
Re: last preparations for switching to production Secure Boot key



On Thu, 2019-03-07 at 03:11 +0000, Steve McIntyre wrote:
> On Mon, Feb 25, 2019 at 08:13:22PM +0100, Ansgar wrote:
> So, shim clearly will embed the Debian key so AFAICS we need to list
> it in trusted_certs. Yes? Basically ready to upload with the
> following (templated) json included:

Which part of shim embeds the Debian key?  Is it only included in
the part that Microsoft signs?

I think trusted_certs is supposed to list keys that the binaries that
Debian signs itself embed?  Whatever Microsoft signs is not affected
by our regular signing infrastructure after all.

But either way should work.

> > Could all maintainers (for fwupd, fwupdate, grub2, linux) please
> > ack one last time that their packages are ready for switching to
> > the production key?  And prepare an upload with the changes
> > described above and ready to use the production key?
> 
> There's a new (minor) improvement here. We're now changing the shim
> build process so we'll also need to add shim-helpers-*-template as
> extra targets for the signing service. We've removed the ephemeral
> key that used to be used for signing fbXXX.efi and mmXXX.efi, and
> instead we're going to be submitting those for proper signing. This
> will significantly improve the reproducibility of the shim binary,
> which I think we all agree is a good thing! :-)

Submit them to signing by the Debian key?  Please tell me the names of
the template packages before you upload them then so I can update the
dak configuration[1].

  [1] https://salsa.debian.org/ftp-team/dak/blob/master/config/debian/external-signatures.conf

> I'll go and tweak fwupd and fwupdate next, to change their json
> signing information. Just like with grub, I think they need an empty
> "trusted_certs" array as they don't do any signature validation
> themselves. Yes?

Yes.  That should be correct.

Ansgar
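The exchange above turns on one question: does the trusted_certs array of a signing template list only certificates that the Debian-signed binaries actually embed (shim's vendor certificate), and is it empty for binaries that do no validation of their own (grub, fwupd, fwupdate)? The following added example, which is not part of the thread and not Debian's dak or signing-service code, sketches a pre-upload sanity check for that relationship. The JSON layout, the package names, the file paths and the "certificate" bytes are all constructed for the example; only the trusted_certs key comes from the discussion. The check relies on the fact that a binary that embeds a DER certificate carries its bytes verbatim, so a substring search over the image finds it.

```python
"""Pre-upload sanity check: every cert listed in trusted_certs must be embedded
in the binaries the package submits for signing (constructed example)."""
import json

# Constructed sample of a templated signing description.  The layout is an
# assumption for this example; only "trusted_certs" is taken from the thread.
SAMPLE_CONFIG = json.loads("""
{
  "packages": {
    "shim-helpers-amd64-signed-template": {
      "trusted_certs": ["debian/certs/debian-uefi-ca.der"],
      "files": [{"sig_type": "efi", "file": "usr/lib/shim/fbx64.efi"}]
    },
    "grub-efi-amd64-signed-template": {
      "trusted_certs": [],
      "files": [{"sig_type": "efi", "file": "usr/lib/grub/x86_64-efi-signed/grubx64.efi"}]
    }
  }
}
""")

# Constructed stand-ins for the CA certificate and the binaries.  Neither is real
# DER or PE data; they only model "this image contains the cert bytes or not".
FAKE_CA_DER = b"\x30\x82\x01\x00" + b"DEBIAN-UEFI-CA-CONSTRUCTED" + b"\x00" * 8
SAMPLE_FILES = {
    "debian/certs/debian-uefi-ca.der": FAKE_CA_DER,
    # shim helper image: embeds the vendor certificate verbatim
    "usr/lib/shim/fbx64.efi": b"MZ" + b"\x00" * 32 + FAKE_CA_DER + b"\x00" * 32,
    # grub image: validates nothing itself, so it embeds no certificate
    "usr/lib/grub/x86_64-efi-signed/grubx64.efi": b"MZ" + b"\x00" * 64,
}


def check_signing_config(config, files):
    """Return a list of (package, problem) findings; an empty list means OK.

    `files` maps a path in the built package to its bytes, so the check runs
    offline on the constructed sample; a real run would read from the .deb.
    """
    findings = []
    for pkg, desc in config.get("packages", {}).items():
        certs = desc.get("trusted_certs")
        if not isinstance(certs, list):
            findings.append((pkg, "trusted_certs must be an array, possibly empty"))
            continue
        cert_blobs = []
        for cert_path in certs:
            blob = files.get(cert_path)
            if blob is None:
                findings.append((pkg, f"trusted cert {cert_path} not found"))
            else:
                cert_blobs.append((cert_path, blob))
        for entry in desc.get("files", []):
            path = entry.get("file")
            data = files.get(path)
            if data is None:
                findings.append((pkg, f"file {path} not found"))
                continue
            # A listed cert that the image does not carry is a template error:
            # the signing service would trust a key the binary never uses.
            for cert_path, blob in cert_blobs:
                if blob not in data:
                    findings.append((pkg, f"{path} does not embed {cert_path}"))
    return findings


if __name__ == "__main__":
    for pkg, problem in check_signing_config(SAMPLE_CONFIG, SAMPLE_FILES):
        print(f"{pkg}: {problem}")
```

With the sample as given the check reports nothing. Listing the CA under grub's trusted_certs, the mistake the thread warns against, produces a finding that grubx64.efi does not embed it; the same logic would flag a key that only the Microsoft-signed shim carries.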

