[20:29] <rtg> cyphermox, I think a Yakkety shim/mok update in my locally keyed VM broke the boot, i.e., shim and mok no longer have the correct signature.
[20:29] <rtg> that seems like a bad thing to me.
[20:36] <apw> rtg, a new version would always be signed by Canonical, so you'd have to re-sign them, no?
[20:37] <rtg> apw, agreed, but how would you know to do that with an automated update?
[20:37] <apw> rtg, indeed, but it is a limitation of self-signing
[20:38] <rtg> seems a bit harsh
[20:38] <pkern> A Dpkg::Post-Invoke hook?
[20:38] <apw> rtg, i would guess we should be telling people that pinning the version they signed or something
[20:39] <apw> is a good idea ...
[20:41] <rtg> hmm, I think I'll get back to it tomorrow and file a bug so that this deficiency at least gets considered.
[20:41] <cyphermox> err, wtf
[20:42] <cyphermox> there is no point in self-signing if you're testing from proposed.
[20:42] <apw> cyphermox, i think the point was: say you had a self-signed setup, and you get an update, it gets unsigned
[20:43] <cyphermox> well, if you have a self-signed setup, you'd still have microsoft keys in your BIOS -- things should still validate, just signed by Microsoft
[20:43] <apw> cyphermox, a fair point indeed
[20:43] <cyphermox> those who do not have keys just usually don't have secureboot (i.e. no keys set up at all) or their own PKI (in which case they already know what to do)
[20:44] <cyphermox> if you have your own PKI with your own keys in, I expect you would already know you should re-sign shim with your key, that's nothing particularly new