Steve McIntyre writes: > As discussed with various people in the past, for UEFI Secure Boot to > work we'll need changes in dak (and elsewhere?) to support upload and > signing of EFI executables. > > Colin has pointed at the code in launchpad as inspiration: > > https://git.launchpad.net/launchpad/tree/lib/lp/archivepublisher/uefi.py > https://git.launchpad.net/launchpad/tree/lib/lp/archivepublisher/tests/test_uefi.py > > We'd love to make this happen in time for stretch if at all possible.
Is there any documentation how this is supposed to work? Which files do need to be signed? And by what key? What uses the signatures the archive is planned to write to dists/*? It looks wrong to bypass embargoed for the signatures. We avoid showing which packages will get security updates in the future. Is there a way to not pass the pin via command-line arguments as currently implemented in [1]? Ansgar [1] <https://bugs.debian.org/821051#82>
