
Bug#826959: linux-signed is not yet suitable for testing



On Mon, 2017-01-23 at 14:12 +0000, Luca Boccassi wrote:
> On Mon, 23 Jan 2017 12:02:04 +0000 Luca Boccassi <luca.boccassi@gmail.com> wrote:
> > On Fri, 02 Sep 2016 16:54:10 +0100 Ben Hutchings <ben@decadent.org.uk> wrote:
> > > Control: severity -1 important
> > > 
> > > On Fri, 10 Jun 2016 16:55:43 +0100 Ben Hutchings <ben@decadent.org.uk>
> > > wrote:
> > > > Package: src:linux-signed
> > > > Version: 1.1
> > > > Severity: serious
> > > > 
> > > > Several changes are needed before it's ready for release:
> > > > 
> > > > 1. Building signed udebs
> > > > 2. Removing the -signed suffix from signed image packages
> > > 
> > > These are now done as of version 2.2.
> > > 
> > > > 3. Signing with an HSM
> > > 
> > > This is not, and it really should be, but I think we can't treat this
> > > as a blocker for testing propagation.
> > > 
> > > Ben.
> > 
> > Hello Ben,
> > 
> > I've done some minor changes to add flags to use pesign which supports
> > hardware tokens via PKCS11. Inline patch for review.
> > 
> > Fortunately kbuild's sign-file already supports just passing a PKCS11
> > URI, which makes it so much simpler. On the other hand as you most
> > likely have found out already pesign needs an NSS DB and cert nicknames
> > and tokens, and all in all it's a really awkward API to use, but that's
> > what we have to work with I suppose.
> > 
> > What do you think?
> > 
> > Thanks!
> > 
> > Kind regards,
> > Luca Boccassi
> 
> And as a followup, the build-time change to attach using pesign. The
> build-dependency is generated based on rules.defs.
[...]

This doesn't make sense to me.  It shouldn't matter which tool was used
to generate the detached signature.  If pesign and sbsigntool use
different file formats for detached signatures (WTF?) then sign.py
should convert to a single format.

Ben.

-- 
Ben Hutchings
Hoare's Law of Large Problems:
        Inside every large problem is a small problem struggling to get out.
