Activity log for bug #2003701

| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2023-01-23 11:19:56 | Dimitri John Ledkov | bug | | | added bug |
| 2023-01-23 11:53:36 | Dimitri John Ledkov | description | When signing UEFI applications, the signature includes signing timestamp. Kernels, upon kexec, check that message signature is within the validity of the X.509 signing certificate. When using original canonical kernel team test key, I no longer can kexec kernels, as the test key has expired. UEFI specifications in general ignore signing time. IMHO we should remove / not include signing timestamp in the UEFI signatures to avoid this. | When signing UEFI applications, the signature includes signing timestamp. Kernels, upon kexec, check that message signature is within the validity of the X.509 signing certificate. When using original canonical kernel team test key, I no longer can kexec kernels, as the test key has expired. UEFI specifications in general ignore signing time. IMHO we should remove / not include signing timestamp in the UEFI signatures to avoid this. --- i guess openssl needs to provide ability to create signatures without signingtime attribute. | |
| 2023-01-23 11:53:41 | Dimitri John Ledkov | bug task added | | openssl (Ubuntu) | |