From 35ab00b41b32459c9e276647ce613517b9665050 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sat, 18 Aug 2018 19:56:53 +0100
Subject: [PATCH] certs: Revert switch to production certificate

This reverts commit b91655bf3eaa2d0d04e449352b5d2396368bbdf1 and part of commit 16dec977981aafbc943695391e37c7343b21578f. The signing service is still using secure-boot-test-key-lfaraone and we should make at least one more upload to be signed by it.
---
 debian/certs/debian-uefi-ca.pem | 22 ----------------------
 debian/certs/test-signing-certs.pem | 19 +++++++++++++++++++
 debian/changelog | 4 +---
 debian/config/config | 2 +-
 debian/config/featureset-rt/config | 2 +-
 5 files changed, 22 insertions(+), 27 deletions(-)
 delete mode 100644 debian/certs/debian-uefi-ca.pem
 create mode 100644 debian/certs/test-signing-certs.pem

diff --git a/debian/certs/debian-uefi-ca.pem b/debian/certs/debian-uefi-ca.pem
deleted file mode 100644
index 315301e73..000000000
--- a/debian/certs/debian-uefi-ca.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDnjCCAoagAwIBAgIRAO1UodWvh0iUjZ+JMu6cfDQwDQYJKoZIhvcNAQELBQAw
-IDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290IENBMB4XDTE2MDgxNjE4MDkx
-OFoXDTQ2MDgwOTE4MDkxOFowIDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290
-IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnZXUi5vaEKwuyoI3
-waTLSsMbQpPCeinTbt1kr4Cv6maiG2GcgwzFa7k1Jf/F++gpQ97OSz3GEk2x7yZD
-lWjNBBH+wiSb3hTYhlHoOEO9sZoV5Qhr+FRQi7NLX/wU5DVQfAux4gOEqDZI5IDo
-6p/6v8UYe17OHL4sgHhJNRXAIc/vZtWKlggrZi9IF7Hn7IKPB+bK4F9xJDlQCo7R
-cihQpZ0h9ONhugkDZsjfTiY2CxUPYx8rr6vEKKJWZIWNplVBrjyIld3Qbdkp29jE
-aLX89FeJaxTb4O/uQA1iH+pY1KPYugOmly7FaxOkkXemta0jp+sKSRRGfHbpnjK0
-ia9XeQIDAQABo4HSMIHPMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAoYlaHR0
-cHM6Ly9kc2EuZGViaWFuLm9yZy9zZWN1cmUtYm9vdC1jYTAfBgNVHSMEGDAWgBRs
-zs5+TGwNH2FJ890n38xcu0GeoTAUBglghkgBhvhCAQEBAf8EBAMCAPcwEwYDVR0l
-BAwwCgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8w
-HQYDVR0OBBYEFGzOzn5MbA0fYUnz3SffzFy7QZ6hMA0GCSqGSIb3DQEBCwUAA4IB
-AQB3lj5Hyc4Jz4uJzlntJg4mC7mtqSu9oeuIeQL/Md7+9WoH72ETEXAev5xOZmzh
-YhKXAVdlR91Kxvf03qjxE2LMg1esPKaRFa9VJnJpLhTN3U2z0WAkLTJPGWwRXvKj
-8qFfYg8wrq3xSGZkfTZEDQY0PS6vjp3DrcKR2Dfg7npfgjtnjgCKxKTfNRbCcitM
-UdeTk566CA1Zl/LiKaBETeru+D4CYMoVz06aJZGEP7dax+68a4Cj2f2ybXoeYxTr
-7/GwQCXV6A6B62v3y//lIQAiLC6aNWASS1tfOEaEDAacz3KTYhjuXJjWs30GJTmV
-305gdrAGewiwbuNknyFWrTkP
------END CERTIFICATE-----
diff --git a/debian/certs/test-signing-certs.pem b/debian/certs/test-signing-certs.pem
new file mode 100644
index 000000000..bab513093
--- /dev/null
+++ b/debian/certs/test-signing-certs.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAg6gAwIBAgIJAOmHdbieZFH0MA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV
+BAMMHXNlY3VyZS1ib290LXRlc3Qta2V5LWxmYXJhb25lMB4XDTE4MDQwODA5NDYz
+OFoXDTE4MDUwODA5NDYzOFowKDEmMCQGA1UEAwwdc2VjdXJlLWJvb3QtdGVzdC1r
+ZXktbGZhcmFvbmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP2ZKT
+CXiUNldWounP5xoLtG6uavjCARJSXhWskBOOKoHsPSekv2db5l8iBLDlkIkuox0B
+ozN+tuw/9wv3BVUYyRCLkLhvgHq+EpLUxnmRViO4YuxtkmXkJ8QFy/4RozjKTpPt
+ViToFpaFdgJrWwSaIjJVSyeRWX3nm/ir4TCrQB32QG2Fm7rN+k28nigeiSsvDscu
+A8zQsdvk3tI1p8Kxez9lFwUvfHPraL0wgA47GE71Lu+8aqrIsjBA+6ZVCwD6OGSN
+brqFkYnE43+Yo3HDabu67It7tU+e1+c+Pw2lVij2lWMX9jj0qSShnIby/iqC7nb1
+NgIrjs4WqntGRsD/AgMBAAGjUzBRMB0GA1UdDgQWBBSXwbJc3fmHPKeKWPPXO/cn
+0s94/zAfBgNVHSMEGDAWgBSXwbJc3fmHPKeKWPPXO/cn0s94/zAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjbSD3myNwzu32tHIJhbiIXX/qtSPt
+TNDiWNdMU/GN7NljirWbKG2GJERkmLyuQw1odcEGWcErvyznLzFTHJefCm0PkwwE
+zLH3eKwwloR3a/zY+CQsvrC+FIduq3XvRsOKilVR/JSx4PHY75zvntYh0/lvYmFN
+4mCTZzHeig9E5ybVOdab4V3WIzWW6f840uTHDoAQ9u194OtAEBabThO/q0uslovj
+n0cDwTzuVFIR/GtVlI9ig+jWX/JKuXi3TjLMQckt2s4yog6H6NqiBpje/IYXO8P+
+lsPViykeO1tGalEB2OvB78OBHWWx5IQUqPYvsZnjJA6D3sPmjEBVQz+S
+-----END CERTIFICATE-----
diff --git a/debian/changelog b/debian/changelog
index d62055208..50b17ba86 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,9 +11,7 @@ linux (4.18-1~exp1) UNRELEASED; urgency=medium
 * spi: Enable CONFIG_SPI_SPIDEV (Closes: #904043)
 [ Ben Hutchings ]
- * certs: Remove certificates for test key used in Debian signing service and
- for my personal signing key
- * certs: Add certificate for production key used in Debian signing service
+ * certs: Remove certificate for my personal signing key
 * Update policy version to 4.2.0:
 - linux-kbuild: Change "#!/usr/bin/env perl" to "#!/usr/bin/perl"
 - Build with KBUILD_VERBOSE=1 by default
diff --git a/debian/config/config b/debian/config/config
index ea8cb5224..f7e90ae9f 100644
--- a/debian/config/config
+++ b/debian/config/config
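Review bot: The certificate added in this hunk looks already expired at commit time: its validity field appears to decode to notBefore 2018-04-08 and notAfter 2018-05-08, while the commit is dated 2018-08-18. Subject and issuer both decode to the self-signed `secure-boot-test-key-lfaraone` named in the commit message. Whether the consumers of `CONFIG_SYSTEM_TRUSTED_KEYS` or the signing service enforce validity dates is not visible in this patch, so it is worth confirming with `openssl x509 -in debian/certs/test-signing-certs.pem -noout -subject -dates` before the upload. I would also record the expiry and the test-only status in the `#.` comment above `CONFIG_SYSTEM_TRUSTED_KEYS` in debian/config/config.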
@@ -71,7 +71,7 @@ CONFIG_EFI_PARTITION=y
 #. Signatures are added in linux-signed
 CONFIG_MODULE_SIG_KEY=""
 #. Actually a file containing X.509 certificates, not keys
-CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-ca.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/test-signing-certs.pem"
 ##
 ## file: crypto/Kconfig
diff --git a/debian/config/featureset-rt/config b/debian/config/featureset-rt/config
index 7c7989648..7c5dc9f2a 100644
--- a/debian/config/featureset-rt/config
+++ b/debian/config/featureset-rt/config
@@ -2,7 +2,7 @@
 ## file: certs/Kconfig
 ##
 #. Certificate paths are resolved relative to debian/build/source_rt
-CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-ca.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/test-signing-certs.pem"
 ##
 ## file: kernel/Kconfig.preempt
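Review bot: Nothing in the new `CONFIG_SYSTEM_TRUSTED_KEYS` line or the `#.` comment above it marks the test certificate as temporary. A later release built from this config would then carry `secure-boot-test-key-lfaraone` in the kernel's built-in trusted keyring with no reminder to switch back. I would extend the comment, for example `#. TEMPORARY: test signing certificate; restore debian/certs/debian-uefi-ca.pem once the signing service uses the production key`. The same applies to the `../../certs/test-signing-certs.pem` line in the debian/config/featureset-rt/config hunk. Both hunks show only part of their config files, so a marker elsewhere cannot be ruled out.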