author: Ben Hutchings <ben@decadent.org.uk> 2019-10-26 14:59:34 +0100
committer: Ben Hutchings <ben@decadent.org.uk> 2019-10-26 14:59:34 +0100
commit: 349112b1abc5dea0b17d89613f8a3bde684be75d
tree: e9c9053db03bb7299c8a2dc358a624f0e2984d59 /debian/README.source
parent: 51d8693766c15c1a0321284d34f81d11055d69cc
debian/README.source: Document code signing and how to test it
Diffstat (limited to 'debian/README.source')
-rw-r--r-- debian/README.source 27
1 files changed, 27 insertions, 0 deletions
diff --git a/debian/README.source b/debian/README.source
index b955a77ad7d7..dc357cbc7ce6 100644
--- a/debian/README.source
+++ b/debian/README.source
@@ -278,3 +278,30 @@ linux-source-<version> binary package. Currently kernel builds use
debian/build/build_<arch>_<featureset>_<flavour>, userland code uses
debian/build/build-tools/<source-dir> and documentation uses
debian/build/build-doc.
+
+Code signing
+============
+
+The kernel image and modules may be signed after building, to support
+a Secure Boot or Trusted Boot policy. In Debian, this is performed by
+a "code signing service" that is separate from the normal package
+build process.
+
+The initial package build generates binary packages named
+linux-image-<arch>-signed-template, that contain a source package
+template and metadata about the files to be signed. The code signing
+service will download this and the linux-image packages to be signed.
+It will add detached signatures to the source package, then upload it
+(without ever running debian/rules).
+
+The source package template is generated by
+debian/bin/gencontrol_signed.py and debian/rules.real with files from
+debian/signing_templates and debian/templates. To test changes to
+these:
+
+1. Build the linux source package.
+2. Generate the signed source package by running the script
+ "debian-test-sign" from the kernel-team.git repository. It is
+ also possible to set up a development configuration of the
+ official code signing service, but this is more complicated.
+3. Build the signed source package.
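
Review bot: Step 2 of the test procedure names the script "debian-test-sign" and the kernel-team.git repository but gives neither the repository location, the script's path within it, nor an example invocation, so the procedure cannot be followed from this file alone; suggest adding the URL and a sample command line. The steps also end at "Build the signed source package" without saying which key the test script signs with or how to confirm that the resulting image and modules actually carry valid signatures, which is what someone testing a Secure Boot or Trusted Boot change needs to know; a short step 4 describing that check would close the gap. The sentence about a development configuration of the official code signing service could point to where that setup is documented instead of only saying it is more complicated.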