On Mon, Sep 25, 2023 at 10:52:26AM +, Holger Levsen wrote:
> FYI, "this will make the build unreproducible"... :/
fwiw, after reading the replies to this thread (on the debian kernel list,
not here) I don't think this proposal will be implemented...
--
cheers,
Holger
If they sign with something that is detached (like a SLSA / in-toto
attestation), then this would still be reproducible. Of course, then you
have to ship that along with the artifact you are checking though...
Thanks,
Justin
On Mon, Sep 25, 2023 at 12:23 PM Mattia Rizzolo wrote:
> On Mon, Sep
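Added example, not part of any message in this thread and not Debian's packaging code: it contrasts a signature appended to the artifact with a detached one, and shows how a reproducibility check can compare signed builds by stripping the appended signature. Assumptions: all function names are hypothetical, an HMAC under a random per-build key stands in for a real signature made with an ephemeral key, and the trailer is a simplified layout modelled on the kernel's appended module signature (12-byte descriptor ending in a big-endian signature length, then the magic string).

```python
import hashlib
import hmac
import json
import os

MAGIC = b"~Module signature appended~\n"  # marker ending a signed Linux module


def build_payload() -> bytes:
    """Constructed stand-in for a deterministic (reproducible) module build."""
    return b"\x7fELF" + b"constructed-module-body" * 4


def ephemeral_sign(payload: bytes) -> bytes:
    """HMAC under a random per-build key, standing in for a real signature
    made with a key that is created during the build and then thrown away."""
    return hmac.new(os.urandom(32), payload, hashlib.sha256).digest()


def build_embedded() -> bytes:
    """Signature appended to the artifact: payload || sig || descriptor || MAGIC."""
    payload = build_payload()
    sig = ephemeral_sign(payload)
    descriptor = bytes(8) + len(sig).to_bytes(4, "big")  # 12 bytes, sig length last
    return payload + sig + descriptor + MAGIC


def build_detached() -> tuple[bytes, str]:
    """Artifact left untouched; signature shipped beside it, bound by digest."""
    payload = build_payload()
    statement = {
        "subject_sha256": hashlib.sha256(payload).hexdigest(),
        "signature": ephemeral_sign(payload).hex(),
    }
    return payload, json.dumps(statement, sort_keys=True)


def strip_signature(blob: bytes) -> bytes:
    """Return the unsigned payload so two signed builds can be compared."""
    if not blob.endswith(MAGIC):
        return blob  # unsigned artifact: nothing to strip
    body = blob[: -len(MAGIC)]
    if len(body) < 12:
        raise ValueError("truncated signature descriptor")
    sig_len = int.from_bytes(body[-4:], "big")
    if sig_len + 12 > len(body):
        raise ValueError("signature length exceeds file size")
    return body[: -(12 + sig_len)]
```

Two embedded builds differ byte for byte while their stripped payloads match; two detached builds yield identical artifacts and only the accompanying statement differs.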
On Mon, Sep 25, 2023 at 11:41:09AM -0400, David A. Wheeler wrote:
> > ## Kernel modules will be signed with an ephemeral key
> >
> > The modules will no longer be signed using the Secure Boot CA like the
> > EFI kernel image itself. Instead a key will be created during the build
> > and thrown
> On Sep 25, 2023, at 6:52 AM, Holger Levsen wrote:
>
> FYI, "this will make the build unreproducible"... :/
>
> - Forwarded message from Bastian Blank -
>
> Date: Sun, 24 Sep 2023 15:01:47 +0200
> From: Bastian Blank
> To: debian-ker...@lists.debian.org
> ...
> ## Kernel modules
bian-secur...@lists.debian.org,
d...@packages.debian.org
Subject: Upcoming changes to Debian Linux kernel packages
Message-ID: <20230924130147.qwnjrq4nvkm75...@shell.thinkmo.de>
List-Id:
Hi folks
Debian currently does Secure Boot signing using a shim chained to the
Microsoft key. This use require