[K][L][SRU][PATCH] UBUNTU: [Packaging] Revoke and rotate to new signing key

Andrea Righi andrea.righi at canonical.com
Mon Jan 16 09:23:57 UTC 2023


On Fri, Jan 13, 2023 at 02:09:01PM +0000, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/2002812
> 
> Update revocations, which match the next Ubuntu shim v15.7
> revocations. Specifically - revoke certs that were previously
> protected with by-hash revocations, revoke lost/unused certificates.
> 
> Kernels with this patch applied should be signed using ubuntu/4 pro/3
> core/2 signing streams.

I don't understand this part very well. If we apply this, do we also
need to change something in our usual signing workflow, or is everything
already in place to support this change?

Thanks,
-Andrea

> 
> TPM PCR values and measurements will change when changing the signing
> key.
> 
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
> ---
>  .../revoked-certs/canonical-uefi-2012-all.pem | 36 ++++----
>  .../revoked-certs/canonical-uefi-2017-all.pem | 86 +++++++++++++++++++
>  .../revoked-certs/canonical-uefi-2018-all.pem | 86 +++++++++++++++++++
>  .../revoked-certs/canonical-uefi-2019-all.pem | 86 +++++++++++++++++++
>  .../canonical-uefi-2021v1-all.pem             | 86 +++++++++++++++++++
>  .../canonical-uefi-2021v2-all.pem             | 86 +++++++++++++++++++
>  .../canonical-uefi-2021v3-all.pem             | 86 +++++++++++++++++++
>  .../canonical-uefi-uc2019-all.pem             | 86 +++++++++++++++++++
>  debian/rules                                  |  5 ++
>  9 files changed, 625 insertions(+), 18 deletions(-)
>  create mode 100644 debian/revoked-certs/canonical-uefi-2017-all.pem
>  create mode 100644 debian/revoked-certs/canonical-uefi-2018-all.pem
>  create mode 100644 debian/revoked-certs/canonical-uefi-2019-all.pem
>  create mode 100644 debian/revoked-certs/canonical-uefi-2021v1-all.pem
>  create mode 100644 debian/revoked-certs/canonical-uefi-2021v2-all.pem
>  create mode 100644 debian/revoked-certs/canonical-uefi-2021v3-all.pem
>  create mode 100644 debian/revoked-certs/canonical-uefi-uc2019-all.pem
> 
> diff --git a/debian/revoked-certs/canonical-uefi-2012-all.pem b/debian/revoked-certs/canonical-uefi-2012-all.pem
> index 06c116eec5..4bdd9a3c26 100644
> --- a/debian/revoked-certs/canonical-uefi-2012-all.pem
> +++ b/debian/revoked-certs/canonical-uefi-2012-all.pem
> @@ -10,7 +10,7 @@ Certificate:
>          Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing
>          Subject Public Key Info:
>              Public Key Algorithm: rsaEncryption
> -                RSA Public-Key: (2048 bit)
> +                Public-Key: (2048 bit)
>                  Modulus:
>                      00:c9:5f:9b:62:8f:0b:b0:64:82:ac:be:c9:e2:62:
>                      e3:4b:d2:9f:1e:8a:d5:61:1a:2b:5d:38:f4:b7:ce:
> @@ -41,24 +41,24 @@ Certificate:
>              X509v3 Subject Key Identifier: 
>                  61:48:2A:A2:83:0D:0A:B2:AD:5A:F1:0B:72:50:DA:90:33:DD:CE:F0
>              X509v3 Authority Key Identifier: 
> -                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> -
> +                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
>      Signature Algorithm: sha256WithRSAEncryption
> -         8f:8a:a1:06:1f:29:b7:0a:4a:d5:c5:fd:81:ab:25:ea:c0:7d:
> -         e2:fc:6a:96:a0:79:93:67:ee:05:0e:25:12:25:e4:5a:f6:aa:
> -         1a:f1:12:f3:05:8d:87:5e:f1:5a:5c:cb:8d:23:73:65:1d:15:
> -         b9:de:22:6b:d6:49:67:c9:a3:c6:d7:62:4e:5c:b5:f9:03:83:
> -         40:81:dc:87:9c:3c:3f:1c:0d:51:9f:94:65:0a:84:48:67:e4:
> -         a2:f8:a6:4a:f0:e7:cd:cd:bd:94:e3:09:d2:5d:2d:16:1b:05:
> -         15:0b:cb:44:b4:3e:61:42:22:c4:2a:5c:4e:c5:1d:a3:e2:e0:
> -         52:b2:eb:f4:8b:2b:dc:38:39:5d:fb:88:a1:56:65:5f:2b:4f:
> -         26:ff:06:78:10:12:eb:8c:5d:32:e3:c6:45:af:25:9b:a0:ff:
> -         8e:ef:47:09:a3:e9:8b:37:92:92:69:76:7e:34:3b:92:05:67:
> -         4e:b0:25:ed:bc:5e:5f:8f:b4:d6:ca:40:ff:e4:e2:31:23:0c:
> -         85:25:ae:0c:55:01:ec:e5:47:5e:df:5b:bc:14:33:e3:c6:f5:
> -         18:b6:d9:f7:dd:b3:b4:a1:31:d3:5a:5c:5d:7d:3e:bf:0a:e4:
> -         e4:e8:b4:59:7d:3b:b4:8c:a3:1b:b5:20:a3:b9:3e:84:6f:8c:
> -         21:00:c3:39
> +    Signature Value:
> +        8f:8a:a1:06:1f:29:b7:0a:4a:d5:c5:fd:81:ab:25:ea:c0:7d:
> +        e2:fc:6a:96:a0:79:93:67:ee:05:0e:25:12:25:e4:5a:f6:aa:
> +        1a:f1:12:f3:05:8d:87:5e:f1:5a:5c:cb:8d:23:73:65:1d:15:
> +        b9:de:22:6b:d6:49:67:c9:a3:c6:d7:62:4e:5c:b5:f9:03:83:
> +        40:81:dc:87:9c:3c:3f:1c:0d:51:9f:94:65:0a:84:48:67:e4:
> +        a2:f8:a6:4a:f0:e7:cd:cd:bd:94:e3:09:d2:5d:2d:16:1b:05:
> +        15:0b:cb:44:b4:3e:61:42:22:c4:2a:5c:4e:c5:1d:a3:e2:e0:
> +        52:b2:eb:f4:8b:2b:dc:38:39:5d:fb:88:a1:56:65:5f:2b:4f:
> +        26:ff:06:78:10:12:eb:8c:5d:32:e3:c6:45:af:25:9b:a0:ff:
> +        8e:ef:47:09:a3:e9:8b:37:92:92:69:76:7e:34:3b:92:05:67:
> +        4e:b0:25:ed:bc:5e:5f:8f:b4:d6:ca:40:ff:e4:e2:31:23:0c:
> +        85:25:ae:0c:55:01:ec:e5:47:5e:df:5b:bc:14:33:e3:c6:f5:
> +        18:b6:d9:f7:dd:b3:b4:a1:31:d3:5a:5c:5d:7d:3e:bf:0a:e4:
> +        e4:e8:b4:59:7d:3b:b4:8c:a3:1b:b5:20:a3:b9:3e:84:6f:8c:
> +        21:00:c3:39
>  -----BEGIN CERTIFICATE-----
>  MIIEIDCCAwigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
>  FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
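
Review bot: Both hunks for canonical-uefi-2012-all.pem change only the OpenSSL text dump above the PEM block: "RSA Public-Key" becomes "Public-Key", the "keyid:" prefix is dropped, a "Signature Value:" label is added, and the signature bytes are re-indented but identical. The -----BEGIN CERTIFICATE----- lines are unchanged context, and the commit message only says "Update revocations". Please note in the commit message that this file is a re-dump (it looks like output from a different openssl version) and that the revoked certificate itself is unchanged, or split the re-dump into its own commit so the SRU diff is limited to the new revocations.
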
> diff --git a/debian/revoked-certs/canonical-uefi-2017-all.pem b/debian/revoked-certs/canonical-uefi-2017-all.pem
> new file mode 100644
> index 0000000000..6f722331d1
> --- /dev/null
> +++ b/debian/revoked-certs/canonical-uefi-2017-all.pem
> @@ -0,0 +1,86 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 2 (0x2)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
> +        Validity
> +            Not Before: Sep 26 21:52:11 2017 GMT
> +            Not After : Sep 25 21:52:11 2047 GMT
> +        Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing (2017)
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +                Public-Key: (2048 bit)
> +                Modulus:
> +                    00:ef:9f:fa:9f:19:3a:9d:38:23:91:cc:c4:f9:42:
> +                    e0:f8:54:12:82:dc:97:2c:d6:5b:c1:35:eb:ff:4a:
> +                    74:06:b5:9d:32:aa:7b:f3:fc:31:5a:34:3e:a1:a4:
> +                    44:db:7b:6d:16:af:35:76:e0:9b:99:ad:21:11:c6:
> +                    12:4b:ae:24:8f:bb:d3:b2:00:fe:c5:1d:9b:3a:1a:
> +                    4a:6c:ca:fa:16:37:85:22:f9:ff:22:fc:40:e0:58:
> +                    35:c1:39:27:b4:c6:42:1a:96:d8:a5:c5:95:2e:f7:
> +                    c5:1e:21:6e:36:84:f7:a9:a1:e1:f1:03:08:96:65:
> +                    71:f8:eb:83:cf:82:f7:9a:44:58:72:00:14:39:29:
> +                    4b:e9:78:2f:65:20:b3:80:76:3b:ba:0d:2d:46:f6:
> +                    37:05:e7:05:fe:bd:6c:c7:a2:65:b5:06:6e:07:24:
> +                    99:a1:c1:cf:e1:0e:5e:49:41:71:17:a8:50:e7:38:
> +                    99:e5:6e:b6:db:9f:63:db:56:f4:9c:7d:89:f6:d2:
> +                    03:6c:99:83:e0:99:23:39:36:bd:cb:b5:26:7c:7d:
> +                    b0:c6:fe:82:7c:52:ed:f9:2c:8f:79:71:3d:a9:2f:
> +                    b5:aa:7e:77:a0:fd:69:f9:97:10:a8:b2:c6:7d:88:
> +                    9e:a2:19:bd:31:b8:02:2d:34:4d:9d:98:60:82:ad:
> +                    04:ff
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:FALSE
> +            X509v3 Extended Key Usage: 
> +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> +            Netscape Comment: 
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier: 
> +                24:2A:DE:75:AC:4A:15:E5:0D:50:C8:4B:0D:45:FF:3E:AE:70:7A:03
> +            X509v3 Authority Key Identifier: 
> +                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> +    Signature Algorithm: sha256WithRSAEncryption
> +    Signature Value:
> +        00:b2:b7:57:b5:2b:5d:16:d3:04:88:6a:d7:77:d5:0d:89:f1:
> +        d2:6e:11:d1:8e:f5:62:05:c4:6a:57:df:eb:d2:86:68:f2:fd:
> +        a7:37:11:3c:f4:ce:5d:fe:32:5f:31:a2:6b:3a:da:28:c2:88:
> +        fa:7f:70:b5:25:99:ea:27:9a:56:6a:9d:b2:0f:14:99:e2:b7:
> +        c6:39:1e:8e:a7:76:31:d9:ed:c5:05:8d:48:ae:1b:68:18:14:
> +        51:a1:7d:f6:c7:df:cb:9d:eb:a4:3b:0b:ff:c2:07:c5:42:bc:
> +        0d:b2:11:fa:37:17:2b:1c:b5:84:48:2d:f9:31:4a:57:49:8e:
> +        61:a6:82:11:06:4c:34:ea:9c:2a:47:4d:eb:e0:26:af:da:d2:
> +        c2:08:a0:37:35:7b:73:71:de:0b:c4:ba:c8:34:de:20:04:03:
> +        6f:46:26:0d:b9:91:02:5b:71:76:cc:45:e4:08:d0:a6:dd:a4:
> +        50:d3:d9:04:91:2b:d9:5c:34:88:fc:c2:37:fd:c6:d4:3e:57:
> +        f7:6b:ba:7b:d7:02:7a:84:0c:c8:c1:19:cc:bc:fa:52:d5:7f:
> +        b3:35:c4:53:5d:70:0a:f6:44:60:8d:a9:11:7a:1b:7d:ae:7b:
> +        20:5a:4c:8d:44:f6:c1:a9:61:cb:dc:cb:90:37:d5:28:24:73:
> +        87:d0:e0:d8
> +-----BEGIN CERTIFICATE-----
> +MIIEKDCCAxCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
> +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
> +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
> +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzA5MjYyMTUyMTFaFw00NzA5MjUy
> +MTUyMTFaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV
> +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG
> +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxNykw
> +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvn/qfGTqdOCORzMT5QuD4
> +VBKC3Jcs1lvBNev/SnQGtZ0yqnvz/DFaND6hpETbe20WrzV24JuZrSERxhJLriSP
> +u9OyAP7FHZs6GkpsyvoWN4Ui+f8i/EDgWDXBOSe0xkIaltilxZUu98UeIW42hPep
> +oeHxAwiWZXH464PPgveaRFhyABQ5KUvpeC9lILOAdju6DS1G9jcF5wX+vWzHomW1
> +Bm4HJJmhwc/hDl5JQXEXqFDnOJnlbrbbn2PbVvScfYn20gNsmYPgmSM5Nr3LtSZ8
> +fbDG/oJ8Uu35LI95cT2pL7Wqfneg/Wn5lxCossZ9iJ6iGb0xuAItNE2dmGCCrQT/
> +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK
> +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
> +dGlmaWNhdGUwHQYDVR0OBBYEFCQq3nWsShXlDVDISw1F/z6ucHoDMB8GA1UdIwQY
> +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQAAsrdX
> +tStdFtMEiGrXd9UNifHSbhHRjvViBcRqV9/r0oZo8v2nNxE89M5d/jJfMaJrOtoo
> +woj6f3C1JZnqJ5pWap2yDxSZ4rfGOR6Op3Yx2e3FBY1IrhtoGBRRoX32x9/Lneuk
> +Owv/wgfFQrwNshH6NxcrHLWESC35MUpXSY5hpoIRBkw06pwqR03r4Cav2tLCCKA3
> +NXtzcd4LxLrINN4gBANvRiYNuZECW3F2zEXkCNCm3aRQ09kEkSvZXDSI/MI3/cbU
> +Plf3a7p71wJ6hAzIwRnMvPpS1X+zNcRTXXAK9kRgjakReht9rnsgWkyNRPbBqWHL
> +3MuQN9UoJHOH0ODY
> +-----END CERTIFICATE-----
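
Review bot: The commit message gives two reasons for revocation ("previously protected with by-hash revocations" and "lost/unused certificates") but does not say which one applies to this certificate, CN "Canonical Ltd. Secure Boot Signing (2017)", or to the other newly added files. A per-file line in the commit message stating the reason would let reviewers check each entry against the shim v15.7 revocations the list is meant to match.
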
> diff --git a/debian/revoked-certs/canonical-uefi-2018-all.pem b/debian/revoked-certs/canonical-uefi-2018-all.pem
> new file mode 100644
> index 0000000000..4a591b2107
> --- /dev/null
> +++ b/debian/revoked-certs/canonical-uefi-2018-all.pem
> @@ -0,0 +1,86 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 3 (0x3)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
> +        Validity
> +            Not Before: Oct 26 18:31:14 2018 GMT
> +            Not After : Oct 24 18:31:14 2048 GMT
> +        Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +                Public-Key: (2048 bit)
> +                Modulus:
> +                    00:bf:6a:e5:6d:55:7a:ec:7a:11:37:45:9c:4c:8f:
> +                    6b:2d:56:d3:74:2b:32:ac:84:2d:ba:cb:cc:ec:8d:
> +                    92:22:69:48:a5:d4:f6:75:11:66:2f:cb:b2:fd:9e:
> +                    56:ab:e6:f1:52:8e:75:3e:50:bd:25:b3:50:fc:ef:
> +                    3d:76:f3:3f:7f:03:f6:e2:a1:25:69:5c:14:98:54:
> +                    bd:11:bf:e9:a5:ac:46:91:4b:1d:de:b7:18:2b:c8:
> +                    22:83:15:a7:4a:00:8d:9d:e4:c0:da:f7:41:02:fd:
> +                    9f:5f:79:93:56:cc:86:e1:b5:e0:39:0e:3c:a2:5b:
> +                    fe:c0:56:f0:92:50:5a:2b:67:67:93:56:d7:7a:75:
> +                    99:6a:25:b4:63:a8:5f:69:7e:3a:49:58:2a:a7:80:
> +                    f6:5a:b4:be:b2:be:a8:8c:45:41:c9:f2:fc:76:a8:
> +                    65:ef:99:29:0d:c9:9c:54:6b:0a:f0:4a:0e:61:0d:
> +                    ed:99:32:af:12:e2:12:7b:9f:7b:ec:05:c4:e0:b6:
> +                    d5:c3:71:28:ae:dd:0b:ba:97:ad:68:0b:76:e9:bf:
> +                    e7:01:7e:64:54:39:23:85:36:c8:9d:dd:27:a1:ff:
> +                    df:46:36:14:7e:cb:cc:a1:cd:49:0b:6d:c2:0c:45:
> +                    99:56:58:7c:87:0d:59:9a:dc:4a:39:3b:1d:d9:15:
> +                    2e:b5
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:FALSE
> +            X509v3 Extended Key Usage: 
> +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> +            Netscape Comment: 
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier: 
> +                36:51:88:C1:D3:74:D6:B0:7C:3C:8F:24:0F:8E:F7:22:43:3D:6A:8B
> +            X509v3 Authority Key Identifier: 
> +                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> +    Signature Algorithm: sha256WithRSAEncryption
> +    Signature Value:
> +        4c:0f:cd:77:60:b4:6f:53:87:f3:3c:4f:e6:81:5f:a7:1c:cc:
> +        60:29:b6:34:6c:4d:08:9b:e2:d2:bd:f6:17:1a:62:79:b8:17:
> +        bc:a2:60:59:fd:03:51:c3:b7:6b:de:73:b3:48:95:f5:0b:aa:
> +        b6:3c:b4:34:dc:1d:0b:c4:97:62:87:e7:48:d5:8f:c9:ea:e8:
> +        91:8f:2a:40:cd:b7:b3:ee:b2:98:9e:fb:37:31:29:e6:8e:2f:
> +        0a:39:99:1e:c6:aa:b8:05:62:85:d3:a8:3e:60:38:98:0f:f0:
> +        fe:c7:ab:01:a5:6a:a5:7f:70:a6:26:94:76:23:2f:08:89:74:
> +        97:c2:2a:ca:22:3e:7a:ea:22:22:08:07:f4:bb:f6:bc:69:9c:
> +        4e:44:33:e2:8e:70:17:b0:9b:cb:33:94:66:6d:ff:9a:7d:e9:
> +        50:b2:e8:90:14:e4:2b:91:cb:a0:c5:2e:0e:cf:19:ef:44:ef:
> +        84:f0:bd:57:9e:26:c2:63:3d:df:fc:a1:84:de:5c:d7:5f:3b:
> +        fb:94:61:f0:93:89:1f:cf:c3:b2:d1:90:97:35:7d:b9:8a:ad:
> +        e6:05:f0:e8:3b:a1:7c:af:2b:c4:af:18:33:2e:5e:87:db:9d:
> +        80:b5:04:fd:00:d0:60:ab:ff:85:77:0f:cb:47:22:c9:b2:85:
> +        a8:48:16:e2
> +-----BEGIN CERTIFICATE-----
> +MIIELDCCAxSgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
> +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
> +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
> +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODEwMjYxODMxMTRaFw00ODEwMjQx
> +ODMxMTRaMIGKMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV
> +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDE2MDQG
> +A1UEAwwtQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoRVNNIDIw
> +MTgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2rlbVV67HoRN0Wc
> +TI9rLVbTdCsyrIQtusvM7I2SImlIpdT2dRFmL8uy/Z5Wq+bxUo51PlC9JbNQ/O89
> +dvM/fwP24qElaVwUmFS9Eb/ppaxGkUsd3rcYK8gigxWnSgCNneTA2vdBAv2fX3mT
> +VsyG4bXgOQ48olv+wFbwklBaK2dnk1bXenWZaiW0Y6hfaX46SVgqp4D2WrS+sr6o
> +jEVByfL8dqhl75kpDcmcVGsK8EoOYQ3tmTKvEuISe5977AXE4LbVw3Eort0Lupet
> +aAt26b/nAX5kVDkjhTbInd0nof/fRjYUfsvMoc1JC23CDEWZVlh8hw1ZmtxKOTsd
> +2RUutQIDAQABo4GgMIGdMAwGA1UdEwEB/wQCMAAwHwYDVR0lBBgwFgYIKwYBBQUH
> +AwMGCisGAQQBgjcKAwYwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk
> +IENlcnRpZmljYXRlMB0GA1UdDgQWBBQ2UYjB03TWsHw8jyQPjvciQz1qizAfBgNV
> +HSMEGDAWgBStkZkLwiqx9RcEjCO2ZVomjjRaYzANBgkqhkiG9w0BAQsFAAOCAQEA
> +TA/Nd2C0b1OH8zxP5oFfpxzMYCm2NGxNCJvi0r32FxpiebgXvKJgWf0DUcO3a95z
> +s0iV9Quqtjy0NNwdC8SXYofnSNWPyerokY8qQM23s+6ymJ77NzEp5o4vCjmZHsaq
> +uAVihdOoPmA4mA/w/serAaVqpX9wpiaUdiMvCIl0l8IqyiI+euoiIggH9Lv2vGmc
> +TkQz4o5wF7CbyzOUZm3/mn3pULLokBTkK5HLoMUuDs8Z70TvhPC9V54mwmM93/yh
> +hN5c1187+5Rh8JOJH8/DstGQlzV9uYqt5gXw6DuhfK8rxK8YMy5eh9udgLUE/QDQ
> +YKv/hXcPy0ciybKFqEgW4g==
> +-----END CERTIFICATE-----
> diff --git a/debian/revoked-certs/canonical-uefi-2019-all.pem b/debian/revoked-certs/canonical-uefi-2019-all.pem
> new file mode 100644
> index 0000000000..c4a89e10eb
> --- /dev/null
> +++ b/debian/revoked-certs/canonical-uefi-2019-all.pem
> @@ -0,0 +1,86 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 4 (0x4)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
> +        Validity
> +            Not Before: Sep 18 16:10:17 2019 GMT
> +            Not After : Sep 16 16:10:17 2049 GMT
> +        Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing (2019)
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +                Public-Key: (2048 bit)
> +                Modulus:
> +                    00:e6:47:d8:75:e5:87:59:26:87:83:7d:5b:7a:b8:
> +                    58:3d:7c:ef:36:f8:a0:7a:b7:14:56:58:7d:01:f1:
> +                    1c:3b:8c:e6:5b:03:77:7d:a0:ed:47:0a:45:e6:75:
> +                    5c:de:95:38:0d:38:fa:41:79:89:56:31:87:e7:a3:
> +                    9a:36:70:b6:cf:24:2f:99:26:89:08:39:0e:14:c3:
> +                    35:be:02:8b:52:e1:8e:7b:0c:a6:9d:78:ff:01:60:
> +                    d7:f5:c3:d5:f0:5e:dc:e4:23:09:59:72:93:d3:b5:
> +                    22:af:7c:cd:e0:84:0f:af:11:2d:bc:c6:72:42:af:
> +                    ea:67:63:c4:10:41:78:02:80:62:0d:43:74:b4:1c:
> +                    ed:50:d7:94:f1:b0:bb:f9:57:80:e4:69:0f:83:4b:
> +                    a2:e6:2c:4a:9a:e1:7d:7c:62:19:29:27:97:1f:4c:
> +                    f1:85:f0:39:f5:31:9f:3a:39:0e:d4:4d:07:3a:40:
> +                    55:4b:a6:6c:9d:04:89:51:2d:7c:b0:ef:40:b5:42:
> +                    29:16:cc:65:73:38:62:21:f6:e3:2c:17:50:9d:74:
> +                    34:4e:df:7c:4a:33:a4:bb:40:cf:d5:e5:ed:05:07:
> +                    cd:4c:f9:af:7f:a6:5c:b9:f7:c5:16:45:4e:44:40:
> +                    d7:85:32:de:ac:e5:75:ad:9b:d7:c0:26:33:1f:77:
> +                    a5:37
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:FALSE
> +            X509v3 Extended Key Usage: 
> +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> +            Netscape Comment: 
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier: 
> +                C0:74:6F:D6:C5:DA:3A:E8:27:86:46:51:AD:66:AE:47:FE:24:B3:E8
> +            X509v3 Authority Key Identifier: 
> +                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> +    Signature Algorithm: sha256WithRSAEncryption
> +    Signature Value:
> +        aa:12:6c:d1:9d:6a:da:f0:ec:7c:17:46:3b:57:b8:d6:76:5f:
> +        24:e6:06:a2:0a:55:1f:2f:d3:5e:8f:de:cf:02:f2:ff:e0:dd:
> +        d3:c7:bd:75:59:aa:cd:34:f3:28:80:73:cc:28:69:e7:a2:70:
> +        88:a2:c7:dc:66:f0:92:0e:ff:64:bf:30:04:54:01:1b:96:ad:
> +        15:c5:61:fd:32:61:d7:5e:b5:ba:91:fd:31:fc:6b:15:df:ee:
> +        22:d9:e4:1f:f3:cc:8b:0c:9f:f5:e8:f7:e2:62:3f:40:52:c9:
> +        f0:f1:1c:63:fc:6c:90:e1:5b:74:03:b9:df:d1:3e:a8:ec:db:
> +        2b:6e:83:6f:9f:7f:ba:b4:79:fc:3d:e7:12:2f:4a:e7:17:8c:
> +        2b:77:a5:90:74:3c:bd:cf:75:83:0d:1a:95:d5:56:ef:07:9b:
> +        a6:b3:31:e3:8c:97:ce:68:11:b5:7b:25:03:72:1c:ea:67:e9:
> +        7c:3e:73:c7:7c:3e:fc:f5:ae:8a:b2:07:0d:15:6a:66:09:d7:
> +        23:b9:5d:80:7a:26:d6:b6:22:30:aa:84:af:c0:42:e9:75:c3:
> +        59:ab:a3:84:87:6b:0c:b7:ab:4e:92:69:ae:2c:82:6f:ab:01:
> +        24:ab:ff:78:6d:59:85:c2:3b:23:c0:bd:0d:d8:6e:3a:29:82:
> +        e1:c4:5f:db
> +-----BEGIN CERTIFICATE-----
> +MIIEKDCCAxCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
> +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
> +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
> +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTgxNjEwMTdaFw00OTA5MTYx
> +NjEwMTdaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV
> +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG
> +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxOSkw
> +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmR9h15YdZJoeDfVt6uFg9
> +fO82+KB6txRWWH0B8Rw7jOZbA3d9oO1HCkXmdVzelTgNOPpBeYlWMYfno5o2cLbP
> +JC+ZJokIOQ4UwzW+AotS4Y57DKadeP8BYNf1w9XwXtzkIwlZcpPTtSKvfM3ghA+v
> +ES28xnJCr+pnY8QQQXgCgGINQ3S0HO1Q15TxsLv5V4DkaQ+DS6LmLEqa4X18Yhkp
> +J5cfTPGF8Dn1MZ86OQ7UTQc6QFVLpmydBIlRLXyw70C1QikWzGVzOGIh9uMsF1Cd
> +dDRO33xKM6S7QM/V5e0FB81M+a9/ply598UWRU5EQNeFMt6s5XWtm9fAJjMfd6U3
> +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK
> +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
> +dGlmaWNhdGUwHQYDVR0OBBYEFMB0b9bF2jroJ4ZGUa1mrkf+JLPoMB8GA1UdIwQY
> +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQCqEmzR
> +nWra8Ox8F0Y7V7jWdl8k5gaiClUfL9Nej97PAvL/4N3Tx711WarNNPMogHPMKGnn
> +onCIosfcZvCSDv9kvzAEVAEblq0VxWH9MmHXXrW6kf0x/GsV3+4i2eQf88yLDJ/1
> +6PfiYj9AUsnw8Rxj/GyQ4Vt0A7nf0T6o7NsrboNvn3+6tHn8PecSL0rnF4wrd6WQ
> +dDy9z3WDDRqV1VbvB5umszHjjJfOaBG1eyUDchzqZ+l8PnPHfD789a6KsgcNFWpm
> +CdcjuV2AeibWtiIwqoSvwELpdcNZq6OEh2sMt6tOkmmuLIJvqwEkq/94bVmFwjsj
> +wL0N2G46KYLhxF/b
> +-----END CERTIFICATE-----
> diff --git a/debian/revoked-certs/canonical-uefi-2021v1-all.pem b/debian/revoked-certs/canonical-uefi-2021v1-all.pem
> new file mode 100644
> index 0000000000..a573a2cb7e
> --- /dev/null
> +++ b/debian/revoked-certs/canonical-uefi-2021v1-all.pem
> @@ -0,0 +1,86 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 6 (0x6)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
> +        Validity
> +            Not Before: Sep 23 19:29:32 2021 GMT
> +            Not After : Sep 22 19:29:32 2051 GMT
> +        Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing (2021 v1)
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +                Public-Key: (2048 bit)
> +                Modulus:
> +                    00:aa:b8:34:5b:b6:ae:44:bf:41:e1:78:11:b9:7a:
> +                    c8:88:b3:b0:26:50:10:9c:98:d1:f3:98:9f:23:50:
> +                    64:f6:39:dd:50:3a:23:44:53:65:fc:f3:9f:f5:a5:
> +                    8b:ae:8b:df:47:9f:e9:d5:a0:92:19:f1:21:ea:cc:
> +                    59:3a:74:df:45:71:bc:de:64:15:a5:f6:db:ca:71:
> +                    fa:19:d4:44:0d:12:ec:47:3a:43:e2:f2:dd:8b:fe:
> +                    0d:7b:dc:4d:db:53:06:22:61:e5:8b:35:49:b6:33:
> +                    c4:0a:69:5f:5b:81:09:84:6b:42:33:18:09:9d:a0:
> +                    35:f7:9c:1e:de:6e:de:90:69:1a:e8:32:e4:49:ad:
> +                    c3:31:e9:f8:4a:a2:28:1d:db:0d:29:b6:48:0a:44:
> +                    93:86:41:62:8f:73:97:60:10:8a:74:46:66:55:fe:
> +                    a0:95:35:9e:ef:9f:af:11:fa:5b:a3:7c:c2:35:64:
> +                    11:67:28:1e:14:0a:7d:68:61:9c:cd:c7:46:39:30:
> +                    31:79:94:56:b3:45:16:9a:b5:77:66:fe:41:43:0f:
> +                    00:48:6e:99:dd:0c:d4:47:2c:86:8c:50:04:61:20:
> +                    dd:aa:8e:73:4f:21:b4:ee:09:4d:d3:40:01:d0:f2:
> +                    a7:5b:7d:05:3d:c1:e7:65:26:aa:8c:9a:58:5a:7c:
> +                    6d:6f
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:FALSE
> +            X509v3 Extended Key Usage: 
> +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> +            Netscape Comment: 
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier: 
> +                A8:D5:4B:BB:38:25:CF:B9:4F:A1:3C:9F:8A:59:4A:19:5C:10:7B:8D
> +            X509v3 Authority Key Identifier: 
> +                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> +    Signature Algorithm: sha256WithRSAEncryption
> +    Signature Value:
> +        24:25:25:7e:01:a5:c8:3d:54:8c:1b:05:73:d1:06:d8:db:d4:
> +        3a:71:d5:19:9d:97:1c:85:3c:ca:38:5a:0c:25:25:39:1a:67:
> +        bc:6c:9d:98:6c:f3:7d:5f:b7:40:f9:73:a0:f5:7b:40:a8:66:
> +        a5:f1:53:b1:78:80:24:3f:19:50:2f:02:09:ec:a1:8a:e6:0d:
> +        df:c4:ae:24:9e:69:0d:5c:dc:44:4c:38:3a:53:4e:4b:a1:4b:
> +        92:9f:43:a4:9d:1e:76:33:18:1b:bf:62:e5:f5:bc:93:3c:4e:
> +        21:d5:5b:20:69:11:28:c1:c5:93:b5:8e:96:1d:1b:ca:72:79:
> +        24:de:67:2a:50:9d:ce:8b:41:dd:3e:82:dd:a5:04:75:54:fb:
> +        35:70:98:87:b4:f3:ea:41:23:23:80:0e:99:d7:03:16:ee:7e:
> +        11:e2:c8:29:ab:73:c5:6d:5c:a8:2f:32:03:9f:8e:66:d6:cb:
> +        54:84:55:75:ab:9a:dd:95:fd:05:1e:11:85:37:1e:63:d2:f4:
> +        7f:34:64:32:a1:63:91:91:50:39:14:1a:ea:54:78:e6:0d:04:
> +        23:c7:83:51:c5:25:27:07:6c:f8:65:b7:da:95:89:76:83:cc:
> +        f3:7e:06:74:d3:6c:ef:e9:17:de:29:1e:ab:5c:d7:ec:df:f1:
> +        98:b8:e9:66
> +-----BEGIN CERTIFICATE-----
> +MIIELTCCAxWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
> +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
> +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
> +IENlcnRpZmljYXRlIEF1dGhvcml0eTAgFw0yMTA5MjMxOTI5MzJaGA8yMDUxMDky
> +MjE5MjkzMlowgYkxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEX
> +MBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4xFDASBgNVBAsMC1NlY3VyZSBCb290MTUw
> +MwYDVQQDDCxDYW5vbmljYWwgTHRkLiBTZWN1cmUgQm9vdCBTaWduaW5nICgyMDIx
> +IHYxKTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKq4NFu2rkS/QeF4
> +Ebl6yIizsCZQEJyY0fOYnyNQZPY53VA6I0RTZfzzn/Wli66L30ef6dWgkhnxIerM
> +WTp030VxvN5kFaX228px+hnURA0S7Ec6Q+Ly3Yv+DXvcTdtTBiJh5Ys1SbYzxApp
> +X1uBCYRrQjMYCZ2gNfecHt5u3pBpGugy5EmtwzHp+EqiKB3bDSm2SApEk4ZBYo9z
> +l2AQinRGZlX+oJU1nu+frxH6W6N8wjVkEWcoHhQKfWhhnM3HRjkwMXmUVrNFFpq1
> +d2b+QUMPAEhumd0M1EcshoxQBGEg3aqOc08htO4JTdNAAdDyp1t9BT3B52Umqoya
> +WFp8bW8CAwEAAaOBoDCBnTAMBgNVHRMBAf8EAjAAMB8GA1UdJQQYMBYGCCsGAQUF
> +BwMDBgorBgEEAYI3CgMGMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
> +ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUqNVLuzglz7lPoTyfillKGVwQe40wHwYD
> +VR0jBBgwFoAUrZGZC8IqsfUXBIwjtmVaJo40WmMwDQYJKoZIhvcNAQELBQADggEB
> +ACQlJX4Bpcg9VIwbBXPRBtjb1Dpx1RmdlxyFPMo4WgwlJTkaZ7xsnZhs831ft0D5
> +c6D1e0CoZqXxU7F4gCQ/GVAvAgnsoYrmDd/EriSeaQ1c3ERMODpTTkuhS5KfQ6Sd
> +HnYzGBu/YuX1vJM8TiHVWyBpESjBxZO1jpYdG8pyeSTeZypQnc6LQd0+gt2lBHVU
> ++zVwmIe08+pBIyOADpnXAxbufhHiyCmrc8VtXKgvMgOfjmbWy1SEVXWrmt2V/QUe
> +EYU3HmPS9H80ZDKhY5GRUDkUGupUeOYNBCPHg1HFJScHbPhlt9qViXaDzPN+BnTT
> +bO/pF94pHqtc1+zf8Zi46WY=
> +-----END CERTIFICATE-----
> diff --git a/debian/revoked-certs/canonical-uefi-2021v2-all.pem b/debian/revoked-certs/canonical-uefi-2021v2-all.pem
> new file mode 100644
> index 0000000000..6c68bcc97a
> --- /dev/null
> +++ b/debian/revoked-certs/canonical-uefi-2021v2-all.pem
> @@ -0,0 +1,86 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 7 (0x7)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
> +        Validity
> +            Not Before: Sep 23 19:29:42 2021 GMT
> +            Not After : Sep 22 19:29:42 2051 GMT
> +        Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing (2021 v2)
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +                Public-Key: (2048 bit)
> +                Modulus:
> +                    00:ba:06:8b:ee:58:b7:8b:49:7b:53:7a:d1:df:02:
> +                    e3:f2:d8:b0:8c:03:5c:f4:2d:0b:d8:18:3b:23:fa:
> +                    68:b0:e8:e9:9d:dc:a2:eb:5e:d3:06:a9:28:d4:9f:
> +                    14:b6:1e:1c:1d:ef:69:0e:7f:44:f2:cc:4a:f1:b1:
> +                    d0:71:30:6a:50:1e:b0:d3:f8:a4:19:d0:4a:f1:e3:
> +                    eb:7a:e5:57:4c:a1:fb:d1:87:b9:48:e0:55:37:52:
> +                    f9:de:99:2e:95:85:36:ce:d3:1d:67:2f:14:cb:7f:
> +                    05:82:75:21:b6:aa:a5:14:ac:da:4a:f4:fe:fa:5c:
> +                    33:49:3d:6f:de:fd:9d:75:ba:e2:c4:02:38:b5:69:
> +                    f5:ff:a8:67:4b:3a:e0:34:f6:3b:07:03:a5:7e:59:
> +                    6f:3a:d2:28:a4:2f:25:ac:d8:a9:1f:59:52:5d:24:
> +                    36:58:51:b5:f0:12:a8:d3:78:56:57:b1:e0:a9:df:
> +                    14:05:65:7c:b5:a5:00:f0:88:39:14:44:18:85:2d:
> +                    0c:28:69:7b:b9:b4:1c:47:6f:43:66:4c:22:ad:f7:
> +                    f6:19:75:e1:14:2c:0d:33:3f:c1:3f:fc:73:56:b2:
> +                    68:05:b5:92:03:9b:65:6b:81:80:92:35:03:9b:66:
> +                    68:58:c5:66:11:b6:8c:7f:05:09:9a:45:a6:0e:5e:
> +                    5f:bf
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:FALSE
> +            X509v3 Extended Key Usage: 
> +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> +            Netscape Comment: 
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier: 
> +                4C:F0:46:89:2D:6F:D3:C9:A5:B0:3F:98:D8:45:F9:08:51:DC:6A:8C
> +            X509v3 Authority Key Identifier: 
> +                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> +    Signature Algorithm: sha256WithRSAEncryption
> +    Signature Value:
> +        93:9d:49:7d:9f:3e:3e:27:79:97:d9:c2:fc:0b:f7:30:b7:f4:
> +        78:b2:c9:e4:5e:42:d3:27:26:70:cf:88:96:d1:f2:ea:a0:75:
> +        7e:3c:f6:b7:d2:e7:95:30:e3:a6:67:a7:ee:b9:53:8f:fd:b2:
> +        cb:db:e1:98:32:be:98:79:09:46:c6:63:6a:57:87:4d:b2:26:
> +        46:f6:34:5e:18:75:ca:82:80:8e:33:c2:1d:c7:76:d7:14:57:
> +        ef:2e:0e:9e:58:5c:81:8e:ed:53:2c:07:46:0a:8a:fc:2f:f5:
> +        b2:c8:58:f5:fa:fa:bb:f9:7d:47:13:39:f0:f2:1c:15:9c:75:
> +        90:40:bd:08:04:b3:6a:de:c2:cd:34:21:7e:ba:31:48:bc:a1:
> +        23:bc:ee:93:b2:62:96:27:30:86:c2:d4:f7:b4:e6:3c:71:47:
> +        37:84:ff:3d:0c:1e:ec:f3:0e:da:6b:dc:64:7a:b8:c0:7e:45:
> +        13:09:bf:02:b3:b7:5b:6d:09:2d:6a:4e:0b:93:94:29:4c:a6:
> +        c3:c7:05:fa:69:08:04:53:3c:4c:64:c0:7e:89:00:91:1b:a6:
> +        c2:d7:ea:c4:db:86:38:fe:66:03:85:7b:fc:39:24:99:4c:2a:
> +        3e:10:8b:91:c3:6e:20:9d:0c:ee:51:70:b5:98:58:f3:5c:ac:
> +        16:98:7b:ce
> +-----BEGIN CERTIFICATE-----
> +MIIELTCCAxWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
> +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
> +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
> +IENlcnRpZmljYXRlIEF1dGhvcml0eTAgFw0yMTA5MjMxOTI5NDJaGA8yMDUxMDky
> +MjE5Mjk0MlowgYkxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEX
> +MBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4xFDASBgNVBAsMC1NlY3VyZSBCb290MTUw
> +MwYDVQQDDCxDYW5vbmljYWwgTHRkLiBTZWN1cmUgQm9vdCBTaWduaW5nICgyMDIx
> +IHYyKTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALoGi+5Yt4tJe1N6
> +0d8C4/LYsIwDXPQtC9gYOyP6aLDo6Z3coute0wapKNSfFLYeHB3vaQ5/RPLMSvGx
> +0HEwalAesNP4pBnQSvHj63rlV0yh+9GHuUjgVTdS+d6ZLpWFNs7THWcvFMt/BYJ1
> +IbaqpRSs2kr0/vpcM0k9b979nXW64sQCOLVp9f+oZ0s64DT2OwcDpX5ZbzrSKKQv
> +JazYqR9ZUl0kNlhRtfASqNN4Vlex4KnfFAVlfLWlAPCIORREGIUtDChpe7m0HEdv
> +Q2ZMIq339hl14RQsDTM/wT/8c1ayaAW1kgObZWuBgJI1A5tmaFjFZhG2jH8FCZpF
> +pg5eX78CAwEAAaOBoDCBnTAMBgNVHRMBAf8EAjAAMB8GA1UdJQQYMBYGCCsGAQUF
> +BwMDBgorBgEEAYI3CgMGMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
> +ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUTPBGiS1v08mlsD+Y2EX5CFHcaowwHwYD
> +VR0jBBgwFoAUrZGZC8IqsfUXBIwjtmVaJo40WmMwDQYJKoZIhvcNAQELBQADggEB
> +AJOdSX2fPj4neZfZwvwL9zC39HiyyeReQtMnJnDPiJbR8uqgdX489rfS55Uw46Zn
> +p+65U4/9ssvb4Zgyvph5CUbGY2pXh02yJkb2NF4YdcqCgI4zwh3HdtcUV+8uDp5Y
> +XIGO7VMsB0YKivwv9bLIWPX6+rv5fUcTOfDyHBWcdZBAvQgEs2rews00IX66MUi8
> +oSO87pOyYpYnMIbC1Pe05jxxRzeE/z0MHuzzDtpr3GR6uMB+RRMJvwKzt1ttCS1q
> +TguTlClMpsPHBfppCARTPExkwH6JAJEbpsLX6sTbhjj+ZgOFe/w5JJlMKj4Qi5HD
> +biCdDO5RcLWYWPNcrBaYe84=
> +-----END CERTIFICATE-----
> diff --git a/debian/revoked-certs/canonical-uefi-2021v3-all.pem b/debian/revoked-certs/canonical-uefi-2021v3-all.pem
> new file mode 100644
> index 0000000000..679684ed76
> --- /dev/null
> +++ b/debian/revoked-certs/canonical-uefi-2021v3-all.pem
> @@ -0,0 +1,86 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 8 (0x8)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
> +        Validity
> +            Not Before: Sep 23 19:30:02 2021 GMT
> +            Not After : Sep 22 19:30:02 2051 GMT
> +        Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing (2021 v3)
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +                Public-Key: (2048 bit)
> +                Modulus:
> +                    00:d6:29:96:87:ae:07:42:45:bb:65:09:b2:9b:de:
> +                    5d:8e:78:61:10:d5:6d:ae:ae:26:08:6a:06:ec:4a:
> +                    dd:2b:e7:1a:a9:ad:78:e3:fc:cf:8f:d1:47:bd:1e:
> +                    33:d8:7a:e3:66:9b:e9:73:c1:5f:42:e2:fe:bc:c3:
> +                    41:f7:cd:d7:85:d7:42:c9:ea:31:e5:47:b1:93:5b:
> +                    43:2b:07:51:b8:75:08:ad:0f:e7:0d:81:38:5a:21:
> +                    df:b1:43:5b:db:37:c5:ac:aa:14:3a:33:19:6a:26:
> +                    e0:05:fe:cd:41:31:af:5d:a8:ab:31:77:44:fc:da:
> +                    00:e2:7a:44:33:c3:a7:ed:13:54:9f:19:5d:c9:98:
> +                    a2:3b:af:4d:0d:87:29:9c:90:9e:42:9e:9a:06:6a:
> +                    70:27:c5:aa:f7:a2:f2:88:e0:b9:66:9a:72:a0:f6:
> +                    61:7e:30:8f:14:9f:44:0d:dd:54:ae:47:c8:82:ba:
> +                    d2:b2:db:6f:24:c1:f4:0a:81:07:90:47:49:5f:57:
> +                    d6:3f:bf:2a:73:98:f2:f6:24:1a:74:03:d7:35:f0:
> +                    42:d8:14:c5:94:27:5d:3c:49:0c:b0:f0:7a:61:1b:
> +                    d7:5a:e3:a3:40:57:e9:a4:07:ee:02:a3:32:27:94:
> +                    bb:f3:36:c5:5f:ef:d3:07:04:3a:80:4c:9c:0a:b7:
> +                    88:9f
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:FALSE
> +            X509v3 Extended Key Usage: 
> +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> +            Netscape Comment: 
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier: 
> +                10:04:37:BB:6D:E6:E4:69:B5:81:E6:1C:D6:6B:CE:3E:F4:ED:53:AF
> +            X509v3 Authority Key Identifier: 
> +                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> +    Signature Algorithm: sha256WithRSAEncryption
> +    Signature Value:
> +        3b:37:d6:a8:8d:cd:d2:df:13:35:ac:8c:92:d6:b0:ac:d1:38:
> +        a8:00:97:47:59:b8:4a:84:8c:80:a5:1d:c7:29:bf:00:66:e5:
> +        10:40:26:2e:31:f5:e1:13:c0:1b:29:f3:0b:7e:2d:71:d8:db:
> +        e1:32:8f:79:8e:e3:97:0c:40:a9:a0:12:c1:fc:c2:50:88:72:
> +        44:c5:bc:8b:45:6e:28:fd:d2:37:d6:db:17:cf:4e:61:33:08:
> +        5a:5d:08:94:73:44:e2:76:00:44:1b:b8:00:a1:86:00:64:8a:
> +        f1:42:32:3c:28:11:67:7c:8b:aa:06:34:74:58:e8:b3:3a:36:
> +        8d:f6:04:5d:37:f5:66:52:c9:48:b0:a7:6f:34:09:dd:60:2a:
> +        86:b9:14:f1:09:f6:06:16:56:e0:51:b1:e8:75:7f:fa:37:dc:
> +        e0:98:a7:69:ae:7b:1a:73:89:0d:06:67:cc:01:ef:80:31:45:
> +        9e:bb:03:2a:eb:89:70:d6:19:b2:c7:ce:bc:81:df:da:c8:6f:
> +        a9:4b:2d:d7:a7:e1:af:c6:e8:fb:f0:61:c9:cd:d2:91:cd:8b:
> +        c2:6c:ef:e0:b6:7f:f1:c4:81:f9:bb:76:9c:26:e3:fa:a1:a0:
> +        cd:5e:05:de:ee:f9:1b:5b:50:0a:8b:0f:47:e3:90:32:ac:2a:
> +        e7:65:02:80
> +-----BEGIN CERTIFICATE-----
> +MIIELTCCAxWgAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
> +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
> +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
> +IENlcnRpZmljYXRlIEF1dGhvcml0eTAgFw0yMTA5MjMxOTMwMDJaGA8yMDUxMDky
> +MjE5MzAwMlowgYkxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEX
> +MBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4xFDASBgNVBAsMC1NlY3VyZSBCb290MTUw
> +MwYDVQQDDCxDYW5vbmljYWwgTHRkLiBTZWN1cmUgQm9vdCBTaWduaW5nICgyMDIx
> +IHYzKTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANYploeuB0JFu2UJ
> +spveXY54YRDVba6uJghqBuxK3SvnGqmteOP8z4/RR70eM9h642ab6XPBX0Li/rzD
> +QffN14XXQsnqMeVHsZNbQysHUbh1CK0P5w2BOFoh37FDW9s3xayqFDozGWom4AX+
> +zUExr12oqzF3RPzaAOJ6RDPDp+0TVJ8ZXcmYojuvTQ2HKZyQnkKemgZqcCfFqvei
> +8ojguWaacqD2YX4wjxSfRA3dVK5HyIK60rLbbyTB9AqBB5BHSV9X1j+/KnOY8vYk
> +GnQD1zXwQtgUxZQnXTxJDLDwemEb11rjo0BX6aQH7gKjMieUu/M2xV/v0wcEOoBM
> +nAq3iJ8CAwEAAaOBoDCBnTAMBgNVHRMBAf8EAjAAMB8GA1UdJQQYMBYGCCsGAQUF
> +BwMDBgorBgEEAYI3CgMGMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
> +ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUEAQ3u23m5Gm1geYc1mvOPvTtU68wHwYD
> +VR0jBBgwFoAUrZGZC8IqsfUXBIwjtmVaJo40WmMwDQYJKoZIhvcNAQELBQADggEB
> +ADs31qiNzdLfEzWsjJLWsKzROKgAl0dZuEqEjIClHccpvwBm5RBAJi4x9eETwBsp
> +8wt+LXHY2+Eyj3mO45cMQKmgEsH8wlCIckTFvItFbij90jfW2xfPTmEzCFpdCJRz
> +ROJ2AEQbuAChhgBkivFCMjwoEWd8i6oGNHRY6LM6No32BF039WZSyUiwp280Cd1g
> +Koa5FPEJ9gYWVuBRseh1f/o33OCYp2muexpziQ0GZ8wB74AxRZ67AyrriXDWGbLH
> +zryB39rIb6lLLden4a/G6PvwYcnN0pHNi8Js7+C2f/HEgfm7dpwm4/qhoM1eBd7u
> ++RtbUAqLD0fjkDKsKudlAoA=
> +-----END CERTIFICATE-----
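
Review bot: the `Subject:` line in the text dump of this file is the exact string the `grep -qx` added to debian/rules looks for (the `C = GB` spacing included), so the human-readable part is now build input rather than decoration, assuming debian/canonical-revoked-certs.pem is assembled from these files. Please say so in the commit message or next to the grep: regenerating this file with a tool that prints the DN differently would leave `UBUNTU_COMPATIBLE_SIGNING` empty without failing the build.
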
> diff --git a/debian/revoked-certs/canonical-uefi-uc2019-all.pem b/debian/revoked-certs/canonical-uefi-uc2019-all.pem
> new file mode 100644
> index 0000000000..1424ebb7a1
> --- /dev/null
> +++ b/debian/revoked-certs/canonical-uefi-uc2019-all.pem
> @@ -0,0 +1,86 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 3 (0x3)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
> +        Validity
> +            Not Before: Mar  4 10:27:14 2020 GMT
> +            Not After : Mar  3 10:27:14 2050 GMT
> +        Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +                Public-Key: (2048 bit)
> +                Modulus:
> +                    00:b9:10:47:2e:75:5d:f3:10:23:bb:a0:75:d2:fa:
> +                    02:2d:ff:22:df:c1:e6:cd:38:7c:36:0f:ae:74:15:
> +                    6e:a5:34:52:2b:c3:a4:3a:60:d7:06:ee:1d:99:93:
> +                    ff:66:91:a3:18:52:2c:8c:58:e6:b4:2f:4b:c5:fb:
> +                    83:e6:f3:19:bd:1b:ca:23:ec:97:1f:d8:f1:9a:f1:
> +                    04:da:da:10:04:53:4b:ec:1d:b6:26:47:7c:bb:8f:
> +                    a7:0a:6e:2e:e8:91:e6:c4:bb:64:34:78:3c:fa:09:
> +                    15:1c:8f:9e:eb:04:99:36:22:c6:8d:07:15:0f:b9:
> +                    69:08:fa:ff:4b:45:bd:ba:2b:cd:01:0e:e7:01:23:
> +                    c9:e5:7a:39:3b:91:b0:45:3c:d5:77:ba:ca:f9:29:
> +                    3d:11:3f:1c:6b:5b:8e:6c:4b:3f:c9:29:05:cb:59:
> +                    d6:b1:c1:c0:2d:56:88:70:27:fa:73:05:5c:c2:11:
> +                    d4:27:11:f7:0b:c2:d5:68:d3:1a:cd:ed:d0:e4:10:
> +                    ff:34:cb:b7:45:70:34:2c:23:53:b6:9c:30:70:b4:
> +                    5c:d1:e2:64:18:82:8f:62:b1:5e:aa:0b:d4:89:f2:
> +                    1c:53:c4:32:7d:ef:53:ee:9b:6e:02:ab:78:bd:25:
> +                    67:8b:39:36:d8:84:3b:06:99:02:d6:75:73:4e:f2:
> +                    f6:b9
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:FALSE
> +            X509v3 Extended Key Usage: 
> +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> +            Netscape Comment: 
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier: 
> +                C1:D5:7B:8F:6B:74:3F:23:EE:41:F4:F7:EE:29:2F:06:EE:CA:DF:B9
> +            X509v3 Authority Key Identifier: 
> +                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> +    Signature Algorithm: sha256WithRSAEncryption
> +    Signature Value:
> +        2d:b5:11:a8:d2:a0:af:81:a0:18:22:18:2c:08:d0:f4:63:e8:
> +        8f:9a:f4:f5:20:dd:eb:22:77:19:9a:1a:09:3d:7f:aa:7d:c9:
> +        81:bc:26:98:65:94:46:30:4b:c2:51:7c:f7:21:41:63:87:31:
> +        fc:a4:c9:41:28:c7:2e:2a:2e:d8:a8:75:7a:72:77:3b:1b:9f:
> +        72:15:0d:0c:96:8d:8b:51:f3:ce:37:b6:ca:9f:ca:59:40:4a:
> +        fc:73:7a:94:12:99:aa:c2:8d:52:ce:91:19:2e:b4:da:ff:e5:
> +        2c:67:74:d9:58:47:38:2f:61:88:c5:cf:a7:48:e1:08:ba:bc:
> +        ec:d5:3a:47:d9:8c:dc:c3:bc:cb:98:2b:79:7a:02:46:ef:85:
> +        19:2f:03:4b:05:84:eb:56:98:5f:6d:cf:a5:8b:a2:b6:e5:50:
> +        51:7c:33:44:bd:7a:94:2e:0d:90:39:39:3e:62:60:ae:3a:e2:
> +        f5:17:fa:f1:94:06:1d:ae:a3:f8:19:20:7f:4b:4c:07:c4:e6:
> +        2d:0d:e5:94:84:51:6d:6f:0f:c4:c6:79:1d:f0:e8:0e:23:9e:
> +        fd:f9:46:2c:b9:ec:97:38:56:7e:b8:13:f6:d2:e1:8e:a5:93:
> +        02:7b:6e:dd:33:9a:bf:10:a8:1b:3d:fa:c4:f2:15:f0:27:73:
> +        26:a6:94:d1
> +-----BEGIN CERTIFICATE-----
> +MIIENjCCAx6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
> +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
> +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
> +IENlcnRpZmljYXRlIEF1dGhvcml0eTAgFw0yMDAzMDQxMDI3MTRaGA8yMDUwMDMw
> +MzEwMjcxNFowgZIxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEX
> +MBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4xFDASBgNVBAsMC1NlY3VyZSBCb290MT4w
> +PAYDVQQDDDVDYW5vbmljYWwgTHRkLiBTZWN1cmUgQm9vdCBTaWduaW5nIChVYnVu
> +dHUgQ29yZSAyMDE5KTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALkQ
> +Ry51XfMQI7ugddL6Ai3/It/B5s04fDYPrnQVbqU0UivDpDpg1wbuHZmT/2aRoxhS
> +LIxY5rQvS8X7g+bzGb0byiPslx/Y8ZrxBNraEARTS+wdtiZHfLuPpwpuLuiR5sS7
> +ZDR4PPoJFRyPnusEmTYixo0HFQ+5aQj6/0tFvborzQEO5wEjyeV6OTuRsEU81Xe6
> +yvkpPRE/HGtbjmxLP8kpBctZ1rHBwC1WiHAn+nMFXMIR1CcR9wvC1WjTGs3t0OQQ
> +/zTLt0VwNCwjU7acMHC0XNHiZBiCj2KxXqoL1InyHFPEMn3vU+6bbgKreL0lZ4s5
> +NtiEOwaZAtZ1c07y9rkCAwEAAaOBoDCBnTAMBgNVHRMBAf8EAjAAMB8GA1UdJQQY
> +MBYGCCsGAQUFBwMDBgorBgEEAYI3CgMGMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
> +IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUwdV7j2t0PyPuQfT37ikv
> +Bu7K37kwHwYDVR0jBBgwFoAUrZGZC8IqsfUXBIwjtmVaJo40WmMwDQYJKoZIhvcN
> +AQELBQADggEBAC21EajSoK+BoBgiGCwI0PRj6I+a9PUg3esidxmaGgk9f6p9yYG8
> +JphllEYwS8JRfPchQWOHMfykyUEoxy4qLtiodXpydzsbn3IVDQyWjYtR8843tsqf
> +yllASvxzepQSmarCjVLOkRkutNr/5SxndNlYRzgvYYjFz6dI4Qi6vOzVOkfZjNzD
> +vMuYK3l6AkbvhRkvA0sFhOtWmF9tz6WLorblUFF8M0S9epQuDZA5OT5iYK464vUX
> ++vGUBh2uo/gZIH9LTAfE5i0N5ZSEUW1vD8TGeR3w6A4jnv35Riy57Jc4Vn64E/bS
> +4Y6lkwJ7bt0zmr8QqBs9+sTyFfAncyamlNE=
> +-----END CERTIFICATE-----
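
Review bot: nothing attached to this new file says why the Ubuntu Core 2019 certificate is revoked. The commit message gives two reasons (certs previously protected with by-hash revocations, and lost/unused certificates) but does not say which applies to which file. A per-file list in the commit message would let a later reader audit this set against the shim v15.7 revocations it is meant to match.
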
> diff --git a/debian/rules b/debian/rules
> index 3cb6e8f2ea..45b7334d96 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -178,11 +178,15 @@ ifneq (,$(wildcard $(DEBIAN)/control.d/linux-doc.stub))
>  endif
>  endif
>  
> +# Calculate Ubuntu Compatible Signing levels
> +UBUNTU_COMPATIBLE_SIGNING=$(shell grep -qx ' *Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing (2021 v3)' debian/canonical-revoked-certs.pem && echo ubuntu/4 pro/3)
> +
>  # Misc stuff
>  .PHONY: $(DEBIAN)/control.stub
>  $(DEBIAN)/control.stub: 				\
>  		$(DROOT)/scripts/control-create		\
>  		$(control_files)			\
> +		debian/canonical-revoked-certs.pem	\
>  		$(DROOT)/control.d/flavour-module.stub	\
>  		$(DEBIAN)/changelog			\
>  		$(wildcard $(DEBIAN)/control.d/* $(DEBIAN)/sub-flavours/*.vars)
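
Review bot: the `echo` in `UBUNTU_COMPATIBLE_SIGNING` emits `ubuntu/4 pro/3`, while the commit message says kernels with this patch should be signed using the ubuntu/4 pro/3 core/2 streams. Either add `core/2` here or explain in the comment why it is left out. The comment "Calculate Ubuntu Compatible Signing levels" could also state that the levels are keyed on the 2021 v3 certificate being present in debian/canonical-revoked-certs.pem.
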
> @@ -194,6 +198,7 @@ $(DEBIAN)/control.stub: 				\
>  		-e 's/SRCPKGNAME/$(src_pkg_name)/g'                             \
>  		-e 's/=HUMAN=/$(human_arch)/g'                                  \
>  		-e 's/=SERIES=/$(series)/g'                                     \
> +		-e 's|\(^Maintainer:.*\)|\1\nXSC-Ubuntu-Compatible-Signing: $(UBUNTU_COMPATIBLE_SIGNING)|g' \
>  		-e 's/\(^Build-Depends:$$\)/\1\n$(GCC_BUILD_DEPENDS)/g'         \
>  	  > $(DEBIAN)/control.stub;
>  	flavours="$(sort $(wildcard $(DEBIAN)/control.d/vars.* $(DEBIAN)/sub-flavours/*.vars))";\
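
Review bot: the added sed expression always writes an `XSC-Ubuntu-Compatible-Signing:` line after `Maintainer:`, so when the grep does not match, or debian/canonical-revoked-certs.pem is missing, the control stub gets the field with an empty value and the build carries on. Consider failing the build in that case, or emitting the field only when `$(UBUNTU_COMPATIBLE_SIGNING)` is non-empty.
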
> -- 
> 2.34.1
> 
> 


