dm-verity and secureboot

[ulrichard]

No description provided.

[ulrichard]

@gnapoli23
57bdb07f0097d9c67caa793991684c5c523d49e8b22bcde00f6e07aed340d183 output/livedeb.iso
1304ba13dbcbbe82f984c32e2f63d10efdfa09e47c2a8d3ad2c1b51b2fb88f0c output/livedeb-nosb.iso

[gnapoli23]

Is it worth removing our PGP key (and so the secureboot certificates) in favour of some random generated ones? Or even better, generate them each time a new iso is created (just as a reference on how it works). As is, we are the only ones who can build this repo.

[ulrichard]

d947c046f9764709fb6eea4cd3456d482b4e641f684d78ab67ef2cbedc16968f output/livedeb.iso
04227cbff514f22c2cdda5a19f162031cd5becc203996763074c996b56a06029 output/livedeb-nosb.iso

Everybody can build the version without secureboot. And everybody could fork with their own keys. I think our verts can serve as a good reference. I don' know what new keys for each build would improve. With our certs we can use the ISOs directly, and everybody who trusts us enough.

[gnapoli23]

Yes and no. Building the version without secureboot it's like saying this PR does not make sense, or at least that you (as random user) are able to use it with seureboot only if you know how to generate those certificates, which can be ok but not for everybody. I honestly think that adding also the possibility to generate the keys and certificates with some optional command would really be helpful, so that the random user can then copy and import the related secureboot keys with ease. I will take care of it., sooner or later.

BTW, not matching
bc9c2f59339484b5a317b59fd1d4e6615096c2d4cdbf109f37ca99afb4f521fb output/livedeb.iso