On Sat, 23 Apr 2022 18:21:47 +0100, Steve McIntyre <st...@einval.com> wrote:
>We don't have good docs around this in general (hey, it's security
>software - it's against the law to write good and complete docs!), but
>I've certainly discussed this with a few folks over the years.

It would be great to have that written down somewhere to tell people
what they're actually doing.

>Alternatively, people can build replacement shim-signed packages using
>their own root of trust if desired. If we had a large enough number of
>users wanting a different root of trust, we could even offer our own
>different shim-signed package to match.

I would probably prefer to have grub and/or the kernel signed, avoiding
additional code, but maybe having some explanation would convince me
that the shim actually improves things in addition to adding
complexity.

>Better than that, our shim-signed source package always double-checks
>things here. At build time it removes the Microsoft signature and
>compares that shim binary to the binary that we submitted for
>signing. We would spot immediately if there was any code added.

And if that check fails at build time, the Debian process refrains
from putting a Debian signature on the deb and from uploading?

Can the end user build the shim herself, remove the signature from the
signed shim and compare the binary, preferably in a documented way?

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Phone: *49 621 72739834
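
The "remove the signature and compare" idea discussed in this message, sketched as an added example (not part of the original mail and not the shim-signed package's build logic). The function names are hypothetical, the PE images are constructed stand-ins, and it assumes the certificate table was appended at the end of the file without padding.

```python
import hashlib
import struct

def strip_signature(image: bytes) -> bytes:
    """Return a PE image with its Authenticode certificate table removed."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                      # optional header: after signature + COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    if struct.unpack_from("<I", image, dirs - 4)[0] < 5:
        raise ValueError("no security directory entry")
    entry = dirs + 8 * 4               # IMAGE_DIRECTORY_ENTRY_SECURITY is index 4
    offset, size = struct.unpack_from("<II", image, entry)
    out = bytearray(image)
    if size:
        if offset + size != len(image):
            raise ValueError("certificate table is not at the end of the file")
        del out[offset:]
    struct.pack_into("<II", out, entry, 0, 0)   # clear the directory entry
    struct.pack_into("<I", out, opt + 64, 0)    # CheckSum changes when signing
    return bytes(out)

def same_code(signed: bytes, local_build: bytes) -> bool:
    """True if the two images are identical apart from signature and checksum."""
    digest = lambda b: hashlib.sha256(strip_signature(b)).digest()
    return digest(signed) == digest(local_build)

def sample_pe(payload: bytes, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32+ header plus payload; demo input, not a real shim."""
    hdr = bytearray(0x40 + 24 + 112 + 16 * 8)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<H", hdr, 0x58, 0x20B)
    struct.pack_into("<I", hdr, 0x58 + 108, 16)          # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", hdr, 0x58 + 112 + 32, len(hdr) + len(payload), len(cert))
        struct.pack_into("<I", hdr, 0x58 + 64, 0xDEADBEEF)  # constructed checksum
    return bytes(hdr) + payload + cert

if __name__ == "__main__":
    built = sample_pe(b"CODE" * 4)
    print(same_code(sample_pe(b"CODE" * 4, b"SIG!" * 8), built))            # same code
    print(same_code(sample_pe(b"CODE" * 3 + b"EVIL", b"SIG!" * 8), built))  # altered
```

The comparison is only meaningful when the local build is bit-for-bit reproducible from the same source and toolchain as the binary that was submitted for signing.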