On Mon, Feb 25, 2019 at 08:13:22PM +0100, Ansgar wrote:
> I added support for listing `trusted_certs`[1] as proposed by Ben
> Hutchings. This means the `files.json` structure *must* list the
> sha256sum of certificates the signed binaries will trust (this can be an
> empty list in case no hard-coded certificates are trusted).

Do I understand correctly that this ought to be empty in the case of grub2, since it does all its signature checking via shim? If so, done:

https://salsa.debian.org/grub-team/grub/commit/89c1529cd82f106dbb9a4b17bae03e828ec349b6

> I would like to implement one additional change. Currently files.json
> looks like this:
[...]
> This is not extendable; therefore I would like to move everything below a
> top-level `packages` key, i.e. the file would look like this instead:
[...]
> This would allow adding additional top-level keys later should the need
> arise. (I'll prepare the archive-side changes for this later today.)

I'm happy to do this, though presumably it's a flag day?

> Could all maintainers (for fwupd, fwupdate, grub2, linux) please ack one
> last time that their packages are ready for switching to the production
> key? And prepare an upload with the changes described above and ready
> to use the production key?

I don't know of any blockers from the grub2 side. Once the archive has the "packages" key changes, I can prepare an upload - I was planning to make one this week anyway.

Thanks,

--
Colin Watson [cjwat...@debian.org]