On Tue, 2016-04-19 at 22:08 +0200, Tollef Fog Heen wrote:
> ]] Steve McIntyre
>
> >
> > This needs an RSA 2048 key. The process: we generate the key and the
> > self-signed certificate of the correct form, which is embedded in the
> > shim package that is then submitted to Microsoft. The signing request
> > requires obtaining an EV code-signing cert, and then this has to be
> > uploaded via Windows to Microsoft.
> >
> > Tollef was organising an HSM (Yubikey $thing) to make this more
> > secure. Exact details on key management are yet TBD - we had
> > discussions about an N-of-M keyholder scheme similar-ish to what
> > Ubuntu do.
> I've now gotten to the point of actually being able to sign binaries,
> with the key stored on a yubikey, so that's pretty promising.
[...]

Which kind of Yubikey are you using? I have a Yubikey NEO, so if that
works the same way and you can provide instructions then I can update
the linux-signed signing script to work with them.

Ben.

-- 
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
 - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'