Giters

kommendorkapten / reprogo

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Go reproducibility/diffoscope

go-0* # Locally built and signed
go-1* # Upstream binary, signed by google
go-stripped-0* # Local built binary, signature stripped
go-stripped-1* # Google built binary, signature stripped

SHA2-256 digests:

fc94bbe0abf124964ec7b55163537bf655ff509a2e5abb1c374f1285ff085e4d go-0
0935bcda59d2635a89103dc1e147a18aede115a2ce1e0f11f0afc2aa0c3ac5d1 go-1
dcd4b6f067e15e3fb872900254628d460deb40ae2c5b4c502b9be6e8a083707e go-stripped-0
dcd4b6f067e15e3fb872900254628d460deb40ae2c5b4c502b9be6e8a083707e go-stripped-1

$  diffoscope go-0 go-stripped-0
--- go-0
+++ go-stripped-0
├── arm64
│ ├── otool -arch arm64 -h {}
│ │ @@ -1,3 +1,3 @@
│ │  Mach header
│ │        magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
│ │ - 0xfeedfacf 16777228          0  0x00           2    16       2040 0x00200004
│ │ + 0xfeedfacf 16777228          0  0x00           2    15       2024 0x00200004

View signatures

Unsigned file

$ codesign -dv --verbose=4 go-stripped-0
go-stripped-0: code object is not signed at all

Self Signed file (i.e built locally)

$ codesign -dv --verbose=4 go-0
Executable=/Users/kommendorkapten/TMP/go/go-0
Identifier=a.out
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=93630 flags=0x20002(adhoc,linker-signed) hashes=2923+0 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=720896
Hash type=sha256 size=32
CandidateCDHash sha256=7654f0a68e469ab3bbde48e0dcf451f8c1fcb8ea
CandidateCDHashFull sha256=7654f0a68e469ab3bbde48e0dcf451f8c1fcb8eae3429e9bb8b943f5683d56c1
Hash choices=sha256
CMSDigest=7654f0a68e469ab3bbde48e0dcf451f8c1fcb8eae3429e9bb8b943f5683d56c1
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=6324224
Executable Segment flags=0x1
Page size=4096
Launch Constraints:
	None
CDHash=7654f0a68e469ab3bbde48e0dcf451f8c1fcb8ea
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none

Signed by Google

$ codesign -dv --verbose=4 go-1
Executable=/Users/kommendorkapten/TMP/go/go-1
Identifier=org.golang.go
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=93721 flags=0x10000(runtime) hashes=2923+2 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=720896
Hash type=sha256 size=32
CandidateCDHash sha256=831ff04336bd1044b0abb8872fcfa0e74bc23abd
CandidateCDHashFull sha256=831ff04336bd1044b0abb8872fcfa0e74bc23abd31cc892ba05b35f3f5af85b2
Hash choices=sha256
CMSDigest=831ff04336bd1044b0abb8872fcfa0e74bc23abd31cc892ba05b35f3f5af85b2
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=6324224
Executable Segment flags=0x1
Page size=4096
Launch Constraints:
	None
CDHash=831ff04336bd1044b0abb8872fcfa0e74bc23abd
Signature size=8990
Authority=Developer ID Application: Google LLC (EQHXZ8M8AV)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=9 Oct 2023 at 19:20:15
Info.plist=not bound
TeamIdentifier=EQHXZ8M8AV
Runtime Version=11.0.0
Sealed Resources=none
Internal requirements count=1 size=176

Dump commands

$ otool -l go-0
...
Load command 15
      cmd LC_CODE_SIGNATURE
  cmdsize 16
  dataoff 11970256
 datasize 93650

$ otool -l go-stripped-0
...
Load command 14
          cmd LC_LOAD_DYLIB
      cmdsize 96
         name /System/Library/Frameworks/Security.framework/Versions/A/Security (offset 24)
   time stamp 0 Thu Jan  1 01:00:00 1970
      current version 0.0.0
compatibility version 0.0.0

About