[Bug 1880197] Re: ephemeral key used to sign mokmanager should have better certificate attributes
Brian Murray
1880197 at bugs.launchpad.net
Thu May 28 15:19:41 UTC 2020
** Tags removed: rls-gg-incoming
** Tags added: rls-gg-notfixing
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1880197
Title:
ephemeral key used to sign mokmanager should have better certificate
attributes
Status in shim-signed package in Ubuntu:
Triaged
Bug description:
I try to boot mokmanager. It fails to boot, as it's not signed with
canonical online key, chained to canonical CA, which shim tries to
validate and fails. I see scary blue screen of death with validation
errors.
# sbverify --list /boot/efi/EFI/ubuntu/mmx64.efi
warning: data remaining[1114272 vs 1269496]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=US/L=SomeCity/O=SomeOrg
image signature certificates:
- subject: /C=US/L=SomeCity/O=SomeOrg/CN=shim
issuer: /C=US/L=SomeCity/O=SomeOrg
shouldn't shim builds, submit shix64.efi mmx64.efi for Canonical online key signing?
Maybe as separate shim-canonical & shim-canonical-signed packages,
which chain off src:shim? (since we can't easily rebuild shim)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197/+subscriptions
More information about the foundations-bugs
mailing list