last preparations for switching to production Secure Boot key
Ansgar
ansgar at debian.org
Mon Feb 25 19:13:22 GMT 2019
Hi,

I added support for listing `trusted_certs`[1] as proposed by Ben
Hutchings. This means the `files.json` structure *must* list the
sha256sum of certificates the signed binaries will trust (this can be an
empty list in case no hard-coded certificates are trusted).

I would like to implement one additional change. Currently files.json
looks like this:
```json
{
  "linux-object": {
    "trusted_certs": ["4e5e7bfe18206d3648aed66fbafda1381bbb2687a530ae6d989b64fee6efd760"],
    "files": [
      {"sig_type": "linux-module", "file": "usr/lib/linux-object/dummy.ko"}
    ]
  }
}
```
This is not extendable; therefore I would like to move everything below a
top-level `packages` key, i.e. the file would look like this instead:
```json
{
  "packages": {
    "linux-object": {
      "trusted_certs": ["4e5e7bfe18206d3648aed66fbafda1381bbb2687a530ae6d989b64fee6efd760"],
      "files": [
        {"sig_type": "linux-module", "file": "usr/lib/linux-object/dummy.ko"}
      ]
    }
  }
}
```
This would allow adding additional top-level keys later should the need
arise. (I'll prepare the archive-side changes for this later today.)

Could all maintainers (for fwupd, fwupdate, grub2, linux) please ack one
last time that their packages are ready for switching to the production
key? And prepare an upload with the changes described above and ready
to use the production key?

Ansgar

[1] https://wiki.debian.org/SecureBoot/Discussion#Describing_the_trust_chain
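A pre-upload check for the layout proposed in the message above, as an added example that is not part of the original mail and not the archive-side code: it rejects the old flat layout and any package entry that omits `trusted_certs`. The name `validate_files_json` is hypothetical, and the check assumes sha256 sums are written as 64 lowercase hex digits, as in the sample.

```python
import json
import re

SHA256_HEX = re.compile(r"[0-9a-f]{64}")  # assumed form, as in the sample


def validate_files_json(text):
    """Return a list of problems found in a files.json document (empty if none)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict) or not isinstance(doc.get("packages"), dict):
        return ["missing top-level 'packages' object (old layout?)"]
    problems = []
    for name, pkg in doc["packages"].items():
        if not isinstance(pkg, dict):
            problems.append(f"{name}: entry is not an object")
            continue
        certs = pkg.get("trusted_certs")
        # The key must be present; an empty list is allowed.
        if not isinstance(certs, list):
            problems.append(f"{name}: 'trusted_certs' must be a list")
        else:
            for cert in certs:
                if not (isinstance(cert, str) and SHA256_HEX.fullmatch(cert)):
                    problems.append(f"{name}: bad sha256 {cert!r}")
        files = pkg.get("files")
        if not isinstance(files, list):
            problems.append(f"{name}: 'files' must be a list")
            continue
        for entry in files:
            ok = isinstance(entry, dict) and all(
                isinstance(entry.get(k), str) and entry[k] for k in ("sig_type", "file"))
            if not ok:
                problems.append(f"{name}: file entry needs 'sig_type' and 'file'")
    return problems


# Constructed samples built from the package entry shown in the message.
PKG = {"linux-object": {
    "trusted_certs": ["4e5e7bfe18206d3648aed66fbafda1381bbb2687a530ae6d989b64fee6efd760"],
    "files": [{"sig_type": "linux-module", "file": "usr/lib/linux-object/dummy.ko"}]}}
NEW_LAYOUT = json.dumps({"packages": PKG})  # proposed layout
OLD_LAYOUT = json.dumps(PKG)                # current flat layout

if __name__ == "__main__":
    for label, text in (("new", NEW_LAYOUT), ("old", OLD_LAYOUT)):
        print(label, validate_files_json(text) or "ok")
```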