Ben Hutchings:
> On Mon, 2015-08-03 at 10:27 +0200, Jérémy Bobbio wrote:
> > Ben Hutchings:
> > > At some point we're hopefully going to support Secure Boot on amd64.
> > > That means there will be a signed kernel image (separate from the
> > > current linux-image packages) and a signed GRUB image. The kernel
> > > modules in the linux-image packages will also be signed, probably with
> > > an ephemeral key.
> > >
> > > All these signatures will all be embedded within binaries and will of
> > > course not be reproducible. The locations of differences will however
> > > be predictable.
> > >
> > > How should we deal with this limited variability? Could source
> > > packages or buildinfo describe the expected variations somehow?
> >
> > One way to solve this, although a bit wasteful on resource, is to use
> > the clean rule to perform a first build and create a signature to be
> > added to the source package.
>
> That sort of works as long as there's only one architecture we want to
> do this for. But the ability to verify modules is useful in general so
> I would like to turn that on for all architectures.

Here's a solution I had in my mind when opening my eyes this morning [1]:

Ship signatures in a separate source package, e.g. linux-signatures.
Have linux-image Recommends linux-signatures.

Ideally, I think the signatures should be shipped in extra files.
Another solution would be to use xattrs and set them in a postinst
script [2]. Or mangle the files in place to add signatures, but that
would prevent using debsums.

Both linux-image and linux-signatures can be built reproducibly.
linux-signatures will have the actual signatures in its source,
generated for a specific linux-image version.

That way the release process can be: upload new linux, wait for buildds,
retrieve results from archive, create linux-signatures, upload
linux-signatures.

Having linux build reproducibly can help the signers gain extra
confidence that the buildds are not compromised by performing extra
builds on different systems.

What do you think?

[1]: Yes, human brains seem to also have background tasks.
[2]: xattrs are used by IMA, see <https://lwn.net/Articles/488906/> and
     #766267.

-- 
Lunar                                .''`.
lu...@debian.org                    : :Ⓐ :  # apt-get install anarchism
                                    `. `'`
                                      `-
_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
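
Added example, not part of the original message or of any Debian tooling: for kernel modules, the "predictable location" of the difference is the end of the file, so someone doing an extra build can strip the appended signature from the archive copy and compare the rest with their own unsigned rebuild. It assumes the Linux kernel's appended module signature layout (signature data, a 12-byte `module_signature` trailer, then a magic string); the function names and sample bytes are constructed for illustration.

```python
import hashlib
import struct

MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then the signature length as a big-endian 32-bit integer.
TRAILER = struct.Struct(">BBBBB3xI")


def strip_module_signature(blob: bytes) -> bytes:
    """Return the module payload without an appended signature.

    Unsigned input is returned unchanged; a malformed trailer raises
    ValueError rather than guessing where the payload ends.
    """
    if not blob.endswith(MAGIC):
        return blob
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("truncated signature trailer")
    _algo, _hash, _id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    payload_len = end - TRAILER.size - sig_len - signer_len - key_id_len
    if payload_len < 0:
        raise ValueError("signature length exceeds file size")
    return blob[:payload_len]


def matches_rebuild(signed: bytes, rebuilt_unsigned: bytes) -> bool:
    """True if the signed file differs from the local rebuild only by its signature."""
    return (hashlib.sha256(strip_module_signature(signed)).digest()
            == hashlib.sha256(rebuilt_unsigned).digest())


def _sign_for_demo(payload: bytes, sig: bytes) -> bytes:
    # Constructed sample: placeholder bytes stand in for a real signature;
    # id_type 2 with zero signer/key-id lengths mimics a PKCS#7 trailer.
    return payload + sig + TRAILER.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    rebuilt = b"\x7fELF" + b"constructed module body"
    print(matches_rebuild(_sign_for_demo(rebuilt, b"\xaa" * 64), rebuilt))
    print(matches_rebuild(_sign_for_demo(rebuilt + b"!", b"\xaa" * 64), rebuilt))
```

The comparison only shows that the signature is the sole difference between the two files; validating the signature against the signing key is a separate step.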