dotnet / arcade

Tools that provide common build infrastructure for multiple .NET Foundation projects.
MIT License

Investigate checksum diff between original and repacked .pkg files #15219

Open ellahathaway opened 3 weeks ago

ellahathaway commented 3 weeks ago

See https://github.com/dotnet/arcade/pull/15205#issuecomment-2450545499

The checksums are different between the original and repacked .pkgs. After briefly investigating this, I've found that the Bom file has a different checksum and the Payload tarball is bigger in the repacked .pkg than the original .pkgs.

We should spend time looking into this to determine the cause of the issue.

ellahathaway commented 1 week ago

I played around with this a bit more, and I've ultimately settled on the fact that the Bom differences are due to the way pkgbuild works. I think that it alters the metadata (e.g. the timestamp), which ultimately affects the checksum. I came to this conclusion by running lsbom <bomfile> on each bom file (one from an unpacked pkg and one from a repacked/unpackaged again pkg). When I did this, I was only able to decipher a timestamp difference.
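One way to test the metadata-only hypothesis across the whole payload, as an added example that is not part of the issue thread or the arcade repository: hash file contents in two expanded package trees and report which paths differ in content, in mode, or only in modification time. It assumes both packages have already been expanded into directories; the function names and the sample file names are hypothetical and the sample trees are constructed.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map each relative path to (content digest, permission bits, mtime)."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                digest = "link:" + os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                with open(full, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
            else:
                digest = None  # directories carry no content of their own
            entries[os.path.relpath(full, root)] = (
                digest, stat.S_IMODE(st.st_mode), int(st.st_mtime))
    return entries

def classify(original_root, repacked_root):
    """Separate real content changes from metadata-only changes."""
    a, b = snapshot(original_root), snapshot(repacked_root)
    report = {"only_original": sorted(a.keys() - b.keys()),
              "only_repacked": sorted(b.keys() - a.keys()),
              "content": [], "mode": [], "mtime_only": []}
    for rel in sorted(a.keys() & b.keys()):
        (da, ma, ta), (db, mb, tb) = a[rel], b[rel]
        kind = "content" if da != db else "mode" if ma != mb else "mtime_only" if ta != tb else None
        if kind:
            report[kind].append(rel)
    return report

def demo():
    """Constructed trees: one file differs by mtime only, one by content."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = [os.path.join(tmp, side) for side in ("original", "repacked")]
        for root in roots:
            os.makedirs(os.path.join(root, "Payload"))
            for name, data in (("a.dll", b"same bytes"), ("b.dll", b"v1")):
                with open(os.path.join(root, "Payload", name), "wb") as f:
                    f.write(data)
        with open(os.path.join(roots[1], "Payload", "b.dll"), "wb") as f:
            f.write(b"v2")  # real content change
        for root in roots:  # pin every mtime so only the deliberate change shows
            for dirpath, dirnames, filenames in os.walk(root):
                for name in dirnames + filenames:
                    os.utime(os.path.join(dirpath, name), (1_700_000_000, 1_700_000_000))
        os.utime(os.path.join(roots[1], "Payload", "a.dll"), (1_700_000_500, 1_700_000_500))
        return classify(*roots)
```

An empty "content" list together with a non-empty "mtime_only" list is what the timestamp explanation predicts; any path under "content" or "only_repacked" needs a different explanation.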