Bug#826959: linux-signed is not yet suitable for testing

To: Ben Hutchings <ben@decadent.org.uk>
Cc: 826959@bugs.debian.org
Subject: Bug#826959: linux-signed is not yet suitable for testing
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Mon, 23 Jan 2017 15:44:40 +0000
Message-id: <[🔎] 1485186280.10577.4.camel@gmail.com>
Reply-to: Luca Boccassi <luca.boccassi@gmail.com>, 826959@bugs.debian.org
In-reply-to: <[🔎] 1485183175.2998.107.camel@decadent.org.uk>
References: <146557414388.22845.8753753334649503352.reportbug@deadeye.wl.decadent.org.uk> <1472831650.25374.63.camel@decadent.org.uk> <[🔎] 1485172924.32307.51.camel@gmail.com> <[🔎] 1485183175.2998.107.camel@decadent.org.uk>

On Mon, 2017-01-23 at 14:52 +0000, Ben Hutchings wrote:
> On Mon, 2017-01-23 at 12:02 +0000, Luca Boccassi wrote:
> > > On Fri, 02 Sep 2016 16:54:10 +0100 Ben Hutchings <ben@decadent.org.uk> wrote:
> > > Control: severity -1 important
> > > 
> > > On Fri, 10 Jun 2016 16:55:43 +0100 Ben Hutchings <ben@decadent.org.uk>
> > > wrote:
> > > > Package: src:linux-signed
> > > > Version: 1.1
> > > > Severity: serious
> > > > 
> > > > Several changes are needed before it's ready for release:
> > > > 
> > > > 1. Building signed udebs
> > > > 2. Removing the -signed suffix from signed image packages
> > > 
> > > These are now done as of version 2.2.
> > > 
> > > > 3. Signing with an HSM
> > > 
> > > This is not, and it really should be, but I think we can't treat this
> > > as a blocker for testing propagation.
> > > 
> > > Ben.
> > 
> > Hello Ben,
> > 
> > I've done some minor changes to add flags to use pesign which supports
> > hardware tokens via PKCS11. Inline patch for review.
> > 
> > Fortunately kbuild's sign-file already supports just passing a PKCS11
> > URI, which makes it so much simpler. On the other hand as you most
> > likely have found out already pesign needs an NSS DB and cert nicknames
> > and tokens, and all in all it's a really awkward API to use, but that's
> > what we have to work with I suppose.
> > 
> > What do you think?
> 
> What I left implicit in step 3 was '...held by the FTP team'.  I could
> use a smartcard for signing but there's never going to be a trust path
> from a Microsoft or OEM certificate to my personal key (nor do I want
> to be the only uploader of src:linux-signed).  The work towards that is
> tracked by #821051.
> 
> Ben.

Hi,

Yep I'm following that bug and others. I just thought having support in
linux-sign itself would be useful for users who want to self-sign and
for downstream distros that rebuild the kernel and don't use dak. The
latter is my case hence these changes, and I thought to share them back
in case they could be useful for others.

Kind regards,
Luca Boccassi

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

References:
- Bug#826959: linux-signed is not yet suitable for testing
  - From: Luca Boccassi <luca.boccassi@gmail.com>
- Bug#826959: linux-signed is not yet suitable for testing
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Bug#852324: x86/mm: Found insecure W+X mapping
Next by Date: Bug#826959: linux-signed is not yet suitable for testing
Previous by thread: Bug#826959: linux-signed is not yet suitable for testing
Next by thread: Bug#852311: firmware-atheros: wifi has gone (settings, configs, device, network manager)
Index(es):
- Date
- Thread