last preparations for switching to production Secure Boot key

Ansgar ansgar at debian.org
Tue Feb 26 20:23:58 GMT 2019 

Hi,

Colin Watson writes:
> On Mon, Feb 25, 2019 at 08:13:22PM +0100, Ansgar wrote:
>> I added support for listing `trusted_certs`[1] as proposed by Ben
>> Hutchings.  This means the `files.json` structure *must* list the
>> sha256sum of certificates the signed binaries will trust (this can be an
>> empty list in case no hard-coded certificates are trusted).
>
> Do I understand correctly that this ought to be empty in the case of
> grub2, since it does all its signature checking via shim?  If so, done:
>
>   https://salsa.debian.org/grub-team/grub/commit/89c1529cd82f106dbb9a4b17bae03e828ec349b6

Yes, that looks okay.

>> I would like to implement one additional change.  Currently files.json
>> looks like this:
> [...]
>> This is not extendable; therefore I would like to move everything below a
>> top-level `packages` key, i.e. the file would look like this instead:
> [...]
>> This would allow adding additional top-level keys later should the need
>> arise.  (I'll prepare the archive-side changes for this later today.)
>
> I'm happy to do this, though presumably it's a flag day?

It is a flag day change, but we already have a flag day for adding
trusted_certs (as uploads without the key will no longer get signed).
It also means we won't have to support the old files.json format as we
never had a (stable) release using it.

>> Could all maintainers (for fwupd, fwupdate, grub2, linux) please ack one
>> last time that their packages are ready for switching to the production
>> key?  And prepare an upload with the changes described above and ready
>> to use the production key?
>
> I don't know of any blockers from the grub2 side.  Once the archive has
> the "packages" key changes, I can prepare an upload - I was planning to
> make one this week anyway.

The changes to code-signing are done and pushed to my fork on salsa[1]; I'm
just waiting to deploy them (well, and change the config to use the
production key at the same time).

Ansgar

  [1] https://salsa.debian.org/ansgar/code-signing/commits/d22b8ec28d7b50a6cda738a52e5496492edb8ba9

More information about the Pkg-grub-devel mailing list