--- shim-info-2017-10-05.txt.asc 2017-11-07 10:20:34.528924232 -0500 +++ shim-info-2017-11-07.txt.asc 2017-11-07 10:20:49.739016866 -0500 @@ -1,7 +1,7 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -pjones' statement about Secure Boot on 2017-10-05: +pjones' statement about Secure Boot on 2017-11-07: I'm involved in Secure Boot signing in various distros in several ways. 
@@ -16,17 +16,17 @@ As the guy who gets shim signed for Fedora: -At no point have I been contacted with warrants of any kind, or any -similar instrument, or in any way, from governmental or non-governmental -entities, about inclusion of any kind of malware or backdoor in Fedora's -signed secure boot binaries, including shim, grub2, the kernel, and pesign, -nor have I at any time been approached about disclosure of our signing -keys. I am also not aware of anyone else involved in our signing that has -been contacted with warrants of any kind, or any similar instrument, or in -any way, from governmental or non-governmental entities, about inclusion of -any kind of malware or backdoor in Fedora's signed secure boot binaries, -including shim, grub2, the kernel, and pesign, nor am I aware of any other -involved party having at any time been approached about disclosure of +At no point have I been contacted with warrants of any kind, or any similar +instrument, or in any way, from governmental or non-governmental entities, +about inclusion of any kind of malware or backdoor in Fedora's signed secure +boot binaries, including shim, grub2, the kernel, and pesign, nor have I at any +time been approached about disclosure of our signing keys, except by one lazy +troll on the internet. I am also not aware of anyone else involved in our +signing that has been contacted with warrants of any kind, or any similar +instrument, or in any way, from governmental or non-governmental entities, +about inclusion of any kind of malware or backdoor in Fedora's signed secure +boot binaries, including shim, grub2, the kernel, and pesign, nor am I aware of +any other involved party having at any time been approached about disclosure of our signing keys. As the guy who gets shim signed for RHEL: 
@@ -65,19 +65,46 @@ entities, about inclusion of any kind of malware or backdoor into either shim or pesign. +November 2017 update: One rando from the internet has sent me an email +to tell me that I should "consider myself approached" regarding the +Fedora signing keys. Here's what the guy with way too much time on his +hands said: + +- ------------------------------------------------------------------------------ +Date: Tue, 31 Oct 2017 14:46:07 -0400 +From: Eduardo Gines +Subject: Fedora SecureBoot signing keys + +Hey Peter, + +I'd like you to share with me key used for signing shim in Fedora Project Linux. + +Consider yourself approached. + +AdiĆ³s, +Eduardo +- ------------------------------------------------------------------------------ + +Just so we're clear, I don't consider a lazy email to be the sort of +contact we're talking about here. So while I've changed the language +on the Fedora section above to reflect that I have, in fact, been +contacted in /some/ way by a non-governmental entity, in the future if +this is the amount of effort you put into this, I'm just going to mark +it spam. Congratulations, you found a new way to be bad for the world, +and it's mostly just tedious. Most people just stick to the old ways. 
-----BEGIN PGP SIGNATURE----- -iQIcBAEBCgAGBQJZ1mjlAAoJEO7SZrcPT+8QoEwQAIK3qU3AZBPyMQahecmfzL8S -gcZUBwfndVx3s/4jB1VaIXurLGY9ZaPlwZ704yZSH+W5/hpNdiGOilJ7dj7T7Md6 -mgHrABOaeUb1gyvq1SY85+bjCM5x3Y49Et1Acsr35LeZE8QO4omo8ZTEhYFwxc1v -FtGFS8B9SojN579d3Zd1jdE9jiSO5GMXhaDvAI7pY0AFDOxnLweXx0Wq9eDZX8IT -Z4swr51xpDTQI6PM65JfdCKQi+p6m7PTOu6Tk71eMhM2i3JMveja2XnDjVflIYnu -IdhKPLKpXQOS26vtrQpTGgQ5C+ujo6WPguxZGtuipwcSGoXa618G7PGCbyEAZlMH -/xdy9nT34Ik1/99lllUQQxvaxcwE406KtweR9Nrm8lJCpwHvVp+WjB4mx7fDuSrJ -9fwRW1Ehm930G/Tg//C4arkb5tyeUK2yt7G/iH51cLsLoQiuKXlVJ7TfeDTwi4D6 -UIl9biZFBfm4GZSPuyRmXwcXxMegp1jTaHiMqAxFhmaLuBixfGJ91+w7unvEB+YN -8ADz8J2sByR15WMP59E2NuYpl2wXCk45v2nLjjwQUBuXfHSv7ThrYqxfr5KPIt1/ -7aPUVfJrkZAmsYLHod6/KYwOF3PwWGNKdPDQ747Kp+VunmlDM7tLjXzPzO7Z49OL -LuLnI1LaY71QczuC1z6T -=4/kx +iQIcBAEBCgAGBQJaAc9MAAoJEO7SZrcPT+8QQRwP/06oFjj3fqQVzICj1eJrbesP +AwuruSisUXlKa3fKfJoCfMFBBF53BH71uevSRfowMZypGxgQ28KPHBQ6qz/Rx3oc +sPAFIbMIldLtD6zdzJWPJ4oZI0cReVtzJvFK9KXNtIjUG+aAW7NVfQgPgmIrI+rk +1QIFa5oX9b0/0VD3FnCuFbrpwebVWkg4Nqc7oEpGJwNS/rxGi9qOPjAus2WuC683 +ai5fFss/9ZZBx00FPx7ehKCAWhrAkLdWOrXXfuNudOVdYIsWVw4la5oDm3oq+VV1 +olNiNUAFP4hvLXkcwEvbShDFoDKOTrpmjeuxhsiXdnYmKEKmnNnhglYcXYigfVpn +JJPEUw9Yx2hIOCKIpnYyRK19Z64gBKcQgXixyPD3WxI4iAuJzuIwY2/v45l8PQua +fNmIz6uR9zHl3z+xGbTcBHIGs3GrYXtYqghkVui2oo42ukyQ4OxAlvUdfXKcR7Ja +JT425cPQCGStLP6ZLVb6rq4C7IuG2MUe/AJm5Zyu4DBQME1YZPGCmHWbKVEsqB/o +uZu5G69KN2snE3GoZsNXOptjh+xosO8HHS5XwQmRqOAxQo3ZadYQe+oqwIe+foP1 +lLfWzNQcFtpdLCG0hryswWzFiAFoNxV6Fuo5ju57FTHbYCTT/9iQ8AAStf1oUMak +modjpCkSjBUpvaCj9O+a +=/4uR -----END PGP SIGNATURE-----
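Review bot: In the Fedora paragraph (hunk at -16,17), the only substantive change is the inserted clause "except by one lazy troll on the internet", but the whole paragraph has been re-wrapped to a wider line length, so eleven lines are removed and re-added. The point of publishing successive signed versions of this statement is that readers diff them, and here they have to compare the old and new paragraphs word by word to confirm nothing else moved. Suggest keeping the previous wrapping and touching only the line that ends "approached about disclosure of our signing" plus the one after it. If the re-wrap is wanted, do it in a separate revision with no wording change.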
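Review bot: In the last hunk (-65,19), the "November 2017 update" is appended after the shim/pesign statement and refers back to "the Fedora section above", but the Fedora paragraph itself carries no pointer forward. A reader who stops at "except by one lazy troll on the internet" has no indication that the exception is explained and quoted further down. Suggest adding a short reference in the Fedora paragraph, for example "(see the November 2017 update below)". Separately, the quoted e-mail's sign-off shows as "AdiĆ³s" in the added lines. If that is what the signed text contains rather than a display artifact, check the file's encoding before signing, since fixing it afterwards means issuing a new signature.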