Improve download-signed script to support current & grub2
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
grub2-signed (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
linux-signed (Ubuntu) |
Fix Released
|
Wishlist
|
Unassigned | ||
s390-tools-signed (Ubuntu) |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
[Impact]
* Improve and generalise download-signed script to allow using it with any signed binaries we care about
* Add support to download simply the most current version
* Add support to download /uefi/ signed binaries
* Clean up arg parsing, add help, drop unused statements & imports.
[Test Case]
* Test downloading signed kernel works with public & private archives
* Test that rebuilt signed .debs are the same
[Regression Potential]
* This is a built time script, as long the binaries are downloaded & packaged up the same, there is no end-user facing impact.
[Other Info]
* With these changes, download-signed script can be used by s390-tools-signed & grub2-signed, as well as all the kernels.
* This is needed to support resigning with different keys for different ubuntu products. For example, UC20 uses the same grub binaries, but wants an additional trustpath to UC20 CA for grade:secured core images. At the moment creating such a signature is only possible via a round-trip in a PPA.
tags: | added: patch |
tags: | added: id-5eb1356d8ee9193c6cf7fc0b |
Changed in s390-tools-signed (Ubuntu): | |
status: | New → Won't Fix |
Changed in linux-signed (Ubuntu): | |
importance: | Undecided → Wishlist |
status: | In Progress → Fix Committed |
https:/ /lists. ubuntu. com/archives/ kernel- team/2020- May/109572. html