/srv/irclogs.ubuntu.com/2016/07/06/#ubuntu-kernel.txt

=== JanC is now known as Guest89378
=== JanC_ is now known as JanC
=== tyhicks` is now known as tyhicks
[20:29] <rtg> cyphermox, I think a Yakkety shim/mok update in my locally keyed VM broke the boot, i.e., shim and mok no longer have the correct signature.
[20:29] <rtg> that seems like a bad thing to me.
[20:36] <apw> rtg, a new version would always be signed by canonical, so you'd have to re-sign them no?
[20:37] <rtg> apw, agreed, but how would you know to do that with an automated update?
[20:37] <apw> rtg, indeed, but it is a limitation of self-signing
[20:38] <rtg> seems a bit harsh
[20:38] <pkern> A Dpkg::Post-Invoke hook?
[20:38] <apw> rtg, i would guess we should be telling people that pinning the version they signed or something
[20:39] <apw> is a good idea ...
[20:41] <rtg> hmm, I think I'll get back to it tomorrow and file a bug so that this deficiency at least gets considered.
[20:41] <cyphermox> err, wtf
[20:42] <cyphermox> there is no point in self-signing if you're testing from proposed.
[20:42] <apw> cyphermox, i think the point was say you had a self-signed setup, and you get an update, it gets unsigned
[20:43] <cyphermox> well, if you have a self-signed setup, you'd still have microsoft keys in your BIOS -- things should still validate, just signed by Microsoft
[20:43] <apw> cyphermox, a fair point indeed
[20:43] <cyphermox> those who do not have keys just usually don't have secureboot (i.e. no keys setup at all) or their own PKI (in which case they already know what to do)
[20:44] <cyphermox> if you have your own PKI with your own keys in, I expect you would already know you should re-sign shim with your key, that's nothing particularly new
