Your message dated Sat, 09 Mar 2019 14:10:48 +0000
with message-id <[email protected]>
and subject line Bug#922228: fixed in shim 15+1533136590.3beb971-3
has caused the Debian Bug report #922228,
regarding shim: unreproducible build due to embedded ephemeral certificate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
922228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922228
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: shim
Version: 15+1533136590.3beb971-2
Severity: normal
X-Debbugs-CC: [email protected]

Dear Maintainer,

As requested on debian-efi, opening a bug trying to collate all
information and rationale with regards to using the Debian key to sign
MoK and FB.

The debian-efi developers and collaborators, as discussed during the
secure boot sprint [1], would like the things we (Debian) sign to be
reproducible so anybody can make sure that nobody (including Debian)
sneaked in any changes.
Albeit the shim binary gets signed by Microsoft (and not by Debian) the
same logic should apply to it: We want to make sure that nothing got
changed in shim by anybody.

Although a run of diffoscope would show that the only things changing
are the ephemeral embedded key (and the host kernel version), this is a
manual step that would not be easily accessible to non-tech-savvy
users. Having reproducibility "just work" by default means that the CI
can take care of it, and notice regressions automatically.

The Debian key, other than for fwupdate, kernel image and GRUB, is
already used to also sign all the Linux kernel modules, which are ~3.4k
for linux-image-4.9.0-8-amd64, multiplied by our number of
architectures and sub-architectures. So, using it for MoK and FB as
well doesn't seem to add much more exposure, in the grand scheme of
things.

The work to make src:shim use the Debian signing infrastructure was
already done last year by Philipp, and is available on Salsa [2].

In case it can help to share the workload, I will try to do some work
later today to cherry-pick those commits and send an MR on Salsa for
the latest version.

Thank you for your work on Shim!

-- 
Kind regards,
Luca Boccassi

[1] https://etherpad.wikimedia.org/p/debian-secure-boot-2018
[2] https://salsa.debian.org/pmhahn/shim



--- End Message ---
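
The CI reproducibility check the report above asks for, as an added sketch that is not part of the original message or of Debian's tooling. The artifact layout, region names, kernel strings and the fixed `Linux` string are constructed for illustration and are not shim's real binary format.

```python
import hashlib
import os

# Constructed toy layout (an assumption): 64 bytes of code, a 32-byte
# certificate blob, and a 24-byte build-host string.
CODE = b"\x90" * 64
CERT_LEN, UNAME_LEN = 32, 24
REGIONS = {
    "code": (0, 64),
    "embedded cert": (64, 96),
    "uname string": (96, 120),
}


def build(ephemeral_key, host_uname, fixed_uname):
    """Toy 'build' of one artifact.

    ephemeral_key=True generates fresh random key material on every build,
    which is what made the real package unreproducible. False stands in for
    "no ephemeral key embedded" (zero bytes here, as a placeholder).
    """
    cert = os.urandom(CERT_LEN) if ephemeral_key else b"\x00" * CERT_LEN
    uname = b"Linux" if fixed_uname else host_uname.encode()
    return CODE + cert + uname.ljust(UNAME_LEN, b"\x00")[:UNAME_LEN]


def differing_regions(a, b):
    """Name every known region in which two artifacts differ."""
    if len(a) != len(b):
        return ["length"]
    return [n for n, (lo, hi) in REGIONS.items() if a[lo:hi] != b[lo:hi]]


def check_reproducible(a, b):
    """CI gate: (True, []) on identical SHA-256, else the offending regions."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return True, []
    return False, differing_regions(a, b)


if __name__ == "__main__":
    # Two builders with different host kernels (constructed values).
    old = [build(True, k, False) for k in ("4.9.0-8-amd64", "4.19.0-2-amd64")]
    new = [build(False, k, True) for k in ("4.9.0-8-amd64", "4.19.0-2-amd64")]
    print("ephemeral key + host uname:", check_reproducible(*old))
    print("no ephemeral key + fixed string:", check_reproducible(*new))
```
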
--- Begin Message ---
Source: shim
Source-Version: 15+1533136590.3beb971-3

We believe that the bug you reported is fixed in the latest version of
shim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <[email protected]> (supplier of updated shim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 08 Mar 2019 21:59:43 +0000
Source: shim
Binary: shim-helpers-amd64-signed-template shim-unsigned
Architecture: source amd64
Version: 15+1533136590.3beb971-3
Distribution: unstable
Urgency: medium
Maintainer: Debian EFI team <[email protected]>
Changed-By: Steve McIntyre <[email protected]>
Description:
 shim-helpers-amd64-signed-template - boot loader to chain-load signed boot loaders (signing template)
 shim-unsigned - boot loader to chain-load signed boot loaders under Secure Boot
Closes: 922228
Changes:
 shim (15+1533136590.3beb971-3) unstable; urgency=medium
 .
   [ Philipp Hahn ]
   * debian/rules: fixing permissions no longer required
   * debian/rules: Disable ephemeral key on Debian.
   * Rename binary package to 'shim-unsigned'
   * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
 .
   [ Luca Boccassi ]
   * Override lintian error about template rules file.
   * Include /usr/share/dpkg/architecture.mk instead of shelling out.
   * Add uname.patch to avoid embedding the kernel architecture in the
     binary and to use a fixed string instead.
 .
   [ Steve McIntyre ]
   * Change maintenance address to be the EFI team
   * Add me and vorlon to the Uploaders list
   * Rename the helper binary packages to shim-helpers-$arch.
   * Update the signing-template JSON metadata to match new practice:
     + Move all the data under a new top-level "packages" key
     + Add an empty "trusted_certs" key - the helper binaries do not do any
       further verification with an embedded key.


--- End Message ---
