On Sat, 2025-08-30 at 08:55 -0600, Antonio Russo wrote:
[...]
> The changes here will certainly affect my build scripts for the kernel packages,
> but I do think there should be a relatively simple pathway available for people
> to build a new/different kernel using the debian packaging that integrates
> nicely with the rest of Debian.
>
> Maybe I just need to build the signed packages (Is that difficult? My
> understanding that a second build process needs to happen with my own signing
> key that would also need to be deployed to all of my machines to allow for
> secure boot to be enabled.)
The signing is not particularly difficult; we use the script
<https://salsa.debian.org/kernel-team/kernel-team/-/blob/master/scripts/debian-test-sign>
to do it in CI. But deployment is indeed more complicated.
> If that process is too difficult to describe
> simply, maybe I'm asking to please not remove the ability to actually use the
> unsigned images.
Since Secure Boot is only supported on some architectures, there is per-
architecture configuration ("enabled_signed" in the "build" section) for
whether we build an "unsigned" package in preparation for signing, or
just build the final package directly. You can override that in your
local build process.
Ben.
--
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.
Attachment:
signature.asc
Description: This is a digitally signed message part