=== JanC is now known as Guest89378 | ||
=== JanC_ is now known as JanC | ||
=== tyhicks` is now known as tyhicks | ||
rtg | cyphermox, I think a Yakkety shim/mok update in my locally keyed VM broke the boot, i.e., shim and mok no longer have the correct signature. | 20:29 |
rtg | that seems like a bad thing to me. | 20:29 |
apw | rtg, a new version would always be signed by canonical, so you'd have to re-sign them, no? | 20:36 |
rtg | apw, agreed, but how would you know to do that with an automated update ? | 20:37 |
apw | rtg, indeed, but it is a limitation of self-signing | 20:37 |
rtg | seems a bit harsh | 20:38 |
pkern | A Dpkg::Post-Invoke hook? | 20:38 |
apw | rtg, i would guess we should be telling people that pinning the version they signed or something | 20:38 |
apw | is a good idea ... | 20:39 |
rtg | hmm, I think I'll get back to it tomorrow and file a bug so that this deficiency at least gets considered. | 20:41 |
cyphermox | err, wtf | 20:41 |
cyphermox | there is no point in self-signing if you're testing from proposed. | 20:42 |
apw | cyphermox, i think the point was say you had a self-signed setup, and you get an update, it gets unsigned | 20:42 |
cyphermox | well, if you have a self-signed setup, you'd still have microsoft keys in your BIOS -- things should still validate, just signed by Microsoft | 20:43 |
apw | cyphermox, a fair point indeed | 20:43 |
cyphermox | those who do not have keys just usually don't have secureboot (ie. no keys setup at all) or their own PKI (in which case they already know what to do) | 20:43 |
cyphermox | if you have your own PKI with your own keys in, I expect you would already know you should re-sign shim with your key, that's nothing particularly new | 20:44 |