Re: [Reproducible-builds] Reproducibility vs signatures

2015-08-05 Thread Jérémy Bobbio
Ben Hutchings:
> On Mon, 2015-08-03 at 10:27 +0200, Jérémy Bobbio wrote:
> > Ben Hutchings:
> > > At some point we're hopefully going to support Secure Boot on amd64.
> > > That means there will be a signed kernel image (separate from the
> > > current linux-image packages) and a signed GRUB image.

Re: [Reproducible-builds] Reproducibility vs signatures

2015-08-03 Thread Holger Levsen
Hi,
On Monday, 3 August 2015, Ben Hutchings wrote:
> Only the FTP team will be able to get shim signed by the Microsoft CA.
> Only the FTP team will be able to sign GRUB and the kernel using the
> private key for which the public part is embedded in shim.
>
> Users can add further trusted keys a

Re: [Reproducible-builds] Reproducibility vs signatures

2015-08-03 Thread Ben Hutchings
On Mon, 2015-08-03 at 12:46 +0200, Holger Levsen wrote:
> Hi,
>
> On Monday, 3 August 2015, Ben Hutchings wrote:
> > See .
>
> Thanks.
>
> That seems to say that a.) only the kernel team can sign kernels, so no user
> signed kernels

Re: [Reproducible-builds] Reproducibility vs signatures

2015-08-03 Thread Holger Levsen
Hi,
On Monday, 3 August 2015, Ben Hutchings wrote:
> See .
Thanks.
That seems to say that a.) only the kernel team can sign kernels, so no user signed kernels?? and b.) only amd64, while I believe uefi arm mainboards are there alre

Re: [Reproducible-builds] Reproducibility vs signatures

2015-08-03 Thread Ben Hutchings
On Mon, 2015-08-03 at 12:27 +0200, Holger Levsen wrote:
> Hi,
>
> On Monday, 3 August 2015, Ben Hutchings wrote:
> > That sort of works as long as there's only one architecture we want to
> > do this for. But the ability to verify modules is useful in general so
> > I would like to turn that on

Re: [Reproducible-builds] Reproducibility vs signatures

2015-08-03 Thread Holger Levsen
Hi,
On Monday, 3 August 2015, Ben Hutchings wrote:
> That sort of works as long as there's only one architecture we want to
> do this for. But the ability to verify modules is useful in general so
> I would like to turn that on for all architectures.
how is this going to work for builds on buil

Re: [Reproducible-builds] Reproducibility vs signatures

2015-08-03 Thread Ben Hutchings
On Mon, 2015-08-03 at 10:27 +0200, Jérémy Bobbio wrote:
> Ben Hutchings:
> > At some point we're hopefully going to support Secure Boot on amd64.
> > That means there will be a signed kernel image (separate from the
> > current linux-image packages) and a signed GRUB image. The kernel
> > modules

Re: [Reproducible-builds] Reproducibility vs signatures

2015-08-03 Thread Jérémy Bobbio
Ben Hutchings:
> At some point we're hopefully going to support Secure Boot on amd64.
> That means there will be a signed kernel image (separate from the
> current linux-image packages) and a signed GRUB image. The kernel
> modules in the linux-image packages will also be signed, probably with
> a