On 21/05/2025 at 20:41, Bastian Blank wrote:
> On Wed, May 21, 2025 at 06:53:15PM +0200, Raphaël Halimi wrote:
>> This patch adds a debconf question to configure a MOK (defaults to false;
>> also translated to French), and maintainer scripts to generate a MOK,
>> request its enrollment (one-time password: machine's hostname), and generate
>> conffiles for DKMS and systemd-ukify (managed by ucf).
>
> Isn't dkms already doing this key import for the user? And why do you
> think a question most users can't answer is suitable to show to
> everyone?

No, DKMS doesn't import the key into the shim (I didn't find any trace
of this action in the code). It does generate a key, but in its own
path (/var/lib/dkms), which is not the standard path stated in the
Debian Wiki. Also, it names the certificate in DER format "mok.pub",
which is confusing for users (sbsign needs it in PEM format). Having the
certificate in both formats, with extensions clearly indicating the
format, is a benefit for the users.

For the debconf question, its priority is set to high, why would users
not see it?

>> Sorry to contribute this so late in Trixie's release cycle, I hope it can
>> get in in time (I know it's not a "small, targeted fix", but it's also a
>> feature that was requested for a long time; if it can't, well, we'll wait
>> for Forky!).
>
> Too late and the maintainers already said they don't want this package
> to do it.

Which maintainers?

Steve McIntyre said in this very bug report 8 months ago:

"A patch to add a script to do the key generation for users, and
(maybe?) a debconf question to ask them if they'd like it to be run
would be nice, though!"

Also, do you have to be so bitter in your answer? Is that your way to
welcome contributions that were specifically suggested by package
maintainers?

--
Raphaël Halimi
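
The reply above argues for keeping the MOK certificate in both DER and PEM, with file extensions that name the encoding. The shell sketch below is an added example, not code from the proposed patch or from DKMS: it generates a key pair, writes the certificate in both encodings, and checks that each file really is what its extension claims. The file names (MOK.priv, MOK.der, MOK.pem), the certificate subject and the use of a temporary directory are assumptions made for illustration; enrollment with mokutil is deliberately not performed.

```shell
#!/bin/sh
# Added example. Names, subject and directory are assumptions, not the patch's.

# make_mok DIR: create MOK.priv, MOK.der (DER cert) and MOK.pem (PEM cert) in DIR.
make_mok() (
    umask 077                       # private key must not be group/world readable
    cd "$1" || exit 1
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Constructed example MOK/" \
        -keyout MOK.priv -outform DER -out MOK.der 2>/dev/null || exit 1
    # Same certificate, re-encoded as PEM for tools that expect PEM.
    openssl x509 -inform DER -in MOK.der -outform PEM -out MOK.pem
)

# cert_format FILE: print PEM, DER or unknown, judged by content, not by name.
cert_format() {
    if head -n 1 "$1" 2>/dev/null | grep -q -e '^-----BEGIN CERTIFICATE-----$'; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        echo unknown
    fi
}

# cert_fp FILE: SHA-256 fingerprint, so both encodings can be compared.
cert_fp() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout \
        -fingerprint -sha256 | cut -d= -f2
}

# Demo in a throwaway directory (constructed input, removed afterwards).
demo_dir=$(mktemp -d)
make_mok "$demo_dir"
for f in "$demo_dir/MOK.der" "$demo_dir/MOK.pem"; do
    echo "$(basename "$f"): $(cert_format "$f") $(cert_fp "$f")"
done
rm -rf "$demo_dir"
```

Both lines of output carry the same fingerprint, which confirms that the two files are one certificate in two encodings.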