On 8/12/19 8:35 AM, Josh Boyer wrote:
> On Mon, Aug 12, 2019 at 11:23 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>>
>> On Fri, Aug 9, 2019 at 8:31 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>>>
>>> Hello all,
>>>
>>> I'm not sure if this is the place for this, but if not perhaps you
>>> could point me in the right direction?
>>>
>>> I'm looking for the certificate associated with the key used to sign
>>> the Fedora kernels for UEFI Secure Boot. What little information I've
>>> found indicates that it should be part of the "shim" package sources,

Well, you likely want to look at the pesign package for the signing
information, but the cert isn't in there either. It's in smart cards
attached to kernel builder machines. When the kernel builds on those the
spec sees that and uses pesign to sign them, otherwise it uses a 'test'
cert to sign things.

May I ask why you want the cert?

>>> but it isn't there, and looking back at random points in its history
>>> I can't seem to find it. I've found the CA used to sign this mystery
>>> certificate, but not the kernel's signing certificate. Any help you
>>> can provide would be appreciated.
>>>
>>> For reference, this is the certificate I'm looking for:
>>>
>>> Signer #0:
>>> Subject: /CN=Fedora Secure Boot Signer
>>> Issuer : /CN=Fedora Secure Boot CA
>>> Serial : 9976F70F
>>>
>>> ... and no, I'm obviously not asking for the private key, just an
>>> authoritative source for the public key certificate :)

We don't have one currently, because I guess we didn't think this would
be of use to anyone. If there is some use case for it to be published,
we can do so...

>> Nobody knows where to find the "CN=Fedora Secure Boot Signer"
>> certificate? That's a little scary :)
>
> The people that can answer this question were all at Flock last week
> and are traveling back from it now.

Yep. I saw the email, but was at/traveling back from the conference, and
it sure didn't look urgent. ;)

> Generally speaking, Fedora infrastructure has a key they use that two
> specific build hosts have access to.

Yep. See above.

kevin