Hello all, As you probably already know, Debian doesn't support the Secure Boot chain yet. To support it we need to sign Grub and the Kernel with our key, so we are discussing the best infrastructure for this workflow.
The first approach we had was to add a by-hand script in Dak as described here https://wiki.debian.org/SecureBoot#First_option:_by-hand_script_in_dak But this option wasn't well received by the ftpteam The second approach we have is to add some debhelper scripts (e.g dh_sign...) that will access a signing service which will sign the binaries with Debian's key. We would use the dh_sign... helpers when making an extra binary package. buildd would then publish the -signed version of the package in the archives. Please see a more detailed explanation here https://wiki.debian.org/SecureBoot#Second_option:_use_buildd_.2B-_debhelper_instead_of_dak A current known issue with this approach is the NEW queue: it requires the maintainer to also upload binaries for an architecture on first upload, and these binaries are not rebuilt by the buildd ( see https://wiki.debian.org/SecureBoot#Issues ). I would like to know everyone's opinions about these approaches, if you agree to go forward with the second approach described above and how do we solve the NEW queue policy issue. Thanks Helen Koike