Message ID | 20210218161754.1840146-8-apw@canonical.com |
---|---|
State | New |
Series | [bionic:linux,1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y |
The way that kernels are signed in the deep, dark recesses of the private kernel PPA has always been a bit of black magic to me. Given my ignorance, exposing keys like this in source code seems like a bad idea. Can you explain how they are being used? Will they ever expire or change?

rtg

On 2/18/21 9:17 AM, Andy Whitcroft wrote:
> From: Dimitri John Ledkov <xnox@ubuntu.com>
>
> Add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS, such that
> livepatch modules signed by Canonical are trusted out of the box, on
> locked-down secureboot systems.
>
> BugLink: https://bugs.launchpad.net/bugs/1898716
> Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
> [apw@canonical.com: move certification to cert framework.]
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
> debian/certs/canonical-livepatch-all.pem | 121 +++++++++++++++++++++++
> 1 file changed, 121 insertions(+)
> create mode 100644 debian/certs/canonical-livepatch-all.pem
>
> [...]
On Thu, Feb 18, 2021 at 12:12:46PM -0700, Tim Gardner wrote:
> The way that kernels are signed in the deep, dark recesses of the private
> kernel PPA has always been a bit of black magic to me. Given my ignorance,
> exposing keys like this in source code seems like a bad idea. Can you
> explain how they are being used? Will they ever expire or change?

Effectively both are module signing keys. The keys are not "exposed." The public key will be baked into the kernel while the private key remains secret. The ephemeral build-time module signing key also has the public key statically built into the kernel keyring; only the private key is discarded.

When these need to be rotated it's just a matter of putting the new keys in the next upload, at least on the kernel side.

There probably is a small security cost to using these keys. At minimum a compromise of one of the keys affects more kernels. But this is also the case for the secure boot signing keys, so imo the impact is pretty marginal.

Seth

>
> rtg
>
> On 2/18/21 9:17 AM, Andy Whitcroft wrote:
> > From: Dimitri John Ledkov <xnox@ubuntu.com>
> > [...]
>
> --
> -----------
> Tim Gardner
> Canonical, Inc
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
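Seth's point above is that only the public half goes into the kernel: the certificate in the patch is parsed into the .builtin_trusted_keys keyring at build time and is identified there by its subject and Subject Key Identifier. The following is an added example, not code from the kernel tree or from Ubuntu's packaging. It parses that certificate with the standard library only, reports the properties a reviewer cares about before baking a key into SYSTEM_TRUSTED_KEYS (self-signed or not, CA flag, key usage, key size, validity window) and derives the description the kernel gives the key. The "<subject>: <hex subject key id>" description format is what x509_key_preparse() produces in mainline kernels; the thread itself does not state it, so treat it, like the helper names, as this example's assumption.

```python
import base64
import datetime

# Base64 body of debian/certs/canonical-livepatch-all.pem, copied from the patch.
LIVEPATCH_B64 = """
MIIFODCCAyCgAwIBAgIJAMd+UWocJc1AMA0GCSqGSIb3DQEBDQUAMCwxKjAoBgNVBAMMIUNhbm9uaWNhbCBMdGQuIExpdmUgUGF0Y2ggU2lnbmluZzAeFw0xNjA3MTgyMzQxMjdaFw0yNjA3MTYyMzQxMjdaMCwxKjAoBgNVBAMMIUNhbm9uaWNhbCBMdGQuIExpdmUgUGF0Y2ggU2lnbmluZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBAL107nKzSqvmMegpJMK9RpgywDnuo/uKrf6rGlujLqGA23lhnkd5LHVXoiHwk/aH8ptLnS+zWGEoPEFwExahcpDJ1RZxfOAw+SheSCA2AGm3WZ+j7KjrVUGfOB4iSlcg9INZScUAk9MzApLR/PCEO0pbj7Zzmon6MB7mKmjyke9ZVz3cHFJvXuabtbh8mMkT0TloAWeR4NNnchYKXhaDRTFPtSuz9kCGiTqEbm8WYbxwhL5aEzZ7guoHGfwY
wRbGMgt9LGvEIbk4azHc2QytVkBofOPGZI6/HOByPmzb0nN52tfFL10EfbAHHpXdKkdevz46yGb2Zw/UKvHicVnSbHugN6zml4AwE5dI1XT8OGjkV8uZaVqEJ6yYUeRkvZFi6FgnBiq5C7gI5eW0UaeiEN9OB2ygO5bybt91jJceZKCahpuYJvnYt95bIbeviQGj95hr2hm6hu/v8c67L4ntwLYb5Vv4kBGaUpPpvvc1uQjLusPtL3OvzJYHVbXe
9gP28Yn5IUB2wWnyYcyalN+c7GplOL7RTiqHxy8+U66Ln1ShCVlkJaqp2ESpqKBx4TKqTDL9RCjMnG+O24F+b/oAVsXlA0Zj+45xjeMTkZ+sYD5k898lNAn6LZafFgXqk/XmAAgnMns8ve5wJGw7Venb9BAtIAa0yukpZVWt9lJUX+WjAgMBAAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQU3zTRqHzzdiWr7AOe
8r9SEkm5aTAfBgNVHSMEGDAWgBQU3zTRqHzzdiWr7AOe8r9SEkm5aTANBgkqhkiG9w0BAQ0FAAOCAgEAMOdIAjfpKM8Eok1c+thOyXbHFD+9LFE9M/AavEnxR5WPadipVBREbE2fVYIIHsZb1ZHZvC6wr9YlZXSWqjberjGoEfKkLFrhT3P4SsM1sHaWcfK1fUt17l2/hqW6C6lSy+yr5SNL8nRVKBces6wnrUUTbmmzWr5CNilI2+dcIligkIIs
KiEr2/Rkt5FdHyxIpBqF44alqhnNGeil+6N7lHdIJaTPoM9xglxvcSJ81pegU7vsMPbLFvt7/RaUelNuvQRkogEQn/BbtaZzQZ1fb0VzDQX3MG05kLZ9VX1ML65fOFYvi9/0vxIGk24NAiO/cZFXiOi9YnKZAEApHskTEdp+juHSpQ2/99bsAQ2JQc3V3NL3XzMNTC+Ft4W3geQXKfB0zw4VjBpQCwhjGpFP53aX8dQ7fnLUxUVYDGrpDfKF2JEe
N7144zlNLv2FMcGmO2rMLFNyHY578OZ2hglvGvPkoeLddl+wjOIqVF3BiEmQEBVCfQUkU4xU/0gYGjbjMdNUMngN/vI9qg03FYS0Nkcx6IVuC1g4/yGRCcmoQ6PqYMt+7fdBb06Rwf13RufU54bAG/1QbKq+ALNjAv9Ox6VXbilk6VTVMGM4Xy1a20lfFBQi0oEfYZ7u7hZm1ry9rBtc+zgxlTMuhG563u65/JcXBhO/cBxudu1mOOJwCAA=
"""
OID_CN, OID_BC, OID_KU, OID_SKID, OID_AKID = (  # DER-encoded commonName, basicConstraints, keyUsage, SKI, AKI
    b"\x55\x04\x03", b"\x55\x1d\x13", b"\x55\x1d\x0f", b"\x55\x1d\x0e", b"\x55\x1d\x23")
KEY_USAGE = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
             "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]


def tlv(buf, off):
    """One DER tag/length at buf[off] -> (tag, value_start, value_end)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, off + hdr, off + hdr + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for the TLVs packed inside a constructed value."""
    while start < end:
        tag, s, e = tlv(buf, start)
        yield tag, s, e
        start = e

def name_cn(der, s, e):
    """commonName of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rs, re_ in children(der, s, e):
        for _, as_, ae in children(der, rs, re_):
            oid, val = list(children(der, as_, ae))[:2]
            if der[oid[1]:oid[2]] == OID_CN:
                return der[val[1]:val[2]].decode()
    return ""

def asn1_time(tag, raw):  # 0x17 UTCTime (YYMMDD...), 0x18 GeneralizedTime (YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(raw.decode(), fmt).replace(tzinfo=datetime.timezone.utc)

def parse_cert(der):
    _, cs, ce = tlv(der, 0)  # Certificate
    assert ce == len(der), "truncated DER or trailing bytes"
    f = list(children(der, *tlv(der, cs)[1:]))  # TBSCertificate fields
    i = 1 if f[0][0] == 0xA0 else 0  # skip the optional [0] EXPLICIT version
    cert = {"serial": int.from_bytes(der[f[i][1]:f[i][2]], "big"), "serial_hex": der[f[i][1]:f[i][2]].hex(),
            "issuer": name_cn(der, *f[i + 2][1:]), "subject": name_cn(der, *f[i + 4][1:]),
            "ca": False, "key_usage": [], "skid": None, "akid": None}
    cert["not_before"], cert["not_after"] = [asn1_time(t, der[s:e]) for t, s, e in children(der, *f[i + 3][1:])]
    _, bits = list(children(der, *f[i + 5][1:]))  # SubjectPublicKeyInfo = AlgorithmIdentifier, BIT STRING
    _, rs, re_ = tlv(der, bits[1] + 1)  # +1 skips the unused-bits byte; inside is RSAPublicKey
    n = next(children(der, rs, re_))  # first INTEGER is the modulus
    cert["rsa_bits"] = int.from_bytes(der[n[1]:n[2]], "big").bit_length()
    for tag, s, _ in f[i + 6:]:
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        for _, es, ee in children(der, *tlv(der, s)[1:]):
            parts = list(children(der, es, ee))  # OID, optional critical BOOLEAN, OCTET STRING
            oid, val = der[parts[0][1]:parts[0][2]], der[parts[-1][1]:parts[-1][2]]
            _, vs, ve = tlv(val, 0)
            if oid == OID_BC:  # BasicConstraints: a present, non-zero cA BOOLEAN means CA
                cert["ca"] = any(t == 0x01 and val[a:b] != b"\x00" for t, a, b in children(val, vs, ve))
            elif oid == OID_KU:  # KeyUsage BIT STRING; val[vs] is the unused-bit count
                cert["key_usage"] = [nm for k, nm in enumerate(KEY_USAGE)
                                     if vs + 1 + k // 8 < ve and val[vs + 1 + k // 8] & (0x80 >> k % 8)]
            elif oid == OID_SKID:
                cert["skid"] = val[vs:ve].hex()
            elif oid == OID_AKID:  # AuthorityKeyIdentifier: [0] keyIdentifier inside the SEQUENCE
                cert["akid"] = next((val[a:b].hex() for t, a, b in children(val, vs, ve) if t == 0x80), None)
    return cert

def load_livepatch_cert():
    return parse_cert(base64.b64decode("".join(LIVEPATCH_B64.split())))

def kernel_key_description(cert):
    """x509_key_preparse() names a built-in key "<subject>: <hex>" (SKID if present, else raw serial);
    this is the string `keyctl list %:.builtin_trusted_keys` or /proc/keys shows for the cert."""
    return f"{cert['subject']}: {cert['skid'] or cert['serial_hex']}"

def review(cert, on_date):
    """Checks to run before a key goes into SYSTEM_TRUSTED_KEYS; on_date is 'YYYY-MM-DD'."""
    now = datetime.datetime.fromisoformat(on_date).replace(tzinfo=datetime.timezone.utc)
    return {"self_signed": cert["issuer"] == cert["subject"] and cert["akid"] == cert["skid"],
            "is_ca": cert["ca"], "signing_only": cert["key_usage"] ==["digitalSignature"],
            "rsa_bits": cert["rsa_bits"], "valid_on_date": cert["not_before"] <= now <= cert["not_after"],
            "expires": cert["not_after"].date().isoformat()}

if __name__ == "__main__":
    print(kernel_key_description(load_livepatch_cert()), review(load_livepatch_cert(), "2021-02-19"))
```

Run it and compare the printed description with `keyctl list %:.builtin_trusted_keys` on a kernel built with this file in CONFIG_SYSTEM_TRUSTED_KEYS; the same walk works on any DER certificate, including the build-time key's certs/signing_key.x509 that Seth mentions. Note that the review() output is what the reviewer has to judge by hand: the kernel only checks the signature chain of a built-in key, not its validity dates.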
On 2/19/21 7:38 AM, Seth Forshee wrote:
> On Thu, Feb 18, 2021 at 12:12:46PM -0700, Tim Gardner wrote:
>> The way that kernels are signed in the deep, dark recesses of the private
>> kernel PPA has always been a bit of black magic to me. Given my ignorance,
>> exposing keys like this in source code seems like a bad idea. Can you
>> explain how they are being used? Will they ever expire or change?
>
> Effectively both are module signing keys. The keys are not "exposed."
> The public key will be baked into the kernel while the private key
> remains secret. The ephemeral build-time module signing key also has the
> public key statically built into the kernel keyring; only the private
> key is discarded.
>
> When these need to be rotated it's just a matter of putting the new keys
> in the next upload, at least on the kernel side.
>
> There probably is a small security cost to using these keys. At minimum
> a compromise of one of the keys affects more kernels. But this is also
> the case for the secure boot signing keys, so imo the impact is pretty
> marginal.
>
> Seth
>

I think I understand. I had not considered that the signing process is now using a static key pair instead of the kernel build time ephemeral key. We could dispense with the ephemeral key altogether and achieve the same result. For instance, it might be useful for signing DKMS modules as well. Wouldn't that reduce some of the current build and packaging complexity for out-of-tree modules supported by Ubuntu?

rtg

>>
>> rtg
>>
>> On 2/18/21 9:17 AM, Andy Whitcroft wrote:
>>> From: Dimitri John Ledkov <xnox@ubuntu.com>
>>> [...]
On Fri, Feb 19, 2021 at 07:54:05AM -0700, Tim Gardner wrote:
> On 2/19/21 7:38 AM, Seth Forshee wrote:
> > On Thu, Feb 18, 2021 at 12:12:46PM -0700, Tim Gardner wrote:
> > > [...]
> >
> > [...]
> >
> > Seth
> >
>
> I think I understand. I had not considered that the signing process is now
> using a static key pair instead of the kernel build time ephemeral key.

We do still use the build-time ephemeral key for the modules in the linux-modules packages; that will not change. I'm assuming we currently use a static key for livepatch; I don't actually know for sure. The signing of the kernel images themselves does not use an ephemeral key though.

> We
> could dispense with the ephemeral key altogether and achieve the same
> result. For instance, it might be useful for signing DKMS modules as well.
> Wouldn't that reduce some of the current build and packaging complexity for
> out-of-tree modules supported by Ubuntu?

Remember that we'd have to build new dkms modules for each new kernel version we upload, across all the kernels we support. We certainly wouldn't want to do that for a bunch of individual dkms packages. We could build them alongside the kernel like we do with zfs, but that comes with its own pain points (which is at least part of the impetus behind the module signing key). So another l-r-m style package would be the least bad option for prebuilt dkms modules. It wouldn't reduce packaging complexity as we'd likely build the modules from the dkms packages like we do for l-r-m. The real benefit would be for users who wouldn't have to build the modules locally and enrol a MOK.

Seth
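Seth says the linux-modules packages are still signed with the build-time ephemeral key and livepatch modules with the static key. Either way the signature travels the same way: appended to the .ko behind a fixed trailer, which the kernel validates before it consults any keyring. The following is an added example, not code from the kernel tree or from Ubuntu's packaging. It builds and then parses that trailer with the same checks as the kernel's module_sig_check()/mod_check_sig(), including the wrong-id_type and overrunning-length cases. The module bytes and the PKCS#7 blob are constructed placeholders (a real signature would be DER from scripts/sign-file); the magic string, the struct layout and PKEY_ID_PKCS7 are taken from include/linux/module_signature.h as I know it, so treat them as this example's assumption.

```python
import struct

# From include/linux/module_signature.h (assumed from that header, not stated in the thread).
MAGIC = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature { u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len; }
SIG_HDR = struct.Struct(">BBBBB3sI")

# Constructed stand-ins: neither is a real module nor a real PKCS#7 signature.
SAMPLE_MODULE = b"\x7fELF" + bytes(60) + b"placeholder .ko body, not a real kernel module\n"
SAMPLE_PKCS7 = b"\x30\x82\x01\x00" + bytes(range(256))


def append_signature(module: bytes, pkcs7_der: bytes) -> bytes:
    """Layout scripts/sign-file emits: module || PKCS#7 DER || module_signature || magic."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, bytes(3), len(pkcs7_der))
    return module + pkcs7_der + hdr + MAGIC


def split_signed_module(blob: bytes):
    """Undo append_signature with the checks the kernel applies before any key is consulted.
    Returns (module, pkcs7_der) or raises ValueError carrying the errno name the kernel uses."""
    if not blob.endswith(MAGIC):
        raise ValueError("ENODATA: unsigned module")  # module_sig_check(): no marker at all
    body = blob[:-len(MAGIC)]
    if len(body) <= SIG_HDR.size:
        raise ValueError("EBADMSG: no room for struct module_signature")
    algo, hsh, id_type, signer_len, key_id_len, pad, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    body = body[:-SIG_HDR.size]
    # mod_check_sig(): the signature must fit in front of the trailer (sig_len 0 would be
    # thrown out later by the PKCS#7 parser, so it is refused here as well).
    if sig_len == 0 or sig_len >= len(body):
        raise ValueError("EBADMSG: sig_len overruns the module")
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("ENOPKG: not signed with expected PKCS#7 message")
    if (algo, hsh, signer_len, key_id_len, pad) != (0, 0, 0, 0, bytes(3)):
        raise ValueError("EBADMSG: PKCS#7 signature info has unexpected non-zero params")
    # Only now would the kernel hand (module, pkcs7) to verify_pkcs7_signature() and the keyrings.
    return body[:-sig_len], body[-sig_len:]


def verdict(blob: bytes) -> str:
    """'OK' if the trailer is well formed, else the errno name the kernel would report."""
    try:
        split_signed_module(blob)
        return "OK"
    except ValueError as err:
        return str(err).split(":")[0]


if __name__ == "__main__":
    signed = append_signature(SAMPLE_MODULE, SAMPLE_PKCS7)
    print(verdict(signed), verdict(SAMPLE_MODULE), verdict(signed[:-1]))
```

On a real system `modinfo -F sig_key some.ko` prints the key identifier carried in the PKCS#7 SignerInfo; comparing it with the identifier of the built-in key is how you tell a livepatch-key signature from an ephemeral-build-key one. Note that a module with a merely malformed trailer is rejected with EBADMSG regardless of module.sig_enforce, whereas a module with no trailer at all is only rejected when signatures are enforced or lockdown is active.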
diff --git a/debian/certs/canonical-livepatch-all.pem b/debian/certs/canonical-livepatch-all.pem new file mode 100644 index 000000000000..3f360f74344d --- /dev/null +++ b/debian/certs/canonical-livepatch-all.pem 
@@ -0,0 +1,121 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c7:7e:51:6a:1c:25:cd:40 + Signature Algorithm: sha512WithRSAEncryption + Issuer: CN = Canonical Ltd. Live Patch Signing + Validity + Not Before: Jul 18 23:41:27 2016 GMT + Not After : Jul 16 23:41:27 2026 GMT + Subject: CN = Canonical Ltd. Live Patch Signing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:bd:74:ee:72:b3:4a:ab:e6:31:e8:29:24:c2:bd: + 46:98:32:c0:39:ee:a3:fb:8a:ad:fe:ab:1a:5b:a3: + 2e:a1:80:db:79:61:9e:47:79:2c:75:57:a2:21:f0: + 93:f6:87:f2:9b:4b:9d:2f:b3:58:61:28:3c:41:70: + 13:16:a1:72:90:c9:d5:16:71:7c:e0:30:f9:28:5e: + 48:20:36:00:69:b7:59:9f:a3:ec:a8:eb:55:41:9f: + 38:1e:22:4a:57:20:f4:83:59:49:c5:00:93:d3:33: + 02:92:d1:fc:f0:84:3b:4a:5b:8f:b6:73:9a:89:fa: + 30:1e:e6:2a:68:f2:91:ef:59:57:3d:dc:1c:52:6f: + 5e:e6:9b:b5:b8:7c:98:c9:13:d1:39:68:01:67:91: + e0:d3:67:72:16:0a:5e:16:83:45:31:4f:b5:2b:b3: + f6:40:86:89:3a:84:6e:6f:16:61:bc:70:84:be:5a: + 13:36:7b:82:ea:07:19:fc:18:c1:16:c6:32:0b:7d: + 2c:6b:c4:21:b9:38:6b:31:dc:d9:0c:ad:56:40:68: + 7c:e3:c6:64:8e:bf:1c:e0:72:3e:6c:db:d2:73:79: + da:d7:c5:2f:5d:04:7d:b0:07:1e:95:dd:2a:47:5e: + bf:3e:3a:c8:66:f6:67:0f:d4:2a:f1:e2:71:59:d2: + 6c:7b:a0:37:ac:e6:97:80:30:13:97:48:d5:74:fc: + 38:68:e4:57:cb:99:69:5a:84:27:ac:98:51:e4:64: + bd:91:62:e8:58:27:06:2a:b9:0b:b8:08:e5:e5:b4: + 51:a7:a2:10:df:4e:07:6c:a0:3b:96:f2:6e:df:75: + 8c:97:1e:64:a0:9a:86:9b:98:26:f9:d8:b7:de:5b: + 21:b7:af:89:01:a3:f7:98:6b:da:19:ba:86:ef:ef: + f1:ce:bb:2f:89:ed:c0:b6:1b:e5:5b:f8:90:11:9a: + 52:93:e9:be:f7:35:b9:08:cb:ba:c3:ed:2f:73:af: + cc:96:07:55:b5:de:f6:03:f6:f1:89:f9:21:40:76: + c1:69:f2:61:cc:9a:94:df:9c:ec:6a:65:38:be:d1: + 4e:2a:87:c7:2f:3e:53:ae:8b:9f:54:a1:09:59:64: + 25:aa:a9:d8:44:a9:a8:a0:71:e1:32:aa:4c:32:fd: + 44:28:cc:9c:6f:8e:db:81:7e:6f:fa:00:56:c5:e5: + 03:46:63:fb:8e:71:8d:e3:13:91:9f:ac:60:3e:64: + f3:df:25:34:09:fa:2d:96:9f:16:05:ea:93:f5:e6: + 
00:08:27:32:7b:3c:bd:ee:70:24:6c:3b:55:e9:db: + f4:10:2d:20:06:b4:ca:e9:29:65:55:ad:f6:52:54: + 5f:e5:a3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: + Digital Signature + X509v3 Subject Key Identifier: + 14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69 + X509v3 Authority Key Identifier: + keyid:14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69 + + Signature Algorithm: sha512WithRSAEncryption + 30:e7:48:02:37:e9:28:cf:04:a2:4d:5c:fa:d8:4e:c9:76:c7: + 14:3f:bd:2c:51:3d:33:f0:1a:bc:49:f1:47:95:8f:69:d8:a9: + 54:14:44:6c:4d:9f:55:82:08:1e:c6:5b:d5:91:d9:bc:2e:b0: + af:d6:25:65:74:96:aa:36:de:ae:31:a8:11:f2:a4:2c:5a:e1: + 4f:73:f8:4a:c3:35:b0:76:96:71:f2:b5:7d:4b:75:ee:5d:bf: + 86:a5:ba:0b:a9:52:cb:ec:ab:e5:23:4b:f2:74:55:28:17:1e: + b3:ac:27:ad:45:13:6e:69:b3:5a:be:42:36:29:48:db:e7:5c: + 22:58:a0:90:82:2c:2a:21:2b:db:f4:64:b7:91:5d:1f:2c:48: + a4:1a:85:e3:86:a5:aa:19:cd:19:e8:a5:fb:a3:7b:94:77:48: + 25:a4:cf:a0:cf:71:82:5c:6f:71:22:7c:d6:97:a0:53:bb:ec: + 30:f6:cb:16:fb:7b:fd:16:94:7a:53:6e:bd:04:64:a2:01:10: + 9f:f0:5b:b5:a6:73:41:9d:5f:6f:45:73:0d:05:f7:30:6d:39: + 90:b6:7d:55:7d:4c:2f:ae:5f:38:56:2f:8b:df:f4:bf:12:06: + 93:6e:0d:02:23:bf:71:91:57:88:e8:bd:62:72:99:00:40:29: + 1e:c9:13:11:da:7e:8e:e1:d2:a5:0d:bf:f7:d6:ec:01:0d:89: + 41:cd:d5:dc:d2:f7:5f:33:0d:4c:2f:85:b7:85:b7:81:e4:17: + 29:f0:74:cf:0e:15:8c:1a:50:0b:08:63:1a:91:4f:e7:76:97: + f1:d4:3b:7e:72:d4:c5:45:58:0c:6a:e9:0d:f2:85:d8:91:1e: + 37:bd:78:e3:39:4d:2e:fd:85:31:c1:a6:3b:6a:cc:2c:53:72: + 1d:8e:7b:f0:e6:76:86:09:6f:1a:f3:e4:a1:e2:dd:76:5f:b0: + 8c:e2:2a:54:5d:c1:88:49:90:10:15:42:7d:05:24:53:8c:54: + ff:48:18:1a:36:e3:31:d3:54:32:78:0d:fe:f2:3d:aa:0d:37: + 15:84:b4:36:47:31:e8:85:6e:0b:58:38:ff:21:91:09:c9:a8: + 43:a3:ea:60:cb:7e:ed:f7:41:6f:4e:91:c1:fd:77:46:e7:d4: + e7:86:c0:1b:fd:50:6c:aa:be:00:b3:63:02:ff:4e:c7:a5:57: + 6e:29:64:e9:54:d5:30:63:38:5f:2d:5a:db:49:5f:14:14:22: + 
d2:81:1f:61:9e:ee:ee:16:66:d6:bc:bd:ac:1b:5c:fb:38:31: + 95:33:2e:84:6e:7a:de:ee:b9:fc:97:17:06:13:bf:70:1c:6e: + 76:ed:66:38:e2:70:08:00 +-----BEGIN CERTIFICATE----- +MIIFODCCAyCgAwIBAgIJAMd+UWocJc1AMA0GCSqGSIb3DQEBDQUAMCwxKjAoBgNV +BAMMIUNhbm9uaWNhbCBMdGQuIExpdmUgUGF0Y2ggU2lnbmluZzAeFw0xNjA3MTgy +MzQxMjdaFw0yNjA3MTYyMzQxMjdaMCwxKjAoBgNVBAMMIUNhbm9uaWNhbCBMdGQu +IExpdmUgUGF0Y2ggU2lnbmluZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBAL107nKzSqvmMegpJMK9RpgywDnuo/uKrf6rGlujLqGA23lhnkd5LHVXoiHw +k/aH8ptLnS+zWGEoPEFwExahcpDJ1RZxfOAw+SheSCA2AGm3WZ+j7KjrVUGfOB4i +Slcg9INZScUAk9MzApLR/PCEO0pbj7Zzmon6MB7mKmjyke9ZVz3cHFJvXuabtbh8 +mMkT0TloAWeR4NNnchYKXhaDRTFPtSuz9kCGiTqEbm8WYbxwhL5aEzZ7guoHGfwY +wRbGMgt9LGvEIbk4azHc2QytVkBofOPGZI6/HOByPmzb0nN52tfFL10EfbAHHpXd +Kkdevz46yGb2Zw/UKvHicVnSbHugN6zml4AwE5dI1XT8OGjkV8uZaVqEJ6yYUeRk +vZFi6FgnBiq5C7gI5eW0UaeiEN9OB2ygO5bybt91jJceZKCahpuYJvnYt95bIbev +iQGj95hr2hm6hu/v8c67L4ntwLYb5Vv4kBGaUpPpvvc1uQjLusPtL3OvzJYHVbXe +9gP28Yn5IUB2wWnyYcyalN+c7GplOL7RTiqHxy8+U66Ln1ShCVlkJaqp2ESpqKBx +4TKqTDL9RCjMnG+O24F+b/oAVsXlA0Zj+45xjeMTkZ+sYD5k898lNAn6LZafFgXq +k/XmAAgnMns8ve5wJGw7Venb9BAtIAa0yukpZVWt9lJUX+WjAgMBAAGjXTBbMAwG +A1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQU3zTRqHzzdiWr7AOe +8r9SEkm5aTAfBgNVHSMEGDAWgBQU3zTRqHzzdiWr7AOe8r9SEkm5aTANBgkqhkiG +9w0BAQ0FAAOCAgEAMOdIAjfpKM8Eok1c+thOyXbHFD+9LFE9M/AavEnxR5WPadip +VBREbE2fVYIIHsZb1ZHZvC6wr9YlZXSWqjberjGoEfKkLFrhT3P4SsM1sHaWcfK1 +fUt17l2/hqW6C6lSy+yr5SNL8nRVKBces6wnrUUTbmmzWr5CNilI2+dcIligkIIs +KiEr2/Rkt5FdHyxIpBqF44alqhnNGeil+6N7lHdIJaTPoM9xglxvcSJ81pegU7vs +MPbLFvt7/RaUelNuvQRkogEQn/BbtaZzQZ1fb0VzDQX3MG05kLZ9VX1ML65fOFYv +i9/0vxIGk24NAiO/cZFXiOi9YnKZAEApHskTEdp+juHSpQ2/99bsAQ2JQc3V3NL3 +XzMNTC+Ft4W3geQXKfB0zw4VjBpQCwhjGpFP53aX8dQ7fnLUxUVYDGrpDfKF2JEe +N7144zlNLv2FMcGmO2rMLFNyHY578OZ2hglvGvPkoeLddl+wjOIqVF3BiEmQEBVC +fQUkU4xU/0gYGjbjMdNUMngN/vI9qg03FYS0Nkcx6IVuC1g4/yGRCcmoQ6PqYMt+ +7fdBb06Rwf13RufU54bAG/1QbKq+ALNjAv9Ox6VXbilk6VTVMGM4Xy1a20lfFBQi 
+0oEfYZ7u7hZm1ry9rBtc+zgxlTMuhG563u65/JcXBhO/cBxudu1mOOJwCAA= +-----END CERTIFICATE-----
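Review bot: the commit message says the key is added to SYSTEM_TRUSTED_KEYS, but this hunk only creates debian/certs/canonical-livepatch-all.pem (the diffstat shows 1 file changed) and nothing in the diff wires debian/certs/ into CONFIG_SYSTEM_TRUSTED_KEYS, so the message should name the series patch that does; the "[apw@canonical.com: move certification to cert framework.]" line presumably refers to it, and "certification" should read "certificate". The message should also record what the dump shows, since reviewers asked: a self-signed certificate (Issuer and Subject are both "CN = Canonical Ltd. Live Patch Signing" and the Authority Key Identifier equals the Subject Key Identifier 14:DF:34:D1:...:B9:69), CA:FALSE, Key Usage limited to Digital Signature, RSA 4096 with sha512WithRSAEncryption, valid until Jul 16 23:41:27 2026 GMT. Because a built-in key can only be replaced by a new kernel upload, a sentence on who owns rotation before that date belongs in the message as well.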