On Mon, 2017-01-23 at 15:02 +0000, Ben Hutchings wrote:
> On Mon, 2017-01-23 at 14:12 +0000, Luca Boccassi wrote:
> > On Mon, 23 Jan 2017 12:02:04 +0000 Luca Boccassi <luca.boccassi@gmail.com> wrote:
> > > On Fri, 02 Sep 2016 16:54:10 +0100 Ben Hutchings <ben@decadent.org.uk> wrote:
> > > > Control: severity -1 important
> > > >
> > > > On Fri, 10 Jun 2016 16:55:43 +0100 Ben Hutchings <ben@decadent.org.uk>
> > > > wrote:
> > > > > Package: src:linux-signed
> > > > > Version: 1.1
> > > > > Severity: serious
> > > > >
> > > > > Several changes are needed before it's ready for release:
> > > > >
> > > > > 1. Building signed udebs
> > > > > 2. Removing the -signed suffix from signed image packages
> > > >
> > > > These are now done as of version 2.2.
> > > >
> > > > > 3. Signing with an HSM
> > > >
> > > > This is not, and it really should be, but I think we can't treat this
> > > > as a blocker for testing propagation.
> > > >
> > > > Ben.
> > >
> > > Hello Ben,
> > >
> > > I've done some minor changes to add flags to use pesign which supports
> > > hardware tokens via PKCS11. Inline patch for review.
> > >
> > > Fortunately kbuild's sign-file already supports just passing a PKCS11
> > > URI, which makes it so much simpler. On the other hand as you most
> > > likely have found out already pesign needs an NSS DB and cert nicknames
> > > and tokens, and all in all it's a really awkward API to use, but that's
> > > what we have to work with I suppose.
> > >
> > > What do you think?
> > >
> > > Thanks!
> > >
> > > Kind regards,
> > > Luca Boccassi
> >
> > And as a followup, the build-time change to attach using pesign. The
> > build-dependency is generated based on rules.defs.
> [...]
>
> This doesn't make sense to me. It shouldn't matter which tool was used
> to generate the detached signature. If pesign and sbsigntool use
> different file formats for detached signatures (WTF?) then sign.py
> should convert to a single format.
>
> Ben.

I'm using this because I've seen sbattach barf at least once with a
pesign detached .sig (unfortunately in a build worker with ephemeral
chroot so don't have logs/files).
Might have been something as silly as padding, which IIRC sbsigntool
adds by default but pesign doesn't (there's a very helpfully not
documented --padding option). Or it might have been gremlins.

Kind regards,
Luca Boccassi