On Thu, 07 Jun 2012 16:21:41 -0400, Andrew Joakimsen wrote:
Let's say each kernel/complete packaged os release requires a unique certificate.
I don't expect it'd be a unique certificate per release - the certificate is used for generating a digital signature (checksum + chain of trust), so as long as the certificate is within it's certificate validity interval (I've seen some issued for as few as 2 years and as much as 10 years, though certainly other intervals can be valid as well). The purpose of the signature is to prove that the compiled kernel was built by a trusted source and is unmodified. So being my own "devil's advocate", if we did issue certs (assuming an intermediate signing CA could be approved), what steps would we need to put in place to ensure that those using OBS or Studio were trustworthy? Come to think of it, though, a separate signature probably wouldn't be necessary for Studio as long as a validly signed kernel were used in the build. If a custom kernel were used (from an unofficial repo without a signed key), then that's where the additional kernel would be signed. But the more I think about it, the more I wonder if the official kernels are signed so UEFI could work, whether it would be necessary to have Studio builds have any additional signing done. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org