Diffstat (limited to 'debian/README.source')
-rw-r--r-- | debian/README.source | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/debian/README.source b/debian/README.source index b955a77ad7d7..dc357cbc7ce6 100644 --- a/debian/README.source +++ b/debian/README.source @@ -278,3 +278,30 @@ linux-source-<version> binary package. Currently kernel builds use debian/build/build_<arch>_<featureset>_<flavour>, userland code uses debian/build/build-tools/<source-dir> and documentation uses debian/build/build-doc. + +Code signing +============ + +The kernel image and modules may be signed after building, to support +a Secure Boot or Trusted Boot policy. In Debian, this is performed by +a "code signing service" that is separate from the normal package +build process. + +The initial package build generates binary packages named +linux-image-<arch>-signed-template, that contain a source package +template and metadata about the files to be signed. The code signing +service will download this and the linux-image packages to be signed. +It will add detached signatures to the source package, then upload it +(without ever running debian/rules). + +The source package template is generated by +debian/bin/gencontrol_signed.py and debian/rules.real with files from +debian/signing_templates and debian/templates. To test changes to +these: + +1. Build the linux source package. +2. Generate the signed source package by running the script + "debian-test-sign" from the kernel-team.git repository. It is + also possible to set up a development configuration of the + official code signing service, but this is more complicated. +3. Build the signed source package. |
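Review bot: Step 2 of the test procedure names the "debian-test-sign" script but gives neither its location inside kernel-team.git nor the arguments it expects, and it does not say which key the test signatures are made with, so a reader cannot tell whether the resulting package will verify on a machine enforcing Secure Boot or is only good for checking that the template builds. Please add the script path, an example invocation, and a sentence on the test key. In the paragraph above it, the parenthetical "(without ever running debian/rules)" reads as a deliberate property of the signing service; if the intent is that the service never executes code shipped in the package it signs, state that in its own sentence so that later changes to the template do not quietly start depending on a build step there. It would also help to say what the "metadata about the files to be signed" contains (for example file paths only, or also digests), since that decides what the service trusts from the template package versus what it reads from the linux-image packages it downloads.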