Your message dated Sun, 12 Jan 2025 15:28:16 +0000
with message-id <[email protected]>
and subject line Re: systemd - EFI Secure Boot for systemd-boot
has caused the Debian Bug report #996202,
regarding systemd - EFI Secure Boot for systemd-boot
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
996202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996202
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: systemd
Version: 247.9-4
Severity: wishlist

Hi folks

systemd already includes its own small and EFI based bootloader.  To
make it more widely usable, it would be nice to have it secure boot
signed.  Signing for secure boot is supported in Debian via a round trip
inside the archive.

I would implement that along the lines of:

- Split off the existing EFI binary into a new package
  "systemd-boot-unsigned".
- Create the template package "systemd-boot-$arch-signed-template".  It
  contains a list of files to be signed and a source package template,
  which gets signatures injected into and uploaded by the signing
  process.
- The template creates a source and binary package
  "systemd-boot-$arch-signed", shipping the signed EFI binary.
- Add a "systemd-boot" package that contains "bootctl" and a dependency
  on "systemd-boot-$arch-signed".

I can help with that, as I'm going to work on secure boot anyway.

Regards,
Bastian

-- 
There is an order of things in this universe.
                -- Apollo, "Who Mourns for Adonais?" stardate 3468.1

--- End Message ---
--- Begin Message ---
Thanks to Ansgar from FTP team and Philipp from DSA team,
systemd-boot-efi-amd64-signed and systemd-boot-efi-arm64-signed are now
available in unstable, so we can finally close this as completed. Woop woop!

https://ftp.debian.org/debian/pool/main/s/systemd-boot-efi-amd64-signed/
https://ftp.debian.org/debian/pool/main/s/systemd-boot-efi-arm64-signed/

$ sbverify --list systemd-bootx64.efi.signed 
signature 1
image signature issuers:
 - /CN=Debian Secure Boot CA
image signature certificates:
 - subject: /CN=Debian Secure Boot Signer 2024 - 20425036 - systemd-boot
   issuer:  /CN=Debian Secure Boot CA

--- End Message ---
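
Added example (not part of the thread and not Debian's own tooling): a shell check over the `sbverify --list` output format shown in the closing message, failing unless a signature is present and every certificate issuer equals the expected name. The helper names check_sb_issuers and sample_list_output are hypothetical; an issuer-name match is only a packaging sanity check, and cryptographic verification still needs `sbverify --cert <CA certificate file> <image>`.

```shell
#!/bin/sh
# Usage on a real image:
#   sbverify --list systemd-bootx64.efi.signed | \
#       check_sb_issuers "/CN=Debian Secure Boot CA"

# Reads `sbverify --list` output on stdin. Succeeds only if at least one
# signature block is listed and every certificate "issuer:" equals $1.
check_sb_issuers() {
    awk -v want="$1" '
        /^signature [0-9]+$/ { sigs++ }
        /^[ \t]*issuer:/ {
            # Strip the label and surrounding whitespace, keep the DN.
            sub(/^[ \t]*issuer:[ \t]*/, "")
            sub(/[ \t]+$/, "")
            certs++
            if ($0 != want) {
                printf "unexpected issuer: %s\n", $0 > "/dev/stderr"
                bad++
            }
        }
        END {
            # Unsigned or unparsable input must fail, not pass silently.
            if (sigs > 0 && certs > 0 && bad == 0) exit 0
            exit 1
        }
    '
}

# Sample input: the output quoted in the closing message above.
sample_list_output() {
    cat <<'EOF'
signature 1
image signature issuers:
 - /CN=Debian Secure Boot CA
image signature certificates:
 - subject: /CN=Debian Secure Boot Signer 2024 - 20425036 - systemd-boot
   issuer:  /CN=Debian Secure Boot CA
EOF
}

if sample_list_output | check_sb_issuers "/CN=Debian Secure Boot CA"; then
    echo "issuer check passed"
fi
```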