On 17/05/2024 22:19, Steve McIntyre wrote:
The process of getting a new version of shim-signed is long and
complex, and not entirely under our control:
1. Build shim, test the hell out of it.
2. Upload shim, wait for it to build, check that the binary is
reproducible.
3. Submit a shim-review issue (or several) at
https://github.com/rhboot/shim-review/issues .
4. Upload our binaries to Microsoft's site for signing.
5. Wait for the review (and maybe fix things), potentially multiple
passes here.
6. Wait for the signature to come back.
7. Prepare the shim-signed package with the signed binaries, and test
like hell.
8. Upload shim-signed.
We're currently at step 5.
For sure I knew that M$ was involved for signing the binaries so that
BIOS EFI accept to load it. Thanks for the detailled explanation.
What remains not so clear for me is:
1) Why do you publish other package that are parts of the same source
code until shim-signed did pass the 5) step and have step 6),
2) Why shim-helpers-amd64-signed does not depend on shim-signed instead
of shim-unsigned.
But, again, thanks for the rationale and explanations.
-- eric
