Bug 1217967 - grub2: verification build issue
Summary: grub2: verification build issue
Status: NEW
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Other (show other bugs)
Version: Current
Hardware: Other Other
: P5 - None : Normal (vote)
Target Milestone: ---
Assignee: Joey Lee
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-12 06:42 UTC by Bernhard Wiedemann
Modified: 2024-07-18 04:45 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Bernhard Wiedemann 2023-12-12 06:42:41 UTC 
While working on reproducible builds for ALP + openSUSE, I found that our
grub2 package produced different results when built locally
compared to the official Factory build on OBS.

My guess is that it comes from
https://github.com/openSUSE/pesign-obs-integration

filterdiff 'rpm -qp --qf %{PLATFORM}\n' binaries*/grub2-2.12~rc1-12.1.x86_64.rpm
--- rpm -qp --qf %{PLATFORM}\n binaries/grub2-2.12~rc1-12.1.x86_64.rpm
+++ rpm -qp --qf %{PLATFORM}\n binaries.nachbau/grub2-2.12~rc1-12.1.x86_64.rpm
@@ -1 +1 @@
-x86_64-suse-linux
+i386-suse-linux-gnu

using https://github.com/bmwiedemann/reproducibleopensuse/blob/master/filterdiff


Apart from that, there is the (probably unavoidable) sig itself:
--- old /usr/share/grub2/x86_64-efi/grub.efi (hex)
+++ new /usr/share/grub2/x86_64-efi/grub.efi (hex)
@@ -1,6 +1,6 @@
 00000100  00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000120  00 00 00 00 00 00 00 00  00 50 1f 00 70 07 00 00  |.........P..p...|
+*
 00000130  00 30 1f 00 00 20 00 00  00 00 00 00 00 00 00 00  |.0... ..........|
 00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 *
Comment 1 Joey Lee 2024-07-18 03:01:10 UTC 
(In reply to Bernhard Wiedemann from comment #0)
> While working on reproducible builds for ALP + openSUSE, I found that our
> grub2 package produced different results when built locally
> compared to the official Factory build on OBS.
> 
> My guess is that it comes from
> https://github.com/openSUSE/pesign-obs-integration
> 
> filterdiff 'rpm -qp --qf %{PLATFORM}\n'
> binaries*/grub2-2.12~rc1-12.1.x86_64.rpm
> --- rpm -qp --qf %{PLATFORM}\n binaries/grub2-2.12~rc1-12.1.x86_64.rpm
> +++ rpm -qp --qf %{PLATFORM}\n
> binaries.nachbau/grub2-2.12~rc1-12.1.x86_64.rpm
> @@ -1 +1 @@
> -x86_64-suse-linux
> +i386-suse-linux-gnu
> 
> using
> https://github.com/bmwiedemann/reproducibleopensuse/blob/master/filterdiff
> 
> 
> Apart from that, there is the (probably unavoidable) sig itself:
> --- old /usr/share/grub2/x86_64-efi/grub.efi (hex)
> +++ new /usr/share/grub2/x86_64-efi/grub.efi (hex)
> @@ -1,6 +1,6 @@
>  00000100  00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00 
> |................|
>  00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> |................|
> -00000120  00 00 00 00 00 00 00 00  00 50 1f 00 70 07 00 00 
> |.........P..p...|
> +*
>  00000130  00 30 1f 00 00 20 00 00  00 00 00 00 00 00 00 00  |.0...
> ..........|
>  00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> |................|
>  *

In factory, grub2 be signed by openSUSE key. I am not sure which key be used for signing in your local environment. 
Could you please use pesign to check the signatures list of grub2.efi? Just compare two different grub2.efi.

pesign -S -i ./grub2.efi
Comment 2 Bernhard Wiedemann 2024-07-18 04:45:05 UTC 
My local verification builds are not signed.
They should not differ in the PLATFORM rpm header from that.