
Re: [Reproducible-builds] Reproducibility vs signatures



Ben Hutchings:
> At some point we're hopefully going to support Secure Boot on amd64.
> That means there will be a signed kernel image (separate from the
> current linux-image packages) and a signed GRUB image.  The kernel
> modules in the linux-image packages will also be signed, probably with
> an ephemeral key.
> 
> All these signatures will be embedded within binaries and will of
> course not be reproducible.  The locations of differences will however
> be predictable.
> 
> How should we deal with this limited variability?  Could source
> packages or buildinfo describe the expected variations somehow?

One way to solve this, although a bit wasteful of resources, is to use
the clean rule to perform a first build and create a signature to be
added to the source package.

See my suggested patch for wireless-regdb which implements this idea:
https://bugs.debian.org/725803#29

Would that be a good fit for Linux or GRUB?

-- 
Lunar                                .''`. 
lunar@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
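
A toy model of the approach suggested in the message above, added here as an illustration; it is not code from the thread or from the wireless-regdb patch. HMAC with a random salt stands in for a real signature scheme, and the key, function names and sample source are all constructed.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"  # stand-in for the signing key (assumption)

def build(source: bytes) -> bytes:
    """Deterministic build step: the same source gives the same unsigned binary."""
    return b"BIN\0" + hashlib.sha256(source).digest()

def sign(unsigned: bytes) -> bytes:
    """Salted signature: differs on every run, like a real signing operation."""
    salt = os.urandom(16)
    return salt + hmac.new(KEY, salt + unsigned, hashlib.sha256).digest()

def verify(unsigned: bytes, sig: bytes) -> bool:
    # With a real public-key scheme this would need only the public key.
    salt, mac = sig[:16], sig[16:]
    expected = hmac.new(KEY, salt + unsigned, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

def build_and_sign(source: bytes) -> bytes:
    """Signing during the build: the output changes on every build."""
    unsigned = build(source)
    return unsigned + sign(unsigned)

def prepare_source_package(source: bytes) -> dict:
    """First build (the clean-rule step): sign once, ship the signature with the source."""
    return {"source": source, "signature": sign(build(source))}

def build_from_package(pkg: dict) -> bytes:
    """Later builds: rebuild, check the shipped signature still matches, attach it."""
    unsigned = build(pkg["source"])
    if not verify(unsigned, pkg["signature"]):
        raise ValueError("shipped signature does not match the rebuilt binary")
    return unsigned + pkg["signature"]

if __name__ == "__main__":
    src = b"int main(void) { return 0; }"  # constructed sample source
    print("sign at build time, identical:", build_and_sign(src) == build_and_sign(src))
    pkg = prepare_source_package(src)
    print("signature in source, identical:",
          build_from_package(pkg) == build_from_package(pkg))
```

The shipped signature only stays valid while the unsigned build itself is bit-for-bit reproducible, so a failed check in `build_from_package` also flags a non-reproducible build.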
