On 2022-02-02 12:40:56 (+0100), Morten Linderud via arch-dev-public wrote:
# Signed SHIM
First off, we need to have a signing solution for this. My idea has been to piggy-back on the existing work on the signing-enclave. However, its current focus is GnuPG and I need something which can support x509 certificates and preferably PKCS11 for hardware tokens.
I think having a separate POC for this and later folding it into the signing-enclave is a good option as well.
Once we have a key we can embed into the shim, we can build a shim package and submit it for review to Microsoft.
https://github.com/rhboot/shim-review
Once this is signed and approved by Microsoft we can provide our own "shim-signed" package.
As a short addition: This topic is (also) tracked in the context of archiso (with more links to previous mailing list and issue tracker discussions): https://gitlab.archlinux.org/archlinux/archiso/-/issues/69
I think it would be good to track this effort in an overarching meta repo using an epic though, so that we can more easily identify the blockers and/or follow-up tickets towards e.g. packaging, infrastructure, archiso, etc. (this would be beneficial for a bunch of our "larger topics")
FWIW: The shim package is already available in [community] (it's unsigned of course).
# RFC
I think this entire process should be an RFC along with how we want to accomplish each step.
https://gitlab.archlinux.org/archlinux/rfcs/
My main focus is mostly going to be around the Git package migration but I have been tempted to write up a POC when I have a weekend. It would mostly be to make an example signing solution and some package examples.
I believe an RFC around this would be great, to outline the various things that we would need to support to make this happen. This needs a dedicated set of people working on this and spending the time to do this right. I would love to see this happen, but currently do not see myself in any position to help with it.
Best,
David
--
https://sleepmap.de