
Bug#820038: Copy signatures into udebs



On Tue, 05 Apr 2016 00:02:46 +0100 Ben Hutchings <ben@decadent.org.uk> wrote:
> Package: kernel-wedge
> Version: 2.94
> Severity: normal
> 
> We will probably implement module signing using detached signatures
> which kmod will concatenate to the modules at load time (see #820010).
> mkinitramfs will need to copy the detached signatures along with all
> the modules it includes in each udeb.

This is copypasta from the initramfs-tools bug.

Since kernel-wedge runs as part of the kernel build process, before any
code is signed, it can't include signatures in module udebs unless we
revert to building udebs separately (which I really don't want to do).

> It might also be necessary to add special support for signed kernel
> images, although linux-signed may end up generating the udebs for
> that directly.

We could extend kernel-wedge to build one or more udebs containing only
the module signatures.  This makes a certain amount of sense because we
will otherwise end up including all detached signature files in the
installer images (bloat) or replicating some of kernel-wedge's logic
to work out which are needed (fragile).

Ben.

-- 
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot
