On 2022-02-02 12:40:56 (+0100), Morten Linderud via arch-dev-public wrote: > # Signed SHIM > > First of we need to have a signing solution for this. My idea has been to > piggy-back on the existing work on the signing-enclave. However it's current > focus is GnuPG and I need something which can support x509 certificates and > preferably PKCS11 for hardware tokens. > > I think having a separate POC for this and later folding it into the > signing-enclave is a good options as well. > > Once we have a key we can embed into the shim, we can build a shim package and > submit it for review to Microsoft. > > https://github.com/rhboot/shim-review > > Once this is signed and approved by Microsoft we can provide our own > "shim-signed" package.
As a short addition: This topic is (also) tracked in the context of archiso (with more links to previous mailing list and issue tracker discussions): https://gitlab.archlinux.org/archlinux/archiso/-/issues/69 I think it would be good to track this effort in an overarching meta repo using an epic though, so that we can more easily identify the blockers and or follow-up tickets towards e.g. packaging, infrastructure, archiso, etc. (this would be beneficial for a bunch of our "larger topics") FWIW: The shim package is already available in [community] (it's unsigned of course). > # RFC > > I think this entire process should be an RFC along with how we want to > accomplish each step. > > https://gitlab.archlinux.org/archlinux/rfcs/ > > My main focus is mostly going to be around the Git package migration but I > have > been tempted writing up a POC when I have a weekend. It would mostly be to > make > an example signing solution and some package examples. I believe an RFC around this would be great, to outline the various things that we would need to support to make this happen. This needs a dedicated set of people working on this and spending the time to do this right. I would love to see this happen, but currently do not see myself in any position to help with it. Best, David -- https://sleepmap.de
signature.asc
Description: PGP signature
