certs: include both root CA and direct signing certificate. closes: #924545
Module loading needs the issuer certificate to validate the signature, and that certificate is not embedded in the signature itself. For now embed both the signing certificate and the root CA.
parent
2f067b01ec
commit
af53d158a0
|
@ -20,3 +20,21 @@ UdeTk566CA1Zl/LiKaBETeru+D4CYMoVz06aJZGEP7dax+68a4Cj2f2ybXoeYxTr
|
|||
7/GwQCXV6A6B62v3y//lIQAiLC6aNWASS1tfOEaEDAacz3KTYhjuXJjWs30GJTmV
|
||||
305gdrAGewiwbuNknyFWrTkP
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC/DCCAeSgAwIBAgIFAKdGje8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UEAxMV
|
||||
RGViaWFuIFNlY3VyZSBCb290IENBMB4XDTE2MDgxNjE4MjI1MFoXDTI2MDgxNjE4
|
||||
MjI1MFowJDEiMCAGA1UEAxMZRGViaWFuIFNlY3VyZSBCb290IFNpZ25lcjCCASIw
|
||||
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANPRg5AP2mWiLwdaYJXr98eGfCCG
|
||||
2mWjphLrWzvOyPs/oXJLnt9QxQMzpAwrX9ZBBA22z5VI7YqyrdblATdOYM2ySjgE
|
||||
s0SAlK+fblTbqB88t0sw3iGBbwmjZrpqK5bWmmF3DNTtPNBxu62M8CJcPiXMbSIu
|
||||
YZeVr5suTVi2fngCww65+rJbJ959or4MFKxz7JewFV7t7eWldT944HHOL86D7VMx
|
||||
MJhO5vkBooiIpiMIfA23VDoWle1eeV6QTv7Nqt6C/PaWcU5JSbnT6bCrf9cqR7dT
|
||||
MCd83GaYCW/RfvV/PT7UomqIWQIvLz3IxijeQv7ZUj0kwvxAmBH2dr+Mu2UCAwEA
|
||||
AaM5MDcwEQYJYIZIAYb4QgEBBAQDAgQQMBUGA1UdJQQOMAwGCisGAQQBgjcKAwEw
|
||||
CwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQBXG6RgTCnp8n1rXJPbzGyf
|
||||
GD9pSJp13mTzg0oJqSYh7ulWXeE+2XXLzH+/TeToiT1+EUKHQMPV4HF53ABs4XFi
|
||||
x5jCyycLL5/M7PqLsvMLnvPyw8mf2yWTkKTNuwHljvTXVai0dUEx/U5dAxigwqzF
|
||||
3kbn3BzPEtWd6Eedk4wyzUTVdMcwmlelVtB+zwURtPTzKfnbm1PSvS+tanUmRWS6
|
||||
uiiWh4638HlX+noOPEo4krzylfLnKND32JgaXjmetWWAvfPaEj9Qdmcpn9ELCh6H
|
||||
l1xy2/MBdErdB7p26Wr83SLbRgLXrwrF7RW8Dyup242/f2+torfFTUpHs8FWkLYX
|
||||
-----END CERTIFICATE-----
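Review bot: Adding the leaf to this bundle turns the signer certificate into a built-in trust anchor, and nothing in the file or the commit records when it should be taken out again. The added block decodes to subject "Debian Secure Boot Signer", issued by "Debian Secure Boot CA", with a validity window ending 2026-08-16. Every kernel built with this bundle keeps accepting that key, so withdrawing it after a rotation or compromise presumably needs a rebuild or a blacklist entry rather than a CA-side change. Since the commit message frames this as a "for now" measure, I would add a short README next to the bundle naming each certificate, its expiry and the condition for dropping the leaf.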
|
|
@ -10,6 +10,10 @@ linux (4.19.28-2) UNRELEASED; urgency=medium
|
|||
* [arm64] Enable I2C_GPIO as a module.
|
||||
* [arm64] Enable MESON_EFUSE as a module.
|
||||
|
||||
[ Yves-Alexis Perez ]
|
||||
* certs: include both root CA and direct signing certificate.
|
||||
closes: #924545
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Tue, 12 Mar 2019 15:44:31 +0000
|
||||
|
||||
linux (4.19.28-1) unstable; urgency=medium
|
||||
|
|
|
@ -77,7 +77,7 @@ CONFIG_MODULE_SIG_KEY=""
|
|||
#. Actually a file containing X.509 certificates, not keys.
|
||||
#. Whenever the filename changes, this also needs to be updated in
|
||||
#. debian/featureset-*/config
|
||||
CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-ca.pem"
|
||||
CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"
|
||||
|
||||
##
|
||||
## file: crypto/Kconfig
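Review bot: The `#.` comment above `CONFIG_SYSTEM_TRUSTED_KEYS` still describes the file only as "X.509 certificates, not keys", while after this change it deliberately carries a leaf signing certificate next to the root CA. I would add a line such as `#. Holds the Secure Boot root CA plus the signing certificate (stopgap for #924545).` so a later cleanup neither drops nor keeps the leaf by accident. The same applies to the following config hunk with the `../../certs/` path, whose only comment is about path resolution.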
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
## file: certs/Kconfig
|
||||
##
|
||||
#. Certificate paths are resolved relative to debian/build/source_rt
|
||||
CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-ca.pem"
|
||||
CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-certs.pem"
|
||||
|
||||
##
|
||||
## file: kernel/Kconfig.preempt
|
||||
|
|