[unstable/linux-signed][PATCH] Remove arbitrary timestamp and filename from ARM64 signed linux-image

[Dimitri John Ledkov]

BugLink: https://bugs.launchpad.net/bugs/2045684

$ file /boot/vmlinuz-6.6.0-14-generic
/boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was
"vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1
18:54:57 2023, max compression, from Unix, original size modulo 2^32
56127880

Note that original filename and timestamp are encoded in the gzip
content header which is not reproducible and not roundtrip safe. This
make it difficult to do gymnastics to convert for linux
linux-unsgined, to linux-signed, to kernel.efi, and back and preserve
the same checksum or HMAC of the file, as needed by FIPS or just pure
curiosity to confirm that the kernel image is the same across all
image formats we ship.

The fix is to use -n (--no-name) option to gzip to compress the file
without filename nor timestamp.

$ file linux-image/boot/vmlinuz-6.6.0-14-generic.new
/boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max
compression, from Unix, original size modulo 2^32 56127880

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---
 debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 01339d8348..236a1293d0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -67,7 +67,7 @@ override_dh_auto_build:
 				vars="$${base}.efi.vars";			\
 				[ -f "$$vars" ] && . "./$$vars";		\
 				if [ "$$GZIP" = "1" ]; then			\
-					gzip -9 "$$s";				\
+					gzip -9 -n "$$s";			\
 					mv "$${s}.gz" "$$s";			\
 				fi;						\
 			);							\
-- 
2.34.1