On 17.10.2013 20:03, Jonathan McCune wrote:
> grub-mkimage is internal implementation detail. It should not be
> mentioned here.
>
>
> I tend to agree, but right now it's necessary to understand this. When
> grub-install support for --pubkey matures, this can be removed.
>
>
> > This
> > +can be done using the @code{--pubkey} option to
> @command{grub-mkimage}
> > +and manually specifying that the modules required for signature
> > +verification be embedded in @file{core.img}. For example:
> > +
> > +@example
> > +# First, wrap grub-mkimage to include your public key(s).
> > +cat <<EOF > /root/grub-mkimage-pubkey.sh
> > +#!/bin/sh
> > +/usr/bin/grub-mkimage --pubkey=/boot/pubkey.gpg $@@
> > +EOF
> > +chmod +x /root/grub-mkimage-pubkey.sh
> > +# Then, invoke grub-install, explicitly including the `verify'
> > +# module and its dependencies (as verify cannot signature-check
> > +# itself).
> > +grub-install \
> > + --grub-mkimage=/root/grub-mkimage-pubkey.sh \
> > + --modules="verify gcry_rsa gcry_dsa gcry_sha256 hashsum"\
> > +"gcry_sha1 mpi echo loadenv" \
> > + /dev/sda
> > +@end example
> > +
>
> Nor should this example really be included.
>
>
> Same thoughts as above. This should get dropped as part of some future
> cleanup, but for the moment I think it's necessary. It's also already
> committed so somewhat moot.Not true a) This part was removed b) I actually forgot Andrey's message when I committed your patch. Sorry for this. Most of problems he mentions are valid and should be fixed. Also, interestingly, I removed most of parts he had problem with even though I didn't look at his email at that time.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
