Re: Certificate used to sign Fedora kernels for UEFI Secure Boot?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Aug 12, 2019 at 11:23 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Fri, Aug 9, 2019 at 8:31 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >
> > Hello all,
> >
> > I'm not sure if this is the place for this, but if not perhaps you
> > could point me in the right direction?
> >
> > I'm looking for the certificate associated with the key used to sign
> > the Fedora kernels for UEFI Secure Boot.  What little information I've
> > found indicates that it should be part of the "shim" package sources,
> > but it isn't there, and looking back and random points in it's history
> > I can't seem to find it.  I've found the CA used to sign this mystery
> > certificate, but not the kernel's signing certificate.  Any help you
> > can provide would be appreciated.
> >
> > For reference, this is the certificate I'm looking for:
> >
> >         Signer #0:
> >                Subject: /CN=Fedora Secure Boot Signer
> >                Issuer : /CN=Fedora Secure Boot CA
> >                Serial : 9976F70F
> >
> > ... and no, I'm obviously not asking for the private key, just an
> > authoritative source for the public key certificate :)
>
> Nobody knows where to find the "CN=Fedora Secure Boot Signer"
> certificate?  That's a little scary :)

The people that can answer this question were all at Flock last week
and are traveling back from it now.

Generally speaking, Fedora infrastructure has a key they use that two
specific build hosts have access to.

josh

> I guess I can just extract it from the signed kernel image and verify
> it with the CA but that seems like a bad answer to me.
>
> --
> paul moore
> www.paul-moore.com
> _______________________________________________
> kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux