From: Jan Stancek <jstancek@xxxxxxxxxx> redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 Forward-port of c9s commit 50f1da0079cb ("redhat: replace redhatsecureboot303 signing key with redhatsecureboot601") Intent is to separate trust between the different architectures, and to avoid shipping 2 CAs on ppc, since grub is also signed with redhatsecureboot601. Signed-off-by: Jan Stancek <jstancek@xxxxxxxxxx>
diff --git a/redhat/Makefile b/redhat/Makefile
index blahblah..blahblah 100644
--- a/redhat/Makefile
+++ b/redhat/Makefile
@@ -709,7 +709,7 @@ sources-rh: $(TARBALL) $(KABI_TARBALL) $(KABIDW_TARBALL) generate-testpatch-tmp
 @cat $$(ls -1 $(SPECPACKAGE_NAME).changelog-* | sort -t '.' -k 3 -n -r) \
 > $(SOURCES)/kernel.changelog
 @if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \
- cp keys/redhatsecureboot{302,303,501,ca5,ca3}.cer $(SOURCES)/; \
+ cp keys/redhatsecureboot{302,501,601,ca3,ca5,ca6}.cer $(SOURCES)/; \
 else \
 cp keys/redhatsecureboot{401,ca4}.cer $(SOURCES)/; \
 fi
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
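Review bot: In redhat/Makefile, the released-kernel `cp` list in the sources-rh recipe is a second hand-maintained copy of the certificate set that kernel.spec.template declares as Source10–Source15, and nothing in the hunk ties the two together. A make comment on its own line at column 0 above the `@if`, such as `# keep this list in sync with Source10..Source15 in kernel.spec.template`, would make the coupling visible the next time a signing key is rotated. The recipe starts before this hunk and may continue past it, so the placement should be checked against the full rule.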
@@ -816,24 +816,25 @@ Source2: kernel.changelog
 Source10: redhatsecurebootca5.cer
 Source11: redhatsecurebootca3.cer
-Source12: redhatsecureboot501.cer
-Source13: redhatsecureboot302.cer
-Source14: redhatsecureboot303.cer
+Source12: redhatsecurebootca6.cer
+Source13: redhatsecureboot501.cer
+Source14: redhatsecureboot302.cer
+Source15: redhatsecureboot601.cer
 %ifarch x86_64 aarch64
 %define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE12}
+%define secureboot_key_0 %{SOURCE13}
 %define pesign_name_0 redhatsecureboot501
 %endif
 %ifarch s390x
 %define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_0 %{SOURCE13}
+%define secureboot_key_0 %{SOURCE14}
 %define pesign_name_0 redhatsecureboot302
 %endif
 %ifarch ppc64le
-%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_0 %{SOURCE14}
-%define pesign_name_0 redhatsecureboot303
+%define secureboot_ca_0 %{SOURCE12}
+%define secureboot_key_0 %{SOURCE15}
+%define pesign_name_0 redhatsecureboot601
 %endif
 # released_kernel
diff --git a/redhat/keys/redhatsecureboot303.cer b/redhat/keys/redhatsecureboot303.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecureboot303.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecureboot303.cer and /dev/null differ
diff --git a/redhat/keys/redhatsecureboot601.cer b/redhat/keys/redhatsecureboot601.cer
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/redhatsecureboot601.cer
diff --git a/redhat/keys/redhatsecurebootca6.cer b/redhat/keys/redhatsecurebootca6.cer
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
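Review bot: Inserting redhatsecurebootca6.cer as Source12 shifts Source13 and Source14, so the `secureboot_key_0` defines for x86_64/aarch64 and s390x had to be edited even though those architectures keep their keys; each renumbered line is a chance to pair a CA with the wrong signing certificate. Unless the numbering is meant to mirror the c9s commit, reusing the slot freed by 303 and appending the CA would confine the change to the ppc64le block: `Source14: redhatsecureboot601.cer`, `Source15: redhatsecurebootca6.cer`, with ppc64le pointing at `%{SOURCE15}` and `%{SOURCE14}`. The two new .cer files carry no content in this mail, so whether redhatsecureboot601 actually chains to redhatsecurebootca6 cannot be confirmed from the page and is worth checking on the merge request. The conditional that the trailing `# released_kernel` comment refers to appears to extend beyond the hunk.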
+++ b/redhat/keys/redhatsecurebootca6.cer -- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849