tags 1039913 + wontfix
thanks

Hi

On Thu, 29 Jun 2023 15:56:31 +0200 Marco d'Itri <m...@linux.it> wrote:
> On Jun 29, Jan Naumann <j...@jans-seite.de> wrote:
>
>> Could you please add a hook to the postinst that either a local script can be
>> called on installation time which takes care of signing the image (similar to
>> the `/etc/kernel/postinst.d/` mechanism) or add some call to `sbsign` yourself if
>> e.g. the signing key is available at a specific path.
> I am working on packaging sbctl (which I believe is *much* nicer[1] than
> sbsigntool and mokutil), so I plan to do some work in this area in the future.
> But I am not sure yet of which shape this interface should have.
>
> Part of the issue is that at least sbctl signs the installed binaries in place, while bootctl looks for .efi.signed files in the source directory, and "bootctl install" could also be run manually at any time.
>
> But since systemd-bootx64.efi comes from /usr/lib/systemd/boot/efi/ it would not be right to have something which is not the package manager install a .efi.signed file there, so I suspect that this cannot be solved just with some shell scripting. And for the time being there are zero chances that Debian (or anybody else, I understand) will be able to ship a signed systemd-boot, so this is not a useful interface right now.
>
> [1] https://blog.bofh.it/debian/id_465

I'm a bit concerned about adding such a hook interface without a clear scope of what this interface is supposed to provide.

And to be somewhat consistent, I assume such a hook interface would actually have to be added to bootctl directly, which is then no longer a Debian-specific issue.

For your specific use case, you can probably use a dpkg hook as detailed in
https://unix.stackexchange.com/questions/199511/is-it-possible-to-install-a-hook-that-will-be-called-before-removal-of-a-packa

to do what you want.

I'm thus closing the issue as wontfix.

Regards,
Michael

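For readers who want to follow the dpkg-hook suggestion above, here is an added example of such a hook; it is not part of the bug report, the Debian systemd-boot package, or sbctl. It takes the approach Marco describes for sbctl, signing the copies that "bootctl update" placed on the ESP in place, so nothing is written under /usr/lib/systemd/boot/efi/. The key and certificate paths, the ESP mount point and the hook's install path are assumptions; adjust them to your setup. The hook skips quietly when the key is not present on the machine (the "if the signing key is available at a specific path" case), so a missing key never turns an apt run into a failure.

```shell
#!/bin/sh
# Hypothetical apt/dpkg Post-Invoke hook (added example, not Debian's or
# systemd's code). Install as /usr/local/sbin/sign-systemd-boot and register it:
#   echo 'DPkg::Post-Invoke { "/usr/local/sbin/sign-systemd-boot"; };' \
#       > /etc/apt/apt.conf.d/99sign-systemd-boot
# After every apt-driven dpkg run it re-signs the systemd-boot binaries on the
# ESP in place (the sbctl approach), so the vendor directory stays untouched.

KEY="${SIGN_KEY:-/etc/secureboot/db.key}"     # assumed: Secure Boot db private key
CERT="${SIGN_CERT:-/etc/secureboot/db.crt}"   # assumed: matching PEM certificate
ESP="${ESP_DIR:-/boot/efi}"                   # assumed: ESP mount point

# Print the systemd-boot binaries that actually exist under $1 (the ESP),
# one per line: the vendor copy and the removable-media fallback loader.
esp_targets() {
    for f in "$1/EFI/systemd/systemd-bootx64.efi" "$1/EFI/BOOT/BOOTX64.EFI"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Sign one EFI binary in place unless it already carries a signature by $CERT.
# sbverify exits 0 only when the image is signed by the given certificate,
# which keeps the hook idempotent across repeated apt runs.
sign_in_place() {
    efi="$1"
    if sbverify --cert "$CERT" "$efi" >/dev/null 2>&1; then
        return 0
    fi
    tmp="$efi.tmp.$$"
    sbsign --key "$KEY" --cert "$CERT" --output "$tmp" "$efi" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$efi"
}

# Hook body: skip with status 0 when the key is not on this machine or the ESP
# is not mounted, so apt is never broken by a missing key; fail only when
# signing itself fails.
main() {
    if [ ! -r "$KEY" ] || [ ! -r "$CERT" ]; then
        echo "sign-systemd-boot: no signing key at $KEY, skipping" >&2
        return 0
    fi
    if ! mountpoint -q "$ESP"; then
        echo "sign-systemd-boot: $ESP is not mounted, skipping" >&2
        return 0
    fi
    rc=0
    for efi in $(esp_targets "$ESP"); do
        sign_in_place "$efi" || rc=1
    done
    return $rc
}

# Run only when invoked as the installed hook, so the functions can be sourced.
case "${0##*/}" in
    sign-systemd-boot) main "$@" ;;
esac
```

Two caveats apply. DPkg::Post-Invoke only fires when dpkg is driven by apt, so a bare `dpkg -i` or a manual `bootctl update` leaves the ESP copy unsigned until the next apt run or until you run the script by hand. And because the signature lives only on the ESP copy, every future `bootctl update` that replaces that file undoes it, which is exactly why the hook has to run after each package transaction rather than once.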