Re: shim-signed (was: Firmware - what are we going to do about it?)
On Sat, 2022-04-23 at 12:21 +0200, Marc Haber wrote:
> >Is the presence of shim-signed on the install media enough to make
> >people feel somehow contaminated?
>
> I think so, yes. Personally, I don't care too much but I can
> understand why some people might.

Why? Because it contains a third-party signature for which the private
key is not included in Debian? The same is true for signatures in
debian-archive-keyring, debian-keyring, ca-certificates,
wireless-regdb, and many other packages.

If we were to include more signatures in binary packages (e.g., a
signed manifest listing files (with hashes) shipped by the package,
signed executables, an embedded signature for the .deb itself), would
that be a problem?

We do include signatures for source packages (*.dsc and also for
upstream tarballs) as well.

> We can compile shim-signed and compare the signed code with our own
> object code, can't we? That way we would only have to worry about the
> validity and benignness of the signature and not worry about having
> undocumented functionality in the signed code.

Debian's buildds build shim (binary package: shim-unsigned); the binary
generated by Debian is then signed by Microsoft's key.

Ansgar
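
Added example, not part of the original message or of any Debian tooling: one way to check that a signed EFI image is the locally built one plus a signature is to hash both files while skipping the parts a signer changes (the PE CheckSum field, the certificate-table directory slot, and the appended certificate table). The function names and the constructed stub image are assumptions for illustration, and the linear hash is a simplification of the section-ordered Authenticode digest.

```python
import hashlib
import struct

def _cert_fields(pe: bytes):
    """Locate CheckSum, the certificate-table directory slot, and the table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe_off + 24                       # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)
    if ndirs <= 4:
        raise ValueError("image has no certificate table slot")
    slot = dirs + 4 * 8                     # data directory index 4
    cert_off, cert_size = struct.unpack_from("<II", pe, slot)
    return opt + 64, slot, cert_off, cert_size

def image_digest(pe: bytes) -> str:
    """SHA-256 over the image with the signature-dependent parts left out."""
    checksum, slot, cert_off, cert_size = _cert_fields(pe)
    end = len(pe)
    if cert_size:
        if cert_off + cert_size != len(pe):
            raise ValueError("certificate table is not at end of file")
        end = cert_off
    body = pe[:checksum] + pe[checksum + 4:slot] + pe[slot + 8:end]
    body += b"\0" * (-end % 8)              # signers pad to 8 bytes before appending
    return hashlib.sha256(body).hexdigest()

def constructed_image(payload: bytes, signature: bytes = b"") -> bytes:
    """Constructed PE32+ stub for the demo; not a real shim binary."""
    img = bytearray(0x40 + 24 + 112 + 16 * 8)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)
    struct.pack_into("<H", img, 0x40 + 24, 0x20B)
    struct.pack_into("<I", img, 0x40 + 24 + 108, 16)
    img += payload
    if signature:                           # mimic what a signing tool changes
        img += b"\0" * (-len(img) % 8)
        struct.pack_into("<II", img, 0x40 + 24 + 112 + 32, len(img), len(signature))
        struct.pack_into("<I", img, 0x40 + 24 + 64, 0x12345)
        img += signature
    return bytes(img)
```

On real files, `image_digest(open(path, "rb").read())` for the unsigned and signed images should return the same value when the signed code is byte-for-byte the locally built code.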