Tollef Fog Heen writes ("UEFI Secure Boot sprint report"):
> In the end, we decided to have a signing service which will construct
> a source package based on a "template" package and a list of files to
> sign and upload this to be processed by the normal buildd and dak
> processes. The signing service will also have an audit log which makes
> it public what was signed and when.

Thanks for the update.

> Once this was agreed and various corner cases ironed out, we started
> implementing the signing service, and the necessary changes in the
> Linux kernel package, dak, fwupdate, shim and grub. The source for the
> signing service can be found at
> https://salsa.debian.org/ftp-team/code-signing.

One small point: Do you think that the source for the signing service
is part of the source for the signed output? If so it probably needs
to be in the Debian archive, not just on salsa. Sorry if this is
inconvenient.

> By the end of the sprint, we were able to:
> - generate a signing template for Linux kernel modules
> - generate a signing template for shim
> - generate a signing template for fwupdate
> - have DAK detect such signing template packages automatically and
>   generate a request for signing
> - run the code of the signing box by hand to generate the source code
>   packages containing the generated signatures

Thanks for your work.

Regards,
Ian.