*countable infinities only

Adam Jackson ajax at redhat.com
Thu May 31 19:18:54 UTC 2012


On 5/31/12 2:17 PM, Peter Jones wrote:
> On 05/31/2012 12:37 PM, Adam Jackson wrote:
>
>> Now if you're suggesting Fedora should ship another version of the
>> shimloader that's signed with a common Fedora key... sure, why not,
>> that could be nice.
>
> Of course since we have to /install/ a bootloader, for this to be
> effective it needs to be the same bootloader signed twice, which is
> not currently supported by the binary format. (It can, of course, be
> adapted to support it trivially without even changing the bits on the
> disk if we can talk them into it, and my tools currently include a
> partial implementation of this that's merely #define'd away.)

Not that I want to discourage multiple signatures - quite the opposite - 
but could we not install the bootloader after (and based on) looking at 
the enrolled keys?

- ajax

