On Sun, Aug 2, 2020 at 11:45 AM Phil Perry <pperry at elrepo.org> wrote:

> On 02/08/2020 16:26, Valeri Galtsev wrote:
> >
> > On the side note: it is Microsoft that signs one of Linux packages now.
> > We seem to have made one more step away from “our” computers being _our
> > computers_. Am I wrong?
> >
> > Valeri
> >
>
> Microsoft are the Certificate Authority for SecureBoot and most
> SB-enabled hardware (most x86 hardware) comes with a copy of the
> Microsoft key preinstalled allowing binaries that are signed by
> Microsoft to work. In the case of Linux, that is the shim which becomes
> the root of trust to load everything else. If you are not happy with
> that you can always become your own certificate authority by generating
> your own keys, install your signing keys in the hardware's firmware (MOK
> list) and sign stuff yourself to use on your own machine(s).
>
> However if you wish to distribute stuff to others and have it work
> seamlessly on hardware outside of your direct control and without the
> need for every user to import your CA SecureBoot signing key into the
> MOK list on every device, you would rely on Microsoft to sign SB related
> content.
>

Now, does Microsoft have to sign each released module themselves, or will
they issue a CA cert to an authorized OS creator, like RH, then let RH
sign their own modules?

E.g., Microsoft RootCA -> Signed Package

vs.

Microsoft RootCA -> RH Child CA -> Signed Package

....

--
-john r pierce
  recycling used bits in santa cruz
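The "become your own certificate authority" route Phil describes above (generate a key, enrol it in the firmware's MOK list via shim, sign your own modules), as an added worked example that is not code from this thread, from shim, or from any distribution. It assumes openssl is installed; mokutil and the kernel's sign-file are only invoked when present on the machine, and the key name, subject and sample payload are illustrative. Steps 1 to 3 are the real procedure; step 4 is an offline stand-in that exercises the same primitive sign-file uses (a detached, attribute-less CMS signature with the certificate omitted) so the trust check can be run and watched failing on a tampered payload without a kernel build tree:

```shell
#!/bin/sh
# Added example (not from the thread, shim, or any distro): act as your own
# Secure Boot CA for machines you control. Generates a Machine Owner Key
# (MOK), shows the enrolment and module-signing commands, and demonstrates
# offline the detached PKCS#7/CMS signature that sign-file produces and that
# the kernel checks against the keys shim loaded from the MOK list.
# Assumptions: openssl is installed; mokutil and sign-file are only run when
# present. Names, paths and the payload are illustrative/constructed.
set -eu

WORK="$(mktemp -d)"   # scratch directory for keys and the sample payload

# 1. Key pair + self-signed certificate. shim/mokutil want the cert in DER;
#    sign-file wants the PEM private key. Long lifetimes are usual for MOKs
#    because firmware has no trustworthy clock to enforce expiry anyway.
make_mok_key() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -subj "/CN=Example Machine Owner Key" \
        -keyout "$WORK/MOK.priv" -outform DER -out "$WORK/MOK.der" 2>/dev/null
    # PEM copy of the same certificate for the openssl cms calls below
    openssl x509 -inform DER -in "$WORK/MOK.der" -out "$WORK/MOK.pem"
    [ -s "$WORK/MOK.priv" ] && [ -s "$WORK/MOK.der" ]
}

# 2. Enrol the public half into the firmware's MOK list. mokutil only queues
#    the request; shim's MokManager asks for the one-time password at the
#    next boot and writes the key into the MokList variable.
enroll_mok() {
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --import "$WORK/MOK.der"
    else
        echo "mokutil not found; on the target: mokutil --import MOK.der, then reboot" >&2
        return 1
    fi
}

# 3. Sign a kernel module with the MOK. sign-file appends a detached CMS
#    signature without the certificate; the kernel looks the key up by ID.
sign_module() {
    ko="$1"
    for sf in "/usr/src/kernels/$(uname -r)/scripts/sign-file" \
              "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" \
              "/lib/modules/$(uname -r)/build/scripts/sign-file"; do
        if [ -x "$sf" ]; then
            "$sf" sha256 "$WORK/MOK.priv" "$WORK/MOK.der" "$ko"
            return
        fi
    done
    echo "kernel sign-file not found; install the kernel headers/devel package" >&2
    return 1
}

# 4. Offline stand-in for step 3: same primitive (detached, attribute-less
#    CMS signature, certificate omitted) over a constructed payload.
sign_payload() {
    printf 'constructed sample module bytes\n' > "$WORK/payload"
    openssl cms -sign -binary -noattr -nocerts \
        -signer "$WORK/MOK.pem" -inkey "$WORK/MOK.priv" \
        -in "$WORK/payload" -outform DER -out "$WORK/payload.p7s"
    [ -s "$WORK/payload.p7s" ]
}

# Verify a file against the detached signature, trusting only MOK.pem, the
# way the kernel trusts only the keys shim handed it. Non-zero on any change.
verify_payload() {
    openssl cms -verify -binary -inform DER -in "$WORK/payload.p7s" \
        -content "$1" -certfile "$WORK/MOK.pem" -CAfile "$WORK/MOK.pem" \
        -purpose any -out /dev/null 2>/dev/null
}

# Stand-alone run: generate, sign, verify the good payload, reject a tampered copy.
make_mok_key
sign_payload
verify_payload "$WORK/payload"
echo "good payload: signature verifies against the MOK"
cp "$WORK/payload" "$WORK/tampered"
printf 'x' >> "$WORK/tampered"
if verify_payload "$WORK/tampered"; then echo "BUG: tampered payload accepted"; exit 1; fi
echo "tampered payload: rejected"
echo "on the real machine: enroll_mok, reboot and confirm in MokManager, then sign_module my.ko"
```

The important property is in `verify_payload`: the only trust anchor handed to the verifier is the MOK itself, so nothing signed by any other key (Microsoft's included) passes, which is exactly the trade Phil describes: full control on your own hardware, at the cost of every other machine having to enrol your key before it will load what you signed.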