Merge ~ubuntu-core-dev/grub/+git/ubuntu:check-known-sigs into ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu
Proposed by
Mathieu Trudel-Lapierre
| Status: | Merged |
|---|---|
| Merged at revision: | e085fe375e78d4e5a6df34089cc0440b83a03281 |
| Proposed branch: | ~ubuntu-core-dev/grub/+git/ubuntu:check-known-sigs |
| Merge into: | ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu |
| Diff against target: |
121 lines (+62/-2) 3 files modified
debian/canonical-uefi-ca.crt (+25/-0) debian/grub-check-signatures (+36/-2) debian/grub-common.install.in (+1/-0) |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Steve Langasek | Needs Fixing | ||
|
Review via email:
|
|||
Commit message
grub-check-
Description of the change
Check kernel signatures against the certs we can export from firmware, and against the Canonical cert we can ship on disk (to guard against an empty MokListRT, despite the cert really being known by our shim).
I think the low risk of false positives (saying we trust the Canonical signature when people use their own shim, etc.) is low enough, and it's an unlikely setup already, that people can deal with it on their own.
To post a comment you must log in.
Revision history for this message
| Steve Langasek (vorlon) | # |
review:
Needs Fixing
Revision history for this message
| Mathieu Trudel-Lapierre (cyphermox) | # |
Revision history for this message
| Steve Langasek (vorlon) | # |
There was an error fetching revisions from git servers. Please try again in a few minutes. If the problem persists, contact Launchpad support.
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
