Meta: Requiring a signing transparency log

[julian-klode]

(I've discussed this with a couple of people before, I don't know if it's been raised off record by anyone yet, but here we go)

We should know what has been signed, hence vendors should provide a public signing transparency log listing each binary with the following information:

• When it was signed
• The PE hash
• The sources it was built from (e.g. source package versions for linux distros or something I can follow there)

Plan:

• Flesh out log service requirements and format
• Require log presence starting for shim SBAT level 4 or June (now + 6 months), whatever earlier
• Record all vendors that were signed with log service requirement and their vendor DB certificates
• Feature in fwupd (@hughsie) to submit hashes of installed EFI binaries from known vendors to LVFS on opt-in, so that it can be detected if binaries were omitted from the signing log.

[hughsie]

Sigstore?