On Tue, 2016-04-19 at 22:08 +0200, Tollef Fog Heen wrote:
> ]] Steve McIntyre
>
> >
> > This needs an RSA 2048 key. The process: we generate the key and the
> > self-signed certificate of the correct form, which is embedded in the
> > shim package that is then submitted to Microsoft. The signing request
> > requires obtaining an EV code-signing cert, and then this has to be
> > uploaded via Windows to Microsoft.
> >
> > Tollef was organising an HSM (Yubikey $thing) to make this more
> > secure. Exact details on key management are yet TBD - we had
> > discussions about an N-of-M keyholder scheme similar-ish to what
> > Ubuntu do.
> I've now gotten to the point of actually being able to sign binaries,
> with the key stored on a yubikey, so that's pretty promising.
[...]
Which kind of Yubikey are you using? I have a Yubikey NEO, so if that
works the same way and you can provide instructions then I can update
the linux-signed signing script to work with them.
Ben.
--
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
- Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'Attachment:
signature.asc
Description: This is a digitally signed message part