[Reproducible-builds] Reproducibility vs signatures

Ben Hutchings ben at decadent.org.uk
Mon Aug 3 11:02:19 UTC 2015


On Mon, 2015-08-03 at 12:46 +0200, Holger Levsen wrote:
> Hi,
> 
> On Monday, 3 August 2015, Ben Hutchings wrote:
> > See <https://lists.debian.org/debian-kernel/2013/08/msg00267.html>.
> 
> Thanks.
> 
> That seems to say that a.) only the kernel team can sign kernels, so no user 
> signed kernels??

Only the FTP team will be able to get shim signed by the Microsoft CA.
Only the FTP team will be able to sign GRUB and the kernel using the
private key for which the public part is embedded in shim.

Users can add further trusted keys at boot time through the BIOS setup
program or shim; then they can use their own signed kernels.

> and b.) only amd64, while I believe UEFI ARM mainboards are
> there already or will be soon?

I don't think they support Secure Boot though.  If they do, and if they
allow users to change the trusted keys, then we should sign for arm64
as well.

Ben.

-- 
Ben Hutchings
Unix is many things to many people,
but it's never been everything to anybody.
