Hi Are there any news regarding the signed binary verification with sbverify? It still fails when used with the provided secure boot CA from https://dsa.debian.org/secure-boot-ca.
I managed to verify the certificate used to sign the binaries with the following commands - but I hope we get a version with sbverify and the root CA directly :) 1. Download CA cert from https://dsa.debian.org/secure-boot-ca 2. Convert downloaded CA cert to pem openssl x509 -inform der -outform pem -in secure-boot-ca -out debian-ca.pem 3. Extract the signature from the binary osslsigncode extract-signature -pem /boot/vmlinuz-... vmlinuz.sig 4. Show the signer cert and use it for verification openssl pkcs7 -inform pem -print_certs -text -in vmlinuz.sig 5. Verify the used signing cert against the CA from d.o openssl verify -verbose -CAfile debian-ca.pem debian-signer.pem debian-signer.pem: OK I would also add a section to https://wiki.debian.org/SecureBoot or to a subpage for how to verify signed secure boot binaries (e.g. a new subpage like https://wiki.debian.org/SecureBoot/Verification) Thanks Andreas -- OpenPGP Key AE852913B3757F790297FA2CF04BCF398957A857 @ https://keys.openpgp.org

