On Sat, 2022-04-23 at 12:21 +0200, Marc Haber wrote:
> >Is the presence of shim-signed on the install media enough to make
> >people feel somehow contaminated?
>
> I think so, yes. Personally, I don't care too much but I can
> understand why some people might.

Why? Because it contains a third-party signature for which the private key is not included in Debian? The same is true for signatures in debian-archive-keyring, debian-keyring, ca-certificates, wireless-regdb, and many other packages. If we were to include more signatures in binary packages (e.g., a signed manifest listing files (with hashes) shipped by the package, signed executables, an embedded signature for the .deb itself), would that be a problem? We do include signatures for source packages (*.dsc and also for upstream tarballs) as well.

> We can compile shim-signed and compare the signed code with our own
> object code, can't we? That way we would only have to worry about the
> validity and benignness of the signature and not worry about having
> undocumented functionality in the signed code.

Debian's buildds build shim (binary package: shim-unsigned); the binary generated by Debian is then signed by Microsoft's key.

Ansgar
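The comparison discussed in this message (the shim built by Debian against the same binary after signing) can be made by hashing both PE files while skipping the parts that signing changes. The following is an added example, not part of the original e-mail or of any Debian tooling; the function names are hypothetical, the sample images are constructed, and it assumes the certificate table is the last thing in the file.

```python
import hashlib
import struct

def authenticode_digest(pe: bytes, algo: str = "sha256") -> bytes:
    """Digest of a PE image with the signing-dependent parts left out."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24                        # optional header, after 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)    # PE32+ / PE32
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:
        raise ValueError("no certificate table directory entry")
    checksum = opt + 64                      # CheckSum field, 4 bytes
    entry = dirs + 4 * 8                     # directory index 4: certificate table
    cert_off, cert_size = struct.unpack_from("<II", pe, entry)
    if cert_size and cert_off + cert_size != len(pe):
        raise ValueError("data after the certificate table; not handled here")
    end = cert_off if cert_size else len(pe)
    # Assumption: the signer pads the image to 8 bytes before appending the table.
    pad = b"" if cert_size else b"\0" * (-len(pe) % 8)
    h = hashlib.new(algo)
    for part in (pe[:checksum], pe[checksum + 4:entry], pe[entry + 8:end], pad):
        h.update(part)
    return h.digest()

def same_code(unsigned: bytes, signed: bytes) -> bool:
    """True when both files carry the same image outside the signature."""
    return authenticode_digest(unsigned) == authenticode_digest(signed)

def constructed_pe(payload: bytes) -> bytearray:
    """Constructed sample: minimal PE32+ headers followed by payload."""
    pe = bytearray(0x40 + 24 + 240) + payload
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)              # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x40 + 24, 0x20B)        # PE32+ magic
    struct.pack_into("<I", pe, 0x40 + 24 + 108, 16)     # NumberOfRvaAndSizes
    return pe

def constructed_signed(unsigned: bytes, blob: bytes) -> bytes:
    """Constructed sample: attach an opaque blob the way a signer would."""
    pe = bytearray(unsigned) + b"\0" * (-len(unsigned) % 8)
    struct.pack_into("<I", pe, 0x40 + 24 + 64, 0xDEADBEEF)   # changed CheckSum
    struct.pack_into("<II", pe, 0x40 + 24 + 112 + 32, len(pe), len(blob))
    return bytes(pe + blob)
```

A match only shows that the signed file carries the same image as the local build; whether the attached signature verifies is a separate check.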

