=== himcesjf_ is now known as him-cesjf
[17:16] cascardo,
[17:17] On ppc64el kernel, we are seeing "PKCS#7 signature not signed with a trusted key". Do you know if something changed?
[17:18] mainly because now I see the unsigned kernels.
[18:43] leitao: hum, don't really know much about it
[18:43] apw: ^
[20:41] leitao, this would be because the primary binaries are now signed, they should be signed with the official key
[20:42] apw, that is why we have the signed and unsigned kernels?
[20:43] leitao, we have unsigned packages because otherwise there is no delivery mechanism for test kernels (which are not signed)
[20:44] apw, let me ask a more silly question. What is the difference between signed and unsigned kernels? If I plan to use dkms, should I move to unsigned?
[20:45] leitao, for ppc64el it all depends how enforced things are; in an efi world we would either load a personal key, or disable signature enforcement
[20:46] apw, how do I disable enforcement?
[20:47] leitao, i am not sure i know the answer to that
[20:47] we rebuilt a custom kernel and now we see a lot of "PKCS#7 signature not signed with a trusted key". If I disable enforcement, will it not happen?
[20:48] is that built in a PPA ?
[20:48] as those would be signed by the per PPA key
[20:52] i am slightly confused, i assume there is something more amiss when the signature is present over when the image is unsigned
[20:52] apw, no, we did an in-house custom build
[20:53] apw, I am wondering if we missed some step as adding our key somewhere.
[20:53] previous images would have been completely unsigned, how is it behaving different ?
[20:54] perhaps you could enumerate that for me in a bug so we can better understand
=== himcesjf_ is now known as him-cesjf