ACK/Cmnt: [PATCH 0/3] [B][F][J][K][L][SRU][PATCH] UBUNTU: [Packaging] Expose built-in trusted and revoked certificates

Dimitri John Ledkov dimitri.ledkov at canonical.com
Mon Nov 21 14:58:34 UTC 2022


On Fri, 18 Nov 2022 at 18:12, Tim Gardner <tim.gardner at canonical.com> wrote:
>
> On 11/17/22 9:38 AM, Dimitri John Ledkov wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1996892
> >
> > Kernels have a set of builtin trusted and revoked certificates as a
> > bundle.
> >
> > It is not very easy to access them, one needs to either download linux
> > kernel package source code; or boot the kernel to look up builtin
> > hashes; and then find certificates externally.
> >
> > It would be more convenient for inspection to expose these in the
> > buildinfo package, which already exposes auxiliary kernel information.
> >
> > Dimitri John Ledkov (1):
> >    [J][K][L][SRU][PATCH] UBUNTU: [Packaging] Expose built-in trusted and
> >      revoked certificates
> >    [F][SRU][PATCH] UBUNTU: [Packaging] Expose built-in trusted and
> >      revoked certificates
> >    [B][SRU][PATCH] UBUNTU: [Packaging] Expose built-in trusted and
> >      revoked certificates
> >
> >   debian/rules.d/2-binary-arch.mk | 2 ++
> >   1 file changed, 2 insertions(+)
> >
> Acked-by: Tim Gardner <tim.gardner at canonical.com>
>
> Seems fine as long as those keys aren't secret.

These are not keys, but public well-known X.509 certificates embedded
in the pkcs7 signature on every signed vmlinuz.
The private keys for all of those are obviously inaccessible to any of
us, and are sealed in the signing service.

-- 
okurrr,

Dimitri


