Bug#1039913: Please add hook for self-signing systemd-boot after upgrade

Marco d'Itri md at Linux.IT
Thu Jun 29 14:56:31 BST 2023


On Jun 29, Jan Naumann <jan at jans-seite.de> wrote:

> Could you please add a hook to the postinst that either a local script can be
> called on installation time which takes care of signing the image (similar to
> the `/etc/kernel/postinst.d/` mechanism) or add some call to `sbsign` yourself if
> e.g. the signing key is available at a specific path.
I am working on packaging sbctl (which I believe is *much* nicer[1] than
sbsigntool and mokutil), so I plan to do some work in this area in the 
future.
But I am not sure yet of which shape this interface should have.

Part of the issue is that at least sbctl signs the installed binaries in 
place, while bootctl looks for .efi.signed files in the source 
directory, and "bootctl install" could also be run manually at any time.

But since systemd-bootx64.efi comes from /usr/lib/systemd/boot/efi/ it 
would not be right to have something which is not the package manager 
install a .efi.signed file there, so I suspect that this cannot be 
solved just with some shell scripting.
And for the time being there are zero chances that Debian (or anybody 
else, I understand) will be able to ship a signed systemd-boot, so this 
is not a useful interface right now.

[1] https://blog.bofh.it/debian/id_465

-- 
ciao,
Marco
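Jan's request above, as an added example that is not code from the systemd package, from sbctl, or from anyone in this thread: a hook-style POSIX shell script that signs the systemd-boot copies `bootctl install` has already placed on the ESP, in place (the way Marco describes sbctl doing it), and does nothing when no key is present. The key and certificate paths (`/etc/secureboot/db.key`, `/etc/secureboot/db.crt`), the exit-code scheme and the ESP mount point are assumptions. It deliberately never writes a `.efi.signed` file into `/usr/lib/systemd/boot/efi`; `signed_name` only computes the name bootctl would look for. It also refuses to stack a second signature on an image that already verifies against the certificate, which is what goes wrong if a hook like this is run twice.

```shell
#!/bin/sh
# Added example, not the systemd package's or sbctl's code. Signs the
# systemd-boot binaries already installed on the ESP in place, but only
# when a signing key pair exists at an assumed fixed path.
set -u

# Assumed locations of a Secure Boot "db" key pair owned by the local admin.
KEY="${SB_KEY:-/etc/secureboot/db.key}"
CERT="${SB_CERT:-/etc/secureboot/db.crt}"

# Map a source .efi path to the .efi.signed sibling that bootctl looks for.
# Name computation only; this script never writes into /usr/lib/systemd.
signed_name() {
    printf '%s.signed\n' "$1"
}

# Succeed if IMAGE already carries a signature that verifies against CERT,
# so a repeated run does not append a second signature.
already_signed() {
    sbverify --cert "$2" "$1" >/dev/null 2>&1
}

# Sign IMAGE in place: sbsign into a temp file beside it, verify that file,
# then rename it over the original so a crash never leaves a half-written
# bootloader. Exit codes (an assumption of this example):
#   0 signed or already signed, 1 missing image, 2 missing key/cert,
#   3 sbsign/sbverify not installed, 4 signing or verification failed.
sign_in_place() {
    image=$1; key=$2; cert=$3
    [ -f "$image" ] || { echo "no such image: $image" >&2; return 1; }
    [ -f "$key" ] && [ -f "$cert" ] || {
        echo "no signing key at $key / $cert, leaving $image unsigned" >&2
        return 2
    }
    command -v sbsign >/dev/null 2>&1 && command -v sbverify >/dev/null 2>&1 || {
        echo "sbsign/sbverify not installed" >&2
        return 3
    }
    if already_signed "$image" "$cert"; then
        echo "$image: already signed with $cert" >&2
        return 0
    fi
    tmp="$image.tmp.$$"
    if ! sbsign --key "$key" --cert "$cert" --output "$tmp" "$image"; then
        rm -f "$tmp"; return 4
    fi
    if ! sbverify --cert "$cert" "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; return 4
    fi
    mv -f "$tmp" "$image"
}

# Sign every copy of systemd-boot that bootctl places on the ESP.
# Returns the last non-zero status, or 0 if nothing needed signing.
sign_esp() {
    esp=$1; rc=0
    for img in "$esp/EFI/systemd/systemd-bootx64.efi" "$esp/EFI/BOOT/BOOTX64.EFI"; do
        [ -f "$img" ] || continue
        sign_in_place "$img" "$KEY" "$CERT" || rc=$?
    done
    return $rc
}

# Usage: sign-systemd-boot.sh /boot/efi   (run after "bootctl install" or "bootctl update")
if [ $# -gt 0 ]; then
    sign_esp "$1"
fi
```

Because `bootctl update` rewrites the files on the ESP from the unsigned source in `/usr/lib/systemd/boot/efi`, a script like this has to be re-run after every update, which is exactly the interface problem the message describes: signing in place on the ESP and bootctl's own `.efi.signed` lookup in the source directory do not compose without package-manager cooperation.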