From: Jan Stancek <jstancek@xxxxxxxxxx> redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 Forward-port of c9s commit 50f1da0079cb ("redhat: replace redhatsecureboot303 signing key with redhatsecureboot601") Intent is to separate trust between the different architectures, and to avoid shipping 2 CAs on ppc, since grub is also signed with redhatsecureboot601. Signed-off-by: Jan Stancek <jstancek@xxxxxxxxxx> diff --git a/redhat/Makefile b/redhat/Makefile index blahblah..blahblah 100644 --- a/redhat/Makefile +++ b/redhat/Makefile @@ -702,7 +702,7 @@ sources-rh: $(TARBALL) generate-testpatch-tmp setup-source dist-configs-check @cat $$(ls -1 $(SPECPACKAGE_NAME).changelog-* | sort -t '.' -k 3 -n -r) \ > $(SOURCES)/kernel.changelog @if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \ - cp keys/redhatsecureboot{302,303,501,ca5,ca3}.cer $(SOURCES)/; \ + cp keys/redhatsecureboot{302,501,601,ca3,ca5,ca6}.cer $(SOURCES)/; \ else \ cp keys/redhatsecureboot{401,ca4}.cer $(SOURCES)/; \ fi diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -813,24 +813,25 @@ Source2: kernel.changelog Source10: redhatsecurebootca5.cer Source11: redhatsecurebootca3.cer -Source12: redhatsecureboot501.cer -Source13: redhatsecureboot302.cer -Source14: redhatsecureboot303.cer +Source12: redhatsecurebootca6.cer +Source13: redhatsecureboot501.cer +Source14: redhatsecureboot302.cer +Source15: redhatsecureboot601.cer %ifarch x86_64 aarch64 %define secureboot_ca_0 %{SOURCE10} -%define secureboot_key_0 %{SOURCE12} +%define secureboot_key_0 %{SOURCE13} %define pesign_name_0 redhatsecureboot501 %endif %ifarch s390x %define secureboot_ca_0 %{SOURCE11} -%define secureboot_key_0 %{SOURCE13} +%define secureboot_key_0 %{SOURCE14} %define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_ca_0 %{SOURCE11} -%define secureboot_key_0 %{SOURCE14} -%define pesign_name_0 redhatsecureboot303 +%define secureboot_ca_0 %{SOURCE12} +%define secureboot_key_0 %{SOURCE15} +%define pesign_name_0 redhatsecureboot601 %endif # released_kernel diff --git a/redhat/keys/redhatsecureboot303.cer b/redhat/keys/redhatsecureboot303.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecureboot303.cer +++ /dev/null Binary files a/redhat/keys/redhatsecureboot303.cer and /dev/null differ diff --git a/redhat/keys/redhatsecureboot601.cer b/redhat/keys/redhatsecureboot601.cer new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/keys/redhatsecureboot601.cer diff --git a/redhat/keys/redhatsecurebootca6.cer b/redhat/keys/redhatsecurebootca6.cer new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/keys/redhatsecurebootca6.cer -- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849 -- _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue