Per openssl-mime(1):
-noattr
Normally when a message is signed a set of attributes are
included which include the signing time and supported
symmetric algorithms. With this option they are not included.
The signing time hurts reproducibility, even if the same database, key,
and certificate are used.
So, drop the extra attributes from the smime command.
Signed-off-by: Brian Norris <[email protected]>
---
Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index 02176ec7b717..ecd23309efb6 100644
--- a/Makefile
+++ b/Makefile
@@ -69,6 +69,7 @@ regulatory.db.p7s: regulatory.db $(REGDB_PRIVKEY) $(REGDB_PUBCERT)
-signer $(REGDB_PUBCERT) \
-inkey $(REGDB_PRIVKEY) \
-in $< -nosmimecap -binary \
+ -noattr \
-outform DER -out $@
sha1sum.txt: db.txt
--
2.43.0.rc0.421.g78406f8d94-goog
On Thu, 16 Nov 2023 14:18:16 -0800, Brian Norris wrote:
> Per openssl-mime(1):
>
> -noattr
> Normally when a message is signed a set of attributes are
> included which include the signing time and supported
> symmetric algorithms. With this option they are not included.
>
> [...]
Applied, thanks!
[1/1] wireless-regdb: Makefile: Reproducible signatures
commit: 9e0aee64cd2347b45d6d29a65105c2926c0b8dbc
Best regards,
--
Chen-Yu Tsai <[email protected]>