Secure boot signing infrastructure - feedback request
As you probably already know, Debian doesn't support the Secure Boot
To support it we need to sign Grub and the Kernel with our key, so we
are discussing the best infrastructure for this workflow.
The first approach we had was to add a by-hand script in Dak as
But this option wasn't well received by the ftpteam
The second approach we have is to add some debhelper scripts (e.g.
dh_sign...) that will access a signing service which will sign the
binaries with Debian's key. We would use the dh_sign... helpers when
making an extra binary package. buildd would then publish the -signed
version of the package in the archives.
Please see a more detailed explanation here
A current known issue with this approach is the NEW queue: it requires
the maintainer to also upload binaries for an architecture on first
upload, and these binaries are not rebuilt by the buildd ( see
I would like to know everyone's opinions about these approaches, whether
you agree to go forward with the second approach described above, and how
we solve the NEW queue policy issue.