[Bug 1880197] Re: mokmanager is signed using ephemeral key, instead of Vendor Key
Steve Langasek
1880197 at bugs.launchpad.net
Fri May 22 17:42:26 UTC 2020
** Information type changed from Public Security to Public

** Changed in: shim-signed (Ubuntu)
   Importance: Undecided => Low

** Changed in: shim-signed (Ubuntu)
   Status: New => Triaged

** Summary changed:
- mokmanager is signed using ephemeral key, instead of Vendor Key
+ ephemeral key used to sign mokmanager should have better certificate attributes
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1880197
Title:
ephemeral key used to sign mokmanager should have better certificate
attributes
Status in shim-signed package in Ubuntu:
Triaged
Bug description:
I try to boot mokmanager. It fails to boot, as it's not signed with
the Canonical online key, chained to the Canonical CA, which shim tries to
validate and fails. I see a scary blue screen of death with validation
errors.
  # sbverify --list /boot/efi/EFI/ubuntu/mmx64.efi
  warning: data remaining[1114272 vs 1269496]: gaps between PE/COFF sections?
  signature 1
  image signature issuers:
   - /C=US/L=SomeCity/O=SomeOrg
  image signature certificates:
   - subject: /C=US/L=SomeCity/O=SomeOrg/CN=shim
     issuer:  /C=US/L=SomeCity/O=SomeOrg
Shouldn't shim builds submit shix64.efi and mmx64.efi for Canonical online key signing?
Maybe as separate shim-canonical & shim-canonical-signed packages,
which chain off src:shim? (since we can't easily rebuild shim)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197/+subscriptions
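
Added example, not part of the bug report or of shim-signed: a small auditor for `sbverify --list` output that reports the kind of issuer attributes shown above. The function names, the trusted_issuers parameter and the PLACEHOLDERS set (taken from the DN values in the report) are assumptions, and the sample's indentation is constructed.

```python
import re

# sbverify --list output quoted in the report; indentation is constructed.
SAMPLE = """\
warning: data remaining[1114272 vs 1269496]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/L=SomeCity/O=SomeOrg
image signature certificates:
 - subject: /C=US/L=SomeCity/O=SomeOrg/CN=shim
   issuer:  /C=US/L=SomeCity/O=SomeOrg
"""
PLACEHOLDERS = {"SomeCity", "SomeOrg"}  # assumption: DN values seen in the report

def parse_sbverify_list(text):
    """Return one dict per signature: index, issuer DNs, certificate chain."""
    sigs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"signature (\d+)", line)
        if m:
            sigs.append({"index": int(m.group(1)), "issuers": [], "certs": []})
            section = None
        elif not sigs:
            continue  # warnings printed before the first signature
        elif line == "image signature issuers:":
            section = "issuers"
        elif line == "image signature certificates:":
            section = "certs"
        elif section == "issuers" and line.startswith("- "):
            sigs[-1]["issuers"].append(line[2:].strip())
        elif section == "certs" and line.startswith("- subject:"):
            sigs[-1]["certs"].append({"subject": line.split(":", 1)[1].strip()})
        elif section == "certs" and line.startswith("issuer:") and sigs[-1]["certs"]:
            sigs[-1]["certs"][-1]["issuer"] = line.split(":", 1)[1].strip()
    return sigs

def audit(sigs, trusted_issuers=()):
    """Flag issuers outside trusted_issuers and issuer DNs with weak attributes."""
    findings = []
    for s in sigs:
        for dn in s["issuers"]:
            attrs = dict(p.split("=", 1) for p in dn.split("/") if "=" in p)
            if dn not in trusted_issuers:
                findings.append((s["index"], "issuer not in trusted set", dn))
            if "CN" not in attrs:
                findings.append((s["index"], "issuer DN has no CN", dn))
            if PLACEHOLDERS & set(attrs.values()):
                findings.append((s["index"], "placeholder DN value", dn))
    return findings
```

Pass the issuer DNs you expect for your signing chain as trusted_issuers; with the default empty tuple every issuer is reported.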