Marc Haber wrote:
>On Sat, 23 Apr 2022 18:21:47 +0100, Steve McIntyre <st...@einval.com>
>
>>Better than that, our shim-signed source package always double-checks
>>things here. At build time it removes the Microsoft signature and
>>compares that shim binary to the binary that we submitted for
>>signing. We would spot immediately if there was any code added.
>
>And if that check fails at build time, the Debian process refrains
>from putting a Debian signature on the deb and from uploading? Can the
>end user build the shim herself, remove the signature from the signed
>shim and compare the binary, preferably in a documented way?

Look at the shim-signed source - the build will fail if the code has
changed.

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
"We're the technical experts. We were hired so that management could
ignore our recommendations and tell us how to do our jobs." -- Mike Andrews
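The comparison discussed in this thread (strip the signature from the signed shim, then compare it with the binary that was submitted), sketched as an added example; this is not the shim-signed package's build code. The function names and the sample image are hypothetical, and it assumes the Authenticode certificate table sits at the end of the file, which is where the PE format places it.

```python
import struct

CERT_DIR = 4  # data-directory index of the certificate (security) table

def unsigned_view(image: bytes) -> bytes:
    """Return the image with every signature-dependent part neutralised."""
    buf = bytearray(image)
    (pe,) = struct.unpack_from("<I", buf, 0x3C)            # e_lfanew
    if buf[:2] != b"MZ" or buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                          # optional header start
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    (ndirs,) = struct.unpack_from("<I", buf, dirs - 4)     # NumberOfRvaAndSizes
    struct.pack_into("<I", buf, opt + 64, 0)               # CheckSum changes on signing
    if ndirs > CERT_DIR:
        entry = dirs + 8 * CERT_DIR
        off, size = struct.unpack_from("<II", buf, entry)  # file offset, not an RVA
        if size:
            if off + size != len(buf):
                raise ValueError("certificate table is not at end of file")
            del buf[off:]                                  # drop the signature blob
        struct.pack_into("<II", buf, entry, 0, 0)
    # Assumption: trailing zero bytes are only the 8-byte alignment padding
    # a signer inserts before the certificate table.
    return bytes(buf).rstrip(b"\0")

def same_code(signed: bytes, submitted: bytes) -> bool:
    """True if the signed image carries exactly the submitted code."""
    return unsigned_view(signed) == unsigned_view(submitted)

def make_sample(code: bytes, sig: bytes = b"") -> bytes:
    """Constructed PE32+ skeleton for the demonstration (headers only)."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x98, 0x20B)               # PE32+ magic
    struct.pack_into("<I", buf, 0x98 + 108, 16)            # 16 data directories
    buf += code
    if sig:
        buf += b"\0" * (-len(buf) % 8)                     # align the table
        struct.pack_into("<I", buf, 0x98 + 64, 0xDEADBEEF) # constructed checksum
        struct.pack_into("<II", buf, 0x98 + 112 + 8 * CERT_DIR, len(buf), len(sig))
        buf += sig
    return bytes(buf)
```
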