You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently signing (secureboot, verity) is done inline, ie: mkosi expects access to the private key material during the build. This doesn't work in many setups where the private key is kept on a detached system, accessible only through infrastructure-specific interfaces. The standard pattern there is to do the first build pass, get a list of hashes to sign, ship them off via some method, and get back detached signatures, and do a second build pass to apply such signatures. This is how OBS works for example: https://en.opensuse.org/openSUSE:Build_Service_Signer
So we'd need to support a build mode that creates the partitions and EFI images, but doesn't actually store signatures, and a second mode that takes a stubbed image and detached signatures, and applies them.
The text was updated successfully, but these errors were encountered:
Currently signing (secureboot, verity) is done inline, ie: mkosi expects access to the private key material during the build. This doesn't work in many setups where the private key is kept on a detached system, accessible only through infrastructure-specific interfaces. The standard pattern there is to do the first build pass, get a list of hashes to sign, ship them off via some method, and get back detached signatures, and do a second build pass to apply such signatures. This is how OBS works for example: https://en.opensuse.org/openSUSE:Build_Service_Signer
So we'd need to support a build mode that creates the partitions and EFI images, but doesn't actually store signatures, and a second mode that takes a stubbed image and detached signatures, and applies them.
The text was updated successfully, but these errors were encountered: