last preparations for switching to production Secure Boot key
Colin Watson
cjwatson at debian.org
Tue Feb 26 18:33:24 GMT 2019

On Mon, Feb 25, 2019 at 08:13:22PM +0100, Ansgar wrote:
> I added support for listing `trusted_certs`[1] as proposed by Ben
> Hutchings. This means the `files.json` structure *must* list the
> sha256sum of certificates the signed binaries will trust (this can be an
> empty list in case no hard-coded certificates are trusted).

Do I understand correctly that this ought to be empty in the case of
grub2, since it does all its signature checking via shim? If so, done:

https://salsa.debian.org/grub-team/grub/commit/89c1529cd82f106dbb9a4b17bae03e828ec349b6

> I would like to implement one additional change. Currently files.json
> looks like this:

[...]

> This is not extendable; therefore I would like to move everything below a
> top-level `packages` key, i.e. the file would look like this instead:

[...]

> This would allow adding additional top-level keys later should the need
> arise. (I'll prepare the archive-side changes for this later today.)

I'm happy to do this, though presumably it's a flag day?

> Could all maintainers (for fwupd, fwupdate, grub2, linux) please ack one
> last time that their packages are ready for switching to the production
> key? And prepare an upload with the changes described above and ready
> to use the production key?

I don't know of any blockers from the grub2 side. Once the archive has
the "packages" key changes, I can prepare an upload - I was planning to
make one this week anyway.

Thanks,

--
Colin Watson [cjwatson at debian.org]