Bugzilla – Bug 1217690
libcamera: reproducible builds vs signatures
Last modified: 2023-11-30 12:02:24 UTC
While working on reproducible builds for openSUSE+ALP, I found that our libcamera package varies in every build because during the build it creates a random keypair, embeds the pubkey and adds .so.sign files. When I asked upstream about it long ago, it was said to prevent smuggling in of 3rd-party modules that shall not receive the same level of permissions as modules that are shipped as part of the main codebase. Can we patch src/libcamera/ipa_module.cpp to not use .sign files, or is there another way to get reproducible build results for libcamera?
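The mechanism the comment above describes, modelled as an added example that is not libcamera's own code: a build signs each IPA module with a key, embeds the public key in the library, and the loader later trusts only modules whose detached signature verifies under that embedded key. Ed25519 is used here for illustration only (libcamera's actual algorithm and file format are not reproduced), and the module names and contents are constructed. The example contrasts a fresh random key per build, which changes the embedded pubkey and every .so.sign file and so breaks reproducibility, with a fixed signing key supplied to the build, under which identical inputs give identical outputs while third-party or modified modules still fail verification.

```go
// Added example: a model of build-time IPA module signing, not libcamera code.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Module stands in for one IPA shared object: its file name and contents.
type Module struct {
	Name string
	Data []byte
}

// BuildResult models what one package build emits: the public key embedded in
// the main library plus one detached signature per module (the .so.sign files).
type BuildResult struct {
	EmbeddedPub ed25519.PublicKey
	Signatures  map[string][]byte
}

// Build signs every module with the build key and records the public key.
func Build(priv ed25519.PrivateKey, modules []Module) BuildResult {
	res := BuildResult{
		EmbeddedPub: priv.Public().(ed25519.PublicKey),
		Signatures:  make(map[string][]byte, len(modules)),
	}
	for _, m := range modules {
		res.Signatures[m.Name] = ed25519.Sign(priv, m.Data)
	}
	return res
}

// IsTrusted is the load-time check: a module gets the "shipped with the
// codebase" level of trust only if its signature verifies under the embedded key.
func IsTrusted(r BuildResult, m Module) bool {
	sig, ok := r.Signatures[m.Name]
	if !ok {
		return false
	}
	return ed25519.Verify(r.EmbeddedPub, m.Data, sig)
}

// Fingerprint hashes everything the build emits in a fixed order, which is how
// a reproducible-builds comparison would detect the two builds differing.
func Fingerprint(r BuildResult) string {
	h := sha256.New()
	h.Write(r.EmbeddedPub)
	names := make([]string, 0, len(r.Signatures))
	for n := range r.Signatures {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		h.Write([]byte(n))
		h.Write(r.Signatures[n])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// RandomBuildKey models the current behaviour: a fresh keypair on every build.
func RandomBuildKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// FixedBuildKey models one long-lived signing key handed to the build. The
// constant seed is an assumption made only to keep the example self-contained;
// a real build would obtain the key from signing infrastructure, never from source.
func FixedBuildKey() ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("example-only fixed build seed"))
	return ed25519.NewKeyFromSeed(seed[:])
}

// SampleModules is constructed input standing in for the IPA .so files.
func SampleModules() []Module {
	return []Module{
		{Name: "ipa_rkisp1.so", Data: []byte("constructed rkisp1 module bytes")},
		{Name: "ipa_vimc.so", Data: []byte("constructed vimc module bytes")},
	}
}

func main() {
	mods := SampleModules()
	a, b := Build(RandomBuildKey(), mods), Build(RandomBuildKey(), mods)
	fmt.Println("random key per build, identical output:", Fingerprint(a) == Fingerprint(b))
	c, d := Build(FixedBuildKey(), mods), Build(FixedBuildKey(), mods)
	fmt.Println("fixed key, identical output:", Fingerprint(c) == Fingerprint(d))
	// Signatures made with someone else's key do not verify under this build's pubkey.
	foreign := Build(RandomBuildKey(), mods)
	mixed := BuildResult{EmbeddedPub: c.EmbeddedPub, Signatures: foreign.Signatures}
	fmt.Println("third-party signature trusted:", IsTrusted(mixed, mods[0]))
}
```

Note that a fixed key only makes the outputs byte-identical because Ed25519 signatures are deterministic; a signing scheme that uses a per-signature random value would still vary between builds even with a fixed key, so the choice of algorithm matters as much as the choice of key.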
I just did the last version bump, not sure if I am the right assignee. @Jan: Should I assign the bug to you as the maintainer, or do you have no time to work on this?
I was thinking one could perhaps replace the generated key with the openSUSE build key, but #needssslcertforbuild only adds the pubkey to the build root, which is not enough to sign the libcamera modules. I do not plan on putting any more effort into this. Whether we disable signing or just leave it producing random builds, I have no preference for either.