Re: Certificate used to sign Fedora kernels for UEFI Secure Boot?

On Fri, Aug 09, 2019 at 08:31:06AM -0400, Paul Moore wrote:
> Hello all,
> 
> I'm not sure if this is the place for this, but if not perhaps you
> could point me in the right direction?
> 
> I'm looking for the certificate associated with the key used to sign
> the Fedora kernels for UEFI Secure Boot.  What little information I've
> found indicates that it should be part of the "shim" package sources,
> but it isn't there, and looking back at random points in its history
> I can't seem to find it.

We don't package the certs to the signer, because the signatures should
be verified against the issuer.  That said, the whole signing chain is
in the signatures, or else that wouldn't work.

> I've found the CA used to sign this mystery certificate, but not the
> kernel's signing certificate.  Any help you can provide would be
> appreciated.
> 
> For reference, this is the certificate I'm looking for:
> 
>         Signer #0:
>                Subject: /CN=Fedora Secure Boot Signer
>                Issuer : /CN=Fedora Secure Boot CA
>                Serial : 9976F70F
> 
> ... and no, I'm obviously not asking for the private key, just an
> authoritative source for the public key certificate :)

I've put the issuer and both signers at:

https://pjones.fedorapeople.org/secure-boot/

For what it's worth, you can also extract these with:

pesign -i grubx64.efi -e grub.sig
openssl pkcs7 -in grub.sig -inform der -print_certs

It doesn't matter if you pick grub, kernel, fwupdate, or any of the
things in the shim package except the one thing signed by someone else.
Each binary will have one of the signer certs, depending on which host
it was built on, and the issuer cert.

-- 
  Peter