-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

rharwood's statement about Secure Boot on 2022-11-02:

I'm one of the upstream maintainers for
[pesign](https://github.com/rhboot/pesign), which is used for signing EFI
binaries, and I'm one of the upstream maintainers of
[shim](https://github.com/rhboot/shim), which most Linux distros use to
transition from the firmware's security domain to the kernel's.  I'm also
responsible for Fedora's, RHEL's, and CentOS's builds of pesign, shim, and
grub2.  I'm not responsible for the kernels for Fedora, RHEL, or CentOS, nor
for determining which of them finally get signed for Secure Boot.

# Fedora

At no point have I been contacted with warrants of any kind, or any similar
instrument, or in any way, from governmental or non-governmental entities,
about inclusion of any kind of malware or backdoor in Fedora's signed secure
boot binaries, including shim, grub2, the kernel, and pesign, nor have I at
any time been approached about disclosure of our signing keys.  I am also not
aware of anyone else involved in our signing that has been contacted with
warrants of any kind, or any similar instrument, or in any way, from
governmental or non-governmental entities, about inclusion of any kind of
malware or backdoor in Fedora's signed secure boot binaries, including shim,
grub2, the kernel, and pesign, nor am I aware of any other involved party
having at any time been approached about disclosure of our signing keys
(except the troll called out in pjones's statement).

# RHEL

At no point have I been contacted with warrants of any kind, or any similar
instrument, or in any way, from governmental or non-governmental entities,
about inclusion of any kind of malware or backdoor in RHEL's signed secure
boot binaries, including shim, grub2, the kernel, and pesign, nor have I at
any time been approached about disclosure of our signing keys.  I am also not
aware of anyone else involved in our signing that has been contacted with
warrants of any kind, or any similar instrument, or in any way, from
governmental or non-governmental entities, about inclusion of any kind of
malware or backdoor in RHEL's signed secure boot binaries, including shim,
grub2, the kernel, and pesign, nor am I aware of any other involved party
having at any time been approached about disclosure of our signing keys.

# CentOS

At no point have I been contacted with warrants of any kind, or any similar
instrument, or in any way, from governmental or non-governmental entities,
about inclusion of any kind of malware or backdoor in CentOS's signed secure
boot binaries, including shim, grub2, the kernel, and pesign, nor have I at
any time been approached about disclosure of our signing keys.  I am also not
aware of anyone else involved in our signing that has been contacted with
warrants of any kind, or any similar instrument, or in any way, from
governmental or non-governmental entities, about inclusion of any kind of
malware or backdoor in CentOS's signed secure boot binaries, including shim,
grub2, the kernel, and pesign, nor am I aware of any other involved party
having at any time been approached about disclosure of our signing keys.

# Upstream pesign/shim

At no point have I been contacted with warrants of any kind, or any similar
instrument, or in any way, from governmental or non-governmental entities,
about inclusion of any kind of malware or backdoor into either shim or pesign.
I am also unaware of any other contributor to shim or pesign having been
contacted with warrants of any kind, or any similar instrument, or in any way,
from governmental or non-governmental entities, about inclusion of any kind of
malware or backdoor into either shim or pesign.

# Change history

2022-03-09: created document based on [pjones's current
statement](https://blog.uncooperative.org/shim-info-2022-03-02.txt.asc).

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEA5qc6hnelQjDaHWqJTL5F2qVpEIFAmNiibMACgkQJTL5F2qV
pEJHkQ//WRlWOH7FUVPI7/4L43vEa5NLq37K9XUczrO6sNpuOo5XLRKFn8LX1Qgq
hBdqkLiY3Mxbib9uekO1CpV9uGsOuxf+Y0I9DDTT6qLX9H8qsc66fv/P4lMOku/C
OayQDyEqUn4MhmqcM+3G8pC1WllyxKGpk+x+oKQ7Rfci9f3PqiJ3xurEerHgiYhP
6M2PYVCK97K2LEwi3lC7C9Jcaj0pXcpcCDLxQgaCjxvAjuhwXp8KO9OjfzokMEwM
9DZaSlELPpc+Ez6JIRZhIdPPDCfXTF2VrZ06314aGmra39I5p/7hdnHLTzvoq9j8
t+MAk8d70ex6Rj9ZLzHLYhPIWHRXf2bwEtYwYyoGotcVwTSPlx2X6DAIyHOc+iIR
jh9h6AvBg4hu8MNi6sFC9MgqV+yW0PZ5hpxQL5NhZl2woKy+ZIwVtP0189flbGLj
xM/c5MthQ+W30x/JX1FMRHSdMfcTy7RDaKLqBurA0559aymPTJvtBDYXLGh6If6V
X6o5/IK+Gr17QV4g3E60//Pm2cmaz3a7s8l9Km2hPIsxGXE7SuKZrkT2e9hTef2K
cze2fGCvEIdrs6WZv2rBrjAcx2xnT4JJFA5CJmp4J84jNk4r231BDdExYrlkM+Hq
kLYs4e7BaCaHDiXldrt2Lf5xFV1tDcSPalaKEE8GBIjMdGwPtTM=
=qzwO
-----END PGP SIGNATURE-----