(In reply to Bernhard Wiedemann from comment #3) > The timestamp is only one part. > The more tricky part is that a random key is generated (in my test I had > only replaced /dev/(u)random with /dev/zero to avoid that randomness = > https://github.com/bmwiedemann/reproducible-faketools/blob/master/ > reproducible-faketools.spec#L145 ). > But if it is meant to secure something, we probably do not want everyone to > be able to reproduce the same private key. Or would it not matter? The use of that signing key is a requisite of the java vncviewer to use the system clipboard of the server it connects. To make the connection secure you can configure the connection to use x509 cert or other security methods VNC provides (this is something out of the build scope and not related with the key we are talking about). From my perspective, I would say there is no harm in using the same private key.