Hi folks,

Time for an update on shim, I think!

As I've just mentioned separately, I've uploaded an NMU of shim-signed to unstable this evening to unblock d-i etc. That will give us a working fallback for SB in case we *don't* get our new shim signed and returned in time.

I've merged the changes from Philipp and Luca (thanks for the work guys!) onto HEAD of our shim repo, and added a few obvious tweaks on top:

d71a71f Change maintenance address to be the EFI team
739950c Typo fix: s,singing,signing,g

In terms of packaging, I'd like to make one more tweak. I'm thinking about the confusing package names we're about to generate:

source                          binaries
======                          ========
shim                            shim-unsigned
                                shim-$arch-signed-template
                                (signing-service add sigs and
                                 generates shim-$arch-signed)

shim-$arch-signed               shim-$arch-signed
                                (combining Debian sigs with
                                 helper binaries from shim-unsigned)

ALSO:

shim-signed                     shim-signed
                                (combining MS sigs with binaries
                                 from shim-unsigned)

I don't like the fact that the shim-$arch-signed packages don't contain an actual shim binary, just the fbXXX.efi.signed and mmXXX.efi.signed helper binaries. I think it *will* confuse people. So I've prepared a branch and MR to change the package names to:

source                          binaries
======                          ========
shim                            shim-unsigned
                                shim-helpers-$arch-signed-template
                                (signing-service add sigs and
                                 generates shim-helpers-$arch-signed)

shim-helpers-$arch-signed       shim-$arch-signed
                                (combining Debian sigs with
                                 helper binaries from shim-unsigned)

ALSO:

shim-signed                     shim-signed
                                (combining MS sigs with binaries
                                 from shim-unsigned)

If you think this is a sensible thing to do, please review and merge

https://salsa.debian.org/efi-team/shim/merge_requests/2

I think the last 3 things we need to do are:

1. update the json in the -template packages to match what Ansgar wants (to add a new top-level "packages" key). Easy!

2. add the "trusted_certs" entry for the Debian key in the json. Also easy!

3. FINALLY: test for reproducibility of the shimXXX.efi binary and push to MS for review and signing. Tollef and I already worked on this a little tonight. Once the other changes are done, I think we should be in a good state for submission in the next few days.

What else am I missing here? Please shout... :-)

-- 
Steve McIntyre, Cambridge, UK. steve@einval.com
"Because heaters aren't purple!" -- Catherine Pitt