Re: shim-signed (was: Firmware - what are we going to do about it?)
Marc Haber wrote:
>On Sat, 23 Apr 2022 18:21:47 +0100, Steve McIntyre <steve@einval.com>
>
>>Better than that, our shim-signed source package always double-checks
>>things here. At build time it removes the Microsoft signature and
>>compares that shim binary to the binary that we submitted for
>>signing. We would spot immediately if there was any code added.
>
>And if that check fails at build time, the Debian process refrains
>from putting a Debian signature on the deb and from uploading? Can the
>end user build the shim herself, remove the signature from the signed
>shim and compare the binary, preferably in a documented way?
Look at the shim-signed source - the build will fail if the code has
changed.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"We're the technical experts. We were hired so that management could
ignore our recommendations and tell us how to do our jobs." -- Mike Andrews
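
The strip-and-compare check discussed in this thread, sketched as an added example; it is not part of the original message and is not the shim-signed package's build code. The function names and the sample images are constructed for illustration, and the example assumes a signer only changes the PE checksum, the certificate-table directory entry and the certificate table at the end of the file.

```python
import hashlib
import struct

def stripped_digest(pe: bytes) -> str:
    """SHA-256 of a PE image with checksum and certificate table removed."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24                       # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)
    buf = bytearray(pe)
    buf[opt + 64:opt + 68] = bytes(4)       # CheckSum changes when a signature is attached
    if struct.unpack_from("<I", pe, dirs - 4)[0] > 4:
        entry = dirs + 4 * 8                # data directory 4: certificate table
        cert_off, cert_len = struct.unpack_from("<II", pe, entry)
        buf[entry:entry + 8] = bytes(8)
        if cert_len:
            if cert_off < entry + 8 or cert_off + cert_len != len(pe):
                raise ValueError("certificate table is not the file tail")
            del buf[cert_off:]
    # Assumption: the signer zero-pads the image to 8 bytes before the table.
    buf += bytes(-len(buf) % 8)
    return hashlib.sha256(buf).hexdigest()

HDR = 0x40 + 24 + 112 + 16 * 8              # constructed sample layout (PE32+)

def make_sample_pe(body: bytes) -> bytes:
    """Constructed header-only PE32+ plus payload; sample input, not bootable."""
    hdr = bytearray(HDR)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x20B)     # PE32+ magic
    struct.pack_into("<I", hdr, 0x40 + 24 + 108, 16)  # NumberOfRvaAndSizes
    return bytes(hdr) + body

def attach_sample_signature(pe: bytes, blob: bytes) -> bytes:
    """Append a constructed stand-in for a signature blob, as a signer would."""
    buf = bytearray(pe) + bytes(-len(pe) % 8)
    struct.pack_into("<I", buf, 0x40 + 24 + 64, 0xDEADBEEF)  # new checksum
    struct.pack_into("<II", buf, 0x40 + 24 + 112 + 32, len(buf), len(blob))
    return bytes(buf) + blob

if __name__ == "__main__":
    unsigned = make_sample_pe(b"shim code")
    signed = attach_sample_signature(unsigned, b"\x01" * 24)
    print("match" if stripped_digest(unsigned) == stripped_digest(signed) else "MISMATCH")
```
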