Re: Certificate used to sign Fedora kernels for UEFI Secure Boot?

On 8/12/19 8:35 AM, Josh Boyer wrote:
> On Mon, Aug 12, 2019 at 11:23 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>>
>> On Fri, Aug 9, 2019 at 8:31 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>>>
>>> Hello all,
>>>
>>> I'm not sure if this is the place for this, but if not perhaps you
>>> could point me in the right direction?
>>>
>>> I'm looking for the certificate associated with the key used to sign
>>> the Fedora kernels for UEFI Secure Boot.  What little information I've
>>> found indicates that it should be part of the "shim" package sources,

Well, you likely want to look at the pesign package for the signing
information, but the cert isn't in there either. It's in smart cards
attached to kernel builder machines. When the kernel builds on those the
spec sees that and uses pesign to sign them, otherwise it uses a 'test'
cert to sign things.

May I ask why you want the cert?

>>> but it isn't there, and looking back at random points in its history
>>> I can't seem to find it.  I've found the CA used to sign this mystery
>>> certificate, but not the kernel's signing certificate.  Any help you
>>> can provide would be appreciated.
>>>
>>> For reference, this is the certificate I'm looking for:
>>>
>>>         Signer #0:
>>>                Subject: /CN=Fedora Secure Boot Signer
>>>                Issuer : /CN=Fedora Secure Boot CA
>>>                Serial : 9976F70F
>>>
>>> ... and no, I'm obviously not asking for the private key, just an
>>> authoritative source for the public key certificate :)

We don't have one currently, because I guess we didn't think this would
be of use to anyone. If there is some use case for it to be published,
we can do so...

>> Nobody knows where to find the "CN=Fedora Secure Boot Signer"
>> certificate?  That's a little scary :)
> 
> The people that can answer this question were all at Flock last week
> and are traveling back from it now.

Yep. I saw the email, but was at/traveling back from the conference, and
it sure didn't look urgent. ;)

> Generally speaking, Fedora infrastructure has a key they use that two
> specific build hosts have access to.

Yep. See above.

kevin
