On Mon, 2017-01-23 at 14:52 +0000, Ben Hutchings wrote: > On Mon, 2017-01-23 at 12:02 +0000, Luca Boccassi wrote: > > > On Fri, 02 Sep 2016 16:54:10 +0100 Ben Hutchings <ben@decadent.org.uk> wrote: > > > Control: severity -1 important > > > > > > On Fri, 10 Jun 2016 16:55:43 +0100 Ben Hutchings <ben@decadent.org.uk> > > > wrote: > > > > Package: src:linux-signed > > > > Version: 1.1 > > > > Severity: serious > > > > > > > > Several changes are needed before it's ready for release: > > > > > > > > 1. Building signed udebs > > > > 2. Removing the -signed suffix from signed image packages > > > > > > These are now done as of version 2.2. > > > > > > > 3. Signing with an HSM > > > > > > This is not, and it really should be, but I think we can't treat this > > > as a blocker for testing propagation. > > > > > > Ben. > > > > Hello Ben, > > > > I've done some minor changes to add flags to use pesign which supports > > hardware tokens via PKCS11. Inline patch for review. > > > > Fortunately kbuild's sign-file already supports just passing a PKCS11 > > URI, which makes it so much simpler. On the other hand as you most > > likely have found out already pesign needs an NSS DB and cert nicknames > > and tokens, and all in all it's a really awkward API to use, but that's > > what we have to work with I suppose. > > > > What do you think? > > What I left implicit in step 3 was '...held by the FTP team'. I could > use a smartcard for signing but there's never going to be a trust path > from a Microsoft or OEM certificate to my personal key (nor do I want > to be the only uploader of src:linux-signed). The work towards that is > tracked by #821051. > > Ben. Hi, Yep I'm following that bug and others. I just thought having support in linux-sign itself would be useful for users who want to self-sign and for downstream distros that rebuild the kernel and don't use dak. The latter is my case hence these changes, and I thought to share them back in case they could be useful for others. Kind regards, Luca Boccassi
Attachment:
signature.asc
Description: This is a digitally signed message part