[Bug 1876875] Re: Improve download-signed script to support current & grub2
Dimitri John Ledkov
launchpad at surgut.co.uk
Wed May 20 12:27:01 UTC 2020
linux-signed patch looks good to apw. Will start backporting those
changes to grub2-signed and s390-tools-signed.
** Changed in: linux-signed (Ubuntu)
Status: New => In Progress
** Description changed:
[Impact]
- * Improve and generalise download-signed script to allow using it with any signed binaries we care about
- * Add support to download simply the most current version
- * Add support to download /uefi/ signed binaries
- * Clean up arg parsing, add help, drop unused statements & imports.
+ * Improve and generalise download-signed script to allow using it with any signed binaries we care about
+ * Add support to download simply the most current version
+ * Add support to download /uefi/ signed binaries
+ * Clean up arg parsing, add help, drop unused statements & imports.
[Test Case]
- * Test downloading signed kernel works with public & private archives
- * Test that rebuilt signed .debs are the same
+ * Test downloading signed kernel works with public & private archives
+ * Test that rebuilt signed .debs are the same
[Regression Potential]
- * This is a built time script, as long the binaries are downloaded &
+ * This is a built time script, as long the binaries are downloaded &
packaged up the same, there is no end-user facing impact.
[Other Info]
-
- * With these changes, download-signed script can be used by s390-tools-signed & grub2-signed, as well as all the kernels.
+
+ * With these changes, download-signed script can be used by s390-tools-signed & grub2-signed, as well as all the kernels.
+ * This is needed to support resigning with different keys for different ubuntu products. For example, UC20 uses the same grub binaries, but wants an additional trustpath to UC20 CA for grade:secured core images. At the moment creating such a signature is only possible via a round-trip in a PPA.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1876875
Title:
Improve download-signed script to support current & grub2
Status in grub2-signed package in Ubuntu:
New
Status in linux-signed package in Ubuntu:
In Progress
Status in s390-tools-signed package in Ubuntu:
New
Bug description:
[Impact]
* Improve and generalise download-signed script to allow using it with any signed binaries we care about
* Add support to download simply the most current version
* Add support to download /uefi/ signed binaries
* Clean up arg parsing, add help, drop unused statements & imports.
[Test Case]
* Test downloading signed kernel works with public & private archives
* Test that rebuilt signed .debs are the same
[Regression Potential]
* This is a built time script, as long the binaries are downloaded &
packaged up the same, there is no end-user facing impact.
[Other Info]
* With these changes, download-signed script can be used by s390-tools-signed & grub2-signed, as well as all the kernels.
* This is needed to support resigning with different keys for different ubuntu products. For example, UC20 uses the same grub binaries, but wants an additional trustpath to UC20 CA for grade:secured core images. At the moment creating such a signature is only possible via a round-trip in a PPA.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1876875/+subscriptions
More information about the foundations-bugs
mailing list