How to verify if an existing Debian package is reproducible (Related to GSoC 18)

Hi all

@dachary suggested that I write about how to verify whether an existing GNU/Linux package is reproducible or not while reviewing my GSoC proposal.

I’ve written a post on the topic, which involves working with the package jp2a. I initially wrote it on my blog, but I’ll add it here if required.

Link to the post:

I request the mentors, particularly @dachary to kindly go through it. For any questions or discussions, please post it here, or use this link:

@aydwi I followed the instructions in the post and they work as advertised :tada:

$ sha256sum jp2a
6c50c4bef3fcac2a5e777d85c587c2653d9d1672195d3e9666efe89575ed1769  jp2a

However, I get a different sum from the official package on Debian GNU/Linux Stretch:

$ sudo apt-get install jp2a
$ sha256sum /usr/bin/jp2a 
32a8ed0a470cb1b1b0938fd17351a18df2a559fbbb79873d7455f01ddd544751  /usr/bin/jp2a

I tried to recompile it from sources with:

apt-get source jp2a
apt-get build-dep jp2a
cd jp2a-1.0.6
dpkg-buildpackage -uc -us

and after installing the package I just built, I get another checksum.

$ sudo dpkg -i ../jp2a_1.0.6-7_amd64.deb 
(Reading database ... 315240 files and directories currently installed.)
Preparing to unpack ../jp2a_1.0.6-7_amd64.deb ...
Unpacking jp2a (1.0.6-7) over (1.0.6-7) ...
Setting up jp2a (1.0.6-7) ...
Processing triggers for man-db ( ...
$ sha256sum /usr/bin/jp2a 
8a936ddb3d5dea51cc92db5eaed9768e81f9f6c8ce9e416c3a134523184feaf4  /usr/bin/jp2a

Could you please explain why? How can I verify the reproducibility of the binary found in the official Debian GNU/Linux package?


Could you please explain why?

This is most probably due to the difference in build environments, particularly the build path. The environment in which the jp2a binary was compiled is different from the environment on your machine.

When I ran sha256sum on the precompiled binary, I obtained 32a8ed0a470cb1b1b0938fd17351a18df2a559fbbb79873d7455f01ddd544751 jp2a, which was expected.

But when I recompiled it from sources obtained via apt, and ran sha256sum, I got 541a2c9f97cba6f9732129ca442634ac0206906bd8e9cb2690f4b28e9b8efed0 jp2a, which was different from the hash of the precompiled binary as well as the value you obtained. This is quite possibly due to the fact that none of the build environments are identical.

How can I verify the reproducibility of the binary found in the official Debian GNU/Linux package?

To do this, you have to set up a build environment identical to the one in which the precompiled binary was built. This information should be present in the .buildinfo file. I’ll work on doing this, and post here soon.


Following up on this, I was able to get the same checksum when the binaries were built manually after apt-get source jp2a. The path was /build.

1st build:

cd /build/jp2a-1.0.6/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-buildpackage -us -uc -b --buildinfo-id=amd64 -rfakeroot

The obtained SHA-256 was:

541a2c9f97cba6f9732129ca442634ac0206906bd8e9cb2690f4b28e9b8efed0 jp2a

2nd build:

cd /build/jp2a-1.0.6/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-buildpackage -us -uc -b --buildinfo-id=amd64 -rfakeroot

Again, the obtained SHA-256 was:

541a2c9f97cba6f9732129ca442634ac0206906bd8e9cb2690f4b28e9b8efed0 jp2a

Thus, the binary built from source (obtained via apt) is reproducible. But this hash does not match the hash of the precompiled binary obtained by apt-get install. I’m not sure what the cause of this difference is, but I’ll investigate further.

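A script that automates the check described in the two posts above (read the Build-Path and Environment a .buildinfo records, then compare the rebuilt files against its Checksums-Sha256), added here as an example; it is not code from this thread or from Debian's tools. The .buildinfo and the stand-in artifact that demo() writes are constructed for illustration, so the hash it checks belongs to a throwaway file rather than to any real jp2a package; on a real rebuild you would first reproduce the recorded path and environment, as @aydwi did, and then point buildinfo_verify at the resulting .deb.

```shell
#!/bin/sh
# Added example, not code from this thread or from Debian's tools: parse the
# fields of a .buildinfo and check a rebuild against its Checksums-Sha256.

# Value of a single-line field (e.g. Build-Path).
buildinfo_field() {  # $1 = buildinfo path, $2 = field name
    awk -v f="$2" '$1 == (f ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# Indented continuation lines of a multi-line field, leading space removed.
buildinfo_block() {  # $1 = buildinfo path, $2 = field name
    awk -v f="$2" '$1 == (f ":") { inblock = 1; next }
        inblock && /^[ \t]/ { sub(/^[ \t]+/, ""); print; next }
        inblock { exit }' "$1"
}

# Compare each file listed under Checksums-Sha256 with the same-named file in
# directory $2. Returns 0 only if every recorded hash matches.
buildinfo_verify() {  # $1 = buildinfo path, $2 = directory holding the rebuild
    status=0
    while read -r expected size name; do
        [ -n "$name" ] || continue
        [ -f "$2/$name" ] || { echo "MISSING  $name"; status=1; continue; }
        actual=$(sha256sum "$2/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "MATCH    $name ($size bytes)"
        else
            echo "MISMATCH $name: buildinfo $expected, rebuilt $actual"; status=1
        fi
    done <<EOF
$(buildinfo_block "$1" Checksums-Sha256)
EOF
    return $status
}

demo() {  # constructed sample: a throwaway stand-in artifact and a .buildinfo for it
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/jp2a_1.0.6-7_amd64.deb"   # not a real .deb
    cat > "$dir/jp2a.buildinfo" <<EOF
Checksums-Sha256:
 $(sha256sum "$dir/jp2a_1.0.6-7_amd64.deb" | cut -d' ' -f1) 6 jp2a_1.0.6-7_amd64.deb
Build-Path: /build/jp2a-1.0.6
Environment:
 DEB_BUILD_OPTIONS="parallel=4"
EOF
    echo "Rebuild under $(buildinfo_field "$dir/jp2a.buildinfo" Build-Path) with:"
    buildinfo_block "$dir/jp2a.buildinfo" Environment
    buildinfo_verify "$dir/jp2a.buildinfo" "$dir"
}
demo
```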

An update on this. Running diffoscope on the two binaries produced a large output with several (low-level) differences, although it wasn’t very clear what the origin of those differences was. I might have to get in touch with the package maintainer to discuss this matter before I can post another update.
