On Tue, Oct 12, 2021 at 01:10:37PM +0200, Michael Biebl wrote:
> > I would implement that something in the line of:
> >
> > - Split off the existing EFI binary into a new package
> >   "systemd-boot-unsigned".
> > - Create the template package "systemd-boot-$arch-signed-template". It
> >   contains a list of files to be signed and a source package template,
> >   which gets signatures injected into and uploaded by the signing
> >   process.
> > - The template creates a source and binary package
> >   "systemd-boot-$arch-signed", shipping the signed EFI binary.
> > - Add a "systemd-boot" package that contains "bootctl" and a dependency
> >   on "systemd-boot-$arch-signed".
>
> Would all those binary packages be built from src:systemd?

From the perspective of the maintainer: yes. Everything comes out of
src:systemd.

From the perspective of the archive: no. Secure boot in Debian is done in
two steps.

src:systemd will provide:
- systemd-boot
- systemd-boot-unsigned
- systemd-boot-$arch-signed-template

src:systemd-boot-$arch-signed is created internally and will provide:
- systemd-boot-$arch-signed

> I don't have any experience with Secure Boot (especially in Debian's
> context), so would need help with that.
> Would you mind prepping a MR?

Sure, can do.

Regards,
Bastian

-- 
Those who hate and fight must stop themselves -- otherwise it is not
stopped.
		-- Spock, "Day of the Dove", stardate unknown