Hi, Colin Watson writes: > On Mon, Feb 25, 2019 at 08:13:22PM +0100, Ansgar wrote: >> I added support for listing `trusted_certs`[1] as proposed by Ben >> Hutchings. This means the `files.json` structure *must* list the >> sha256sum of certificates the signed binaries will trust (this can be an >> empty list in case no hard-coded certificates are trusted). > > Do I understand correctly that this ought to be empty in the case of > grub2, since it does all its signature checking via shim? If so, done: > > > https://salsa.debian.org/grub-team/grub/commit/89c1529cd82f106dbb9a4b17bae03e828ec349b6
Yes, that looks okay. >> I would like to implement one additional change. Currently files.json >> looks like this: > [...] >> This is not extendable; therefore I would like to move everything below a >> top-level `packages` key, i.e. the file would look like this instead: > [...] >> This would allow adding additional top-level keys later should the need >> arise. (I'll prepare the archive-side changes for this later today.) > > I'm happy to do this, though presumably it's a flag day? It is a flag day change, but we already have a flag day for adding trusted_certs (as uploads without the key will no longer get signed). It also means we won't have to support the old files.json format as we never had a (stable) release using it. >> Could all maintainers (for fwupd, fwupdate, grub2, linux) please ack one >> last time that their packages are ready for switching to the production >> key? And prepare an upload with the changes described above and ready >> to use the production key? > > I don't know of any blockers from the grub2 side. Once the archive has > the "packages" key changes, I can prepare an upload - I was planning to > make one this week anyway. The changes to code-signing are done and pushed to my fork on salsa[1]; I'm just waiting to deploy them (well, and change the config to use the production key at the same time). Ansgar [1] https://salsa.debian.org/ansgar/code-signing/commits/d22b8ec28d7b50a6cda738a52e5496492edb8ba9
