On Tuesday, May 30, 2023 10:00:53 PM EDT Chris Murphy wrote: > On Fri, May 26, 2023, at 10:20 AM, Steve Grubb wrote: > > sbattach --detach signature /boot/efi/EFI/BOOT/BOOTX64.EFI > > openssl pkcs7 -inform DER -in signature -text -print_certs > > > shim-certs.txt> > > Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, > > > > CN=Microsoft Corporation UEFI CA 2011 > > > > Validity > > > > Not Before: Sep 9 19:40:20 2021 GMT > > Not After : Sep 1 19:40:20 2022 GMT > > What version of shim do you have installed? What edition/spin are you > using? This is plain old F38. The shim is shim-x64-15.6-2.x86_64 > I have shim-x64-15.6-2.x86_64 and it's reporting > > Not Before: Jun 27 21:22:45 2011 GMT > Not After : Jun 27 21:32:45 2026 GMT > > A possible explanation is rpm-ostree derivatives may show a current version > grub and shim, but those are not copied to the EFI System partition. > That's the job of bootupd but I'm not sure if that's fully implemented yet > in Fedora. Appearantly not. But rpm -qf /boot/efi/EFI/BOOT/BOOTX64.EFI shows it is owned by the shim. locate BOOTX64.EFI only shows one location, the previously mentioned path. I understand that certificate validation cannot take time and date into account during boot because you have no idea if the system clock is accurate until the whole OS can run a NTP sync. But I am just surprised my system has binaries with expired signatures. -Steve _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
