certs: Revert switch to production certificate

This reverts commit b91655bf3e and part
of commit 16dec97798.

The signing service is still using secure-boot-test-key-lfaraone and
we should make at least one more upload to be signed by it.

debian/certs/debian-uefi-ca.pem

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDnjCCAoagAwIBAgIRAO1UodWvh0iUjZ+JMu6cfDQwDQYJKoZIhvcNAQELBQAw
-IDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290IENBMB4XDTE2MDgxNjE4MDkx
-OFoXDTQ2MDgwOTE4MDkxOFowIDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290
-IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnZXUi5vaEKwuyoI3
-waTLSsMbQpPCeinTbt1kr4Cv6maiG2GcgwzFa7k1Jf/F++gpQ97OSz3GEk2x7yZD
-lWjNBBH+wiSb3hTYhlHoOEO9sZoV5Qhr+FRQi7NLX/wU5DVQfAux4gOEqDZI5IDo
-6p/6v8UYe17OHL4sgHhJNRXAIc/vZtWKlggrZi9IF7Hn7IKPB+bK4F9xJDlQCo7R
-cihQpZ0h9ONhugkDZsjfTiY2CxUPYx8rr6vEKKJWZIWNplVBrjyIld3Qbdkp29jE
-aLX89FeJaxTb4O/uQA1iH+pY1KPYugOmly7FaxOkkXemta0jp+sKSRRGfHbpnjK0
-ia9XeQIDAQABo4HSMIHPMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAoYlaHR0
-cHM6Ly9kc2EuZGViaWFuLm9yZy9zZWN1cmUtYm9vdC1jYTAfBgNVHSMEGDAWgBRs
-zs5+TGwNH2FJ890n38xcu0GeoTAUBglghkgBhvhCAQEBAf8EBAMCAPcwEwYDVR0l
-BAwwCgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8w
-HQYDVR0OBBYEFGzOzn5MbA0fYUnz3SffzFy7QZ6hMA0GCSqGSIb3DQEBCwUAA4IB
-AQB3lj5Hyc4Jz4uJzlntJg4mC7mtqSu9oeuIeQL/Md7+9WoH72ETEXAev5xOZmzh
-YhKXAVdlR91Kxvf03qjxE2LMg1esPKaRFa9VJnJpLhTN3U2z0WAkLTJPGWwRXvKj
-8qFfYg8wrq3xSGZkfTZEDQY0PS6vjp3DrcKR2Dfg7npfgjtnjgCKxKTfNRbCcitM
-UdeTk566CA1Zl/LiKaBETeru+D4CYMoVz06aJZGEP7dax+68a4Cj2f2ybXoeYxTr
-7/GwQCXV6A6B62v3y//lIQAiLC6aNWASS1tfOEaEDAacz3KTYhjuXJjWs30GJTmV
-305gdrAGewiwbuNknyFWrTkP
------END CERTIFICATE-----

debian/certs/test-signing-certs.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAg6gAwIBAgIJAOmHdbieZFH0MA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV
+BAMMHXNlY3VyZS1ib290LXRlc3Qta2V5LWxmYXJhb25lMB4XDTE4MDQwODA5NDYz
+OFoXDTE4MDUwODA5NDYzOFowKDEmMCQGA1UEAwwdc2VjdXJlLWJvb3QtdGVzdC1r
+ZXktbGZhcmFvbmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP2ZKT
+CXiUNldWounP5xoLtG6uavjCARJSXhWskBOOKoHsPSekv2db5l8iBLDlkIkuox0B
+ozN+tuw/9wv3BVUYyRCLkLhvgHq+EpLUxnmRViO4YuxtkmXkJ8QFy/4RozjKTpPt
+ViToFpaFdgJrWwSaIjJVSyeRWX3nm/ir4TCrQB32QG2Fm7rN+k28nigeiSsvDscu
+A8zQsdvk3tI1p8Kxez9lFwUvfHPraL0wgA47GE71Lu+8aqrIsjBA+6ZVCwD6OGSN
+brqFkYnE43+Yo3HDabu67It7tU+e1+c+Pw2lVij2lWMX9jj0qSShnIby/iqC7nb1
+NgIrjs4WqntGRsD/AgMBAAGjUzBRMB0GA1UdDgQWBBSXwbJc3fmHPKeKWPPXO/cn
+0s94/zAfBgNVHSMEGDAWgBSXwbJc3fmHPKeKWPPXO/cn0s94/zAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjbSD3myNwzu32tHIJhbiIXX/qtSPt
+TNDiWNdMU/GN7NljirWbKG2GJERkmLyuQw1odcEGWcErvyznLzFTHJefCm0PkwwE
+zLH3eKwwloR3a/zY+CQsvrC+FIduq3XvRsOKilVR/JSx4PHY75zvntYh0/lvYmFN
+4mCTZzHeig9E5ybVOdab4V3WIzWW6f840uTHDoAQ9u194OtAEBabThO/q0uslovj
+n0cDwTzuVFIR/GtVlI9ig+jWX/JKuXi3TjLMQckt2s4yog6H6NqiBpje/IYXO8P+
+lsPViykeO1tGalEB2OvB78OBHWWx5IQUqPYvsZnjJA6D3sPmjEBVQz+S
+-----END CERTIFICATE-----

debian/changelog

@@ -11,9 +11,7 @@ linux (4.18-1~exp1) UNRELEASED; urgency=medium
   * spi: Enable CONFIG_SPI_SPIDEV (Closes: #904043)
 
   [ Ben Hutchings ]
-  * certs: Remove certificates for test key used in Debian signing service and
-    for my personal signing key
-  * certs: Add certificate for production key used in Debian signing service
+  * certs: Remove certificate for my personal signing key
   * Update policy version to 4.2.0:
     - linux-kbuild: Change "#!/usr/bin/env perl" to "#!/usr/bin/perl"
     - Build with KBUILD_VERBOSE=1 by default

debian/config/config

@@ -71,7 +71,7 @@ CONFIG_EFI_PARTITION=y
 #. Signatures are added in linux-signed
 CONFIG_MODULE_SIG_KEY=""
 #. Actually a file containing X.509 certificates, not keys
-CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-ca.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/test-signing-certs.pem"
 
 ##
 ## file: crypto/Kconfig

debian/config/featureset-rt/config

@@ -2,7 +2,7 @@
 ## file: certs/Kconfig
 ##
 #. Certificate paths are resolved relative to debian/build/source_rt
-CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-ca.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/test-signing-certs.pem"
 
 ##
 ## file: kernel/Kconfig.preempt