On Tue, 19 May 2015, David Howells wrote: > That wouldn't very convenient for building our kernels in our build farm > - we have a lot of machines and all of them would have to be equiped > with the key. Besides, we *want* to discard the private key where > possible as soon as possible because then we can't leak it and we can't > be forced to disclose it.
You can still have a dedicated machine that's used just for signing the binaries. That machine wouldn't be connected to the network, would be physically secured, and would sign through a serial line or so. -- Jiri Kosina SUSE Labs -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
