
Re: Updating shim for buster



On Mon, 2019-02-11 at 14:00 +0000, Steve McIntyre wrote:
> On Mon, Feb 11, 2019 at 10:05:20AM +0000, Luca Boccassi wrote:
> > On Sun, 2019-02-10 at 21:52 -0800, Steve Langasek wrote:
> > > On Mon, Feb 11, 2019 at 01:06:58AM +0000, Steve McIntyre wrote:
> > > > 
> > > > Just one tiny thing missing that I was hoping for: add i386 to the
> > > > arch list. We're wanting to get shim signed for all of amd64, arm64
> > > > and i386 for Buster.
> > > 
> > > Ok, -2 uploaded with i386 enabled.  Cheers!
> > 
> > Hello Steve,
> > 
> > Thank you very much for your work!
> > 
> > One question: last year Philipp did some work to have the shim source
> > package build the templates required to make it work with our new
> > signing infrastructure:
> > 
> > https://salsa.debian.org/pmhahn/shim
> > 
> > Instead of using the ephemeral, build-time generated key to sign FB and
> > MoK, that allows signing them using our CA.
> > Among other things, this allows the build to be reproducible - which is
> > an important aspect in my opinion, especially for a security-critical
> > component like shim.
> > 
> > What are your (and other folks on the list's) thoughts on this?
> 
> Ah, very good point - I'd thought about the signing setup and
> mistakenly only considered the shim binary itself, which of course we
> don't sign ourselves.
> 
> This is another piece that would be good to have. Steve - could you
> look at this too please?

Hi,

I'm happy to work on it and send an MR, if required. The repo on
Salsa though does not seem to exist yet or it doesn't have +R set:

https://salsa.debian.org/vorlon/shim

-- 
Kind regards,
Luca Boccassi
