On Thu, 13 Aug 2020 09:47:21 -0700 Vagrant Cascadian wrote:
> It is also possible to retrieve tarballs directly from linux-libre git
> tags, though I know at least with projects hosted on github this does
> occasionally result in non-identical tarballs. Not sure what factors
> might trigger this, other than changing tags, but possibly different
> git versions, tar versions and flags, and compression tool versions
> and optimizations could be a factor. Reproducible builds has
> documented some potential causes:

Adding in compression changes this because, for just one example, compression details can change between versions of compressors. Assuming that there is no compression and there aren't changes in the underlying git repository, and assuming that git archive is invoked with precisely the same parameters each time, git archive is supposed to generate bit-identical tarballs between different platforms/versions of git (it's considered a bug if it doesn't).

Indeed, the Linux stable tree takes advantage of this reproducibility by adding a GPG signature for the uncompressed tarballs as a git note under refs/notes/signatures/tar. The signature also includes a comment with the precise command to regenerate the uncompressed tarball with git archive. This then makes it possible to verify a GPG signature of an uncompressed tarball that way. An example is [0]. cgit automatically adds the (sig) link when the corresponding git note is added in refs/notes/signatures/tar, but they can also be accessed directly from within git.

I found that useful after learning that GPG signatures within git itself "only validate the commit file contents up to the SHA-1 of the top level tree, it's not a GPG signature of the entire tree state. This means that a SHA-1 collision on the tree object, or any blob object, still results in a valid GPG signature."
It seemed to be a neat way to sidestep the whole matter of SHA-1 falling apart, at least until git moves on to SHA-2 at some as-yet-unknown future point. Anyway, the Linux-libre git repository similarly contains GPG signatures for the uncompressed tarballs, but as tags, not as a git note; either way the outcome is the same.

[0] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/refs/notes/signatures/tar
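The two properties the mail relies on, bit-identical git archive output for identical parameters and a signature kept as a note under refs/notes/signatures/tar, shown on a throwaway local repository. This is an added example, not code from the mail or from the kernel tree; it assumes git, sha256sum and mktemp are installed, and the stored "signature" is a constructed placeholder rather than real GPG output.

```shell
# Added example, not part of the original mail: exercises the two points above
# on a throwaway local repository. (1) `git archive` with identical parameters
# produces bit-identical uncompressed tarballs, so a detached signature over
# one can be checked against a freshly regenerated copy. (2) That signature
# (here a constructed placeholder, not real GPG output) lives as a git note
# under refs/notes/signatures/tar, the ref the Linux stable tree uses.
# Assumes git, sha256sum and mktemp are installed.
set -eu

# Fixed identity and dates keep the demo repository itself reproducible;
# git archive takes tar entry mtimes from the tag (or commit) date.
make_demo_repo() {
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    export GIT_AUTHOR_DATE='2020-08-13T09:47:21-0700' GIT_COMMITTER_DATE='2020-08-13T09:47:21-0700'
    dir=$(mktemp -d)
    git -C "$dir" init -q
    printf 'obj-y += demo.o\n' > "$dir/Makefile"
    git -C "$dir" add Makefile
    git -C "$dir" commit -q -m 'demo commit'
    git -C "$dir" tag -a v1.0 -m 'demo v1.0'   # annotated, as kernel tags are
    echo "$dir"
}

# Regenerate the uncompressed tarball with exactly the command the signature
# comment records: format, prefix and tag must all match. $1 repo, $2 tag, $3 prefix
archive_sha256() {
    git -C "$1" archive --format=tar --prefix="$3" "$2" | sha256sum | cut -d' ' -f1
}

# Store and read back the note the way cgit's (sig) link exposes it.
store_tar_note() { git -C "$1" notes --ref=refs/notes/signatures/tar add -f -m "$3" "$2"; }
show_tar_note() { git -C "$1" notes --ref=refs/notes/signatures/tar show "$2"; }

# Prints the archive digest; returns 1 if regeneration is not reproducible
# or the note cannot be read back.
demo() {
    repo=$(make_demo_repo)
    a=$(archive_sha256 "$repo" v1.0 demo-v1.0/)
    b=$(archive_sha256 "$repo" v1.0 demo-v1.0/)
    c=$(archive_sha256 "$repo" v1.0 other/)   # changed parameter: different bytes
    [ "$a" = "$b" ] && [ "$a" != "$c" ] || return 1
    store_tar_note "$repo" v1.0 "git archive --format=tar --prefix=demo-v1.0/ v1.0
-----BEGIN PGP SIGNATURE----- PLACEHOLDER -----END PGP SIGNATURE-----"
    show_tar_note "$repo" v1.0 | grep -q -- '--prefix=demo-v1.0/' || return 1
    rm -rf "$repo"
    echo "$a"
}
```

Against the stable tree the same steps apply: fetch refs/notes/signatures/tar, read the note for the release tag, rerun the git archive command quoted in its comment, and hand the resulting tarball and the signature to gpg --verify.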