As long as the program is equivalent there isn't an actual problem here. Requiring the output to always be the same is an arbitrary restriction.
If you want to have users trust that someone else hasn't modified it, then sign it with your identity.
We'd like to verify, not trust.
The whole point of a signature is that you are able to verify what was signed was in fact a message that was signed by signer.
Sure, but a signature doesn't prove that a particular binary came from a particular codebase - merely that a particular human (or other trusted entity, for varying degrees of "trusted") has vouched for it.
Being able to reproduce the binary from the source code and being able to verify that it's the same as the original is quite important in some contexts.
>Being able to reproduce the binary from the source code and being able to verify that it's the same as the original is quite important in some contexts.
I disagree. The contexts that people come up with are purely theoretical, and are not practically important. Please do try and convince me otherwise by sharing such a context. From my view the juice of trying to accomplish this is nowhere worth the squeeze.
You disagree but you're wrong.
Military context: a government would want to review the code and compile themselves. Provide a hash of the target binary to ensure they've compiled it correctly.
SDLC: provide auditors with _proof_ that the tested binary is indeed coming from the audited code
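Added example, not from any commenter: the "publish a hash, rebuild from source, compare" check described above, in Python, with a toy archive step standing in for a real build. The timestamp-in-the-output problem it shows (zip entries embed an mtime) is the same class of issue as `__DATE__`, tar mtimes and embedded build paths in real toolchains; the `SOURCE_DATE_EPOCH` convention used to pin it is the real one from reproducible-builds.org, and the sources and fallback epoch are constructed.

```python
import hashlib
import hmac
import io
import os
import time
import zipfile

# Constructed stand-in for a checked-in source tree: path -> contents.
SOURCES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
}


def build_artifact(sources, build_time=None):
    """Package the sources into a zip; stands in for a compile-and-package step.

    Each zip entry records a modification time, so two honest builds of the
    same input produce different bytes unless build_time is pinned.
    """
    if build_time is None:
        build_time = time.time()  # nondeterministic: whatever "now" is
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fixed iteration order: dict/filesystem order is another nondeterminism source.
        for path in sorted(sources):
            info = zipfile.ZipInfo(path, date_time=time.gmtime(build_time)[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, sources[path])
    return buf.getvalue()


def reproducible_build(sources, source_date_epoch=None):
    """Pin the timestamp to a value both vendor and auditor can derive from the
    source (conventionally the last commit time, passed as SOURCE_DATE_EPOCH)."""
    if source_date_epoch is None:
        # 1700000000 is an assumed fallback for this demo, not a real convention.
        source_date_epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "1700000000"))
    return build_artifact(sources, build_time=source_date_epoch)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_against_published(local_artifact, published_sha256):
    """The reviewer's check: does my rebuild hash to what the vendor published?"""
    return hmac.compare_digest(sha256_hex(local_artifact), published_sha256.lower())
```

Run `build_artifact(SOURCES)` twice a few seconds apart to see two honest builds disagree, then `reproducible_build(SOURCES)` twice to see them match.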
>a government would want to review the code and compile themselves. Provide a hash of the target binary to ensure they've compiled it correctly.
The government doesn't want to do this. A lot of the time the government doesn't even get the source code in the first place.
>provide auditors with _proof_ that the tested binary is indeed coming from the audited code
This can be done by showing to the auditor how one's CI is set up to build checked in code and sign it.
Military Context: Just build the code that you just reviewed. No need to get the binaries
SDLC: Traceability is more important than reproducibility. Keeping logs is more important than deterministic build outputs
> Being able to reproduce the binary from the source code and being able to verify that it's the same as the original is quite important in some contexts
Why not build your own binaries and be done with that. If you don’t trust the compiler or the machine doing the build, just build the code yourself.
Sure, I can do that, but there's some value in being able to check quickly and easily that, for example, the xz utils binaries shipped by a major distro actually match the published source.
Also useful for checking that a binary containing GPLed code does actually correspond to its published source.
The capability may be nice to have, but what about its usefulness. Would that have been of use in any real world situation?