[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#826959: linux-signed is not yet suitable for testing



On Mon, 2017-01-23 at 14:52 +0000, Ben Hutchings wrote:
> On Mon, 2017-01-23 at 12:02 +0000, Luca Boccassi wrote:
> > > On Fri, 02 Sep 2016 16:54:10 +0100 Ben Hutchings <ben@decadent.org.uk> wrote:
> > > Control: severity -1 important
> > > 
> > > On Fri, 10 Jun 2016 16:55:43 +0100 Ben Hutchings <ben@decadent.org.uk>
> > > wrote:
> > > > Package: src:linux-signed
> > > > Version: 1.1
> > > > Severity: serious
> > > > 
> > > > Several changes are needed before it's ready for release:
> > > > 
> > > > 1. Building signed udebs
> > > > 2. Removing the -signed suffix from signed image packages
> > > 
> > > These are now done as of version 2.2.
> > > 
> > > > 3. Signing with an HSM
> > > 
> > > This is not, and it really should be, but I think we can't treat this
> > > as a blocker for testing propagation.
> > > 
> > > Ben.
> > 
> > Hello Ben,
> > 
> > I've done some minor changes to add flags to use pesign which supports
> > hardware tokens via PKCS11. Inline patch for review.
> > 
> > Fortunately kbuild's sign-file already supports just passing a PKCS11
> > URI, which makes it so much simpler. On the other hand as you most
> > likely have found out already pesign needs an NSS DB and cert nicknames
> > and tokens, and all in all it's a really awkward API to use, but that's
> > what we have to work with I suppose.
> > 
> > What do you think?
> 
> What I left implicit in step 3 was '...held by the FTP team'.  I could
> use a smartcard for signing but there's never going to be a trust path
> from a Microsoft or OEM certificate to my personal key (nor do I want
> to be the only uploader of src:linux-signed).  The work towards that is
> tracked by #821051.
> 
> Ben.

Hi,

Yep I'm following that bug and others. I just thought having support in
linux-sign itself would be useful for users who want to self-sign and
for downstream distros that rebuild the kernel and don't use dak. The
latter is my case hence these changes, and I thought to share them back
in case they could be useful for others.

Kind regards,
Luca Boccassi

Attachment: signature.asc
Description: This is a digitally signed message part


Reply to: