Package: systemd-boot
Version: 255-1
Severity: important

Dear Maintainer,

as per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033725 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996202, there seems to be no willingness to sign esp/EFI/systemd/systemd-bootx64.efi and esp/EFI/BOOT/BOOTX64.EFI with the Debian CA.

Sidenote: (Maybe this decision should be revisited? We are a couple of years later and systemd-boot is the only proper Linux bootloader able to do measured boot).

Instead, the solution pointed out is that the user should have their own keys. I do just that, and I use sbctl accordingly for both UKI images and systemd-boot. This works well, also with sbsign instead of sbctl (the latter being unavailable as a package in Debian).

Unfortunately, one has to manually remember to sign the bootloader in the EFI partition after each re-install of the systemd-boot package.

Would it be possible to provide a configuration / script file so that one can sign the bootloader before installing it? I can obviously create a dpkg-diversion and wrap bootctl myself by invoking sbsign manually, but I think it would be better if this was a more generic solution.

Best of all, systemd-boot.efi.signed would be provided by a systemd-boot-signed package by Debian itself. :-)

From the bootctl man page:

    SIGNED .EFI FILES
        bootctl install and update will look for a systemd-boot file ending with the ".efi.signed" suffix first, and copy that instead of the normal ".efi" file. This allows distributions or end-users to provide signed images for UEFI SecureBoot.

Thanks,
Matteo Settenvini

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-5-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd-boot depends on:
ii  libc6              2.37-13
ii  libsystemd-shared  255-1
ii  systemd-boot-efi   255-1

Versions of packages systemd-boot recommends:
ii  efibootmgr  18-1

systemd-boot suggests no packages.

-- no debconf information
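
An added example, not part of the original report and not Debian's or systemd's own code: one way to produce the ".efi.signed" file that the quoted bootctl man page excerpt describes, re-signing only when the packaged binary is newer than the signed copy. The key and certificate paths, the SB_KEY/SB_CERT/EFI_DIR variables and the function names are assumptions; /usr/lib/systemd/boot/efi is assumed to be where the package ships the unsigned binary.

```sh
#!/bin/sh
# Added example: keep a locally signed systemd-boot next to the packaged binary.
# Assumed paths (not from the report); adjust to your own key storage.
KEY="${SB_KEY:-/etc/secureboot/db.key}"          # hypothetical private key location
CERT="${SB_CERT:-/etc/secureboot/db.crt}"        # hypothetical certificate location
EFI_DIR="${EFI_DIR:-/usr/lib/systemd/boot/efi}"  # assumed location of the packaged binary

# Return 0 when the .efi.signed copy is missing or older than the unsigned binary.
needs_signing() {
    unsigned=$1
    signed=$2
    [ -f "$unsigned" ] || return 1
    [ ! -f "$signed" ] || [ "$unsigned" -nt "$signed" ]
}

# Sign to a temporary file, verify it against our certificate, then move it
# into place, so a failed or partial signing run never leaves a bad .efi.signed.
sign_one() {
    unsigned=$1
    signed="$unsigned.signed"
    tmp="$signed.tmp.$$"
    sbsign --key "$KEY" --cert "$CERT" --output "$tmp" "$unsigned" \
        || { rm -f "$tmp"; return 1; }
    sbverify --cert "$CERT" "$tmp" >/dev/null \
        || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$signed"
}

# Walk every packaged systemd-boot binary and refresh stale signatures.
sign_all() {
    rc=0
    for unsigned in "$EFI_DIR"/systemd-boot*.efi; do
        [ -f "$unsigned" ] || continue
        if needs_signing "$unsigned" "$unsigned.signed"; then
            sign_one "$unsigned" || rc=1
        fi
    done
    return "$rc"
}

# Only act when explicitly asked, e.g. from a local hook that runs before bootctl.
if [ "${1:-}" = "sign" ]; then
    sign_all
fi
```

Run it with the "sign" argument before "bootctl install" or "bootctl update", so the signed copy is already in place when bootctl looks for it.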