From patchwork Thu Feb 18 15:08:49 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 1441688 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DhJ5J6fqBz9sRf; Fri, 19 Feb 2021 02:09:08 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lCkvN-00049Z-Ob; Thu, 18 Feb 2021 15:09:01 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCkvM-00048t-O8 for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 15:09:00 +0000 Received: from mail-wm1-f71.google.com ([209.85.128.71]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCkvM-00052Y-FN for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 15:09:00 +0000 Received: by mail-wm1-f71.google.com with SMTP id i4so3524828wmb.0 for ; Thu, 18 Feb 2021 07:09:00 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=ShmHWiVvucA3z6SDChOYpFY5y0cEqBpA+DJdaXEbsQE=; b=KENJ+o3U8F8GYJYsLrq8KWfX3orUW74KBPFgBKrvAMzzaXHxBhKrr+GggRrcka3pNI YSYpjMFxKzGU9Drr0FzMMlO7YAz+IJ1yS4j9FkL34pwCQjvbj039J2QMZadClhGG+Otj ppRrnLhiOIYlrSiYcWEcAcJbwnJlK/nrTKf6ix+jjOhY50t4+Qbi8Un+X1nq8HWFSBJd mGw3dcmG+8qtOEQr4tleFIe4RzBA/U6ZRF9KkV0k65t8/Spd38ydZXJIUpZE9WzzXGTc F0BF0d0qT0XrxAci96VXcfO4pKyxVqtT7/t0OrIbW7vNLYOHZdABON04X4YhruSSsVEq HINg== X-Gm-Message-State: AOAM533sr0fjiqPhoLRCqVydvQNFh1t3JJLOToKbbihv4eOYtSrrqLSV uTr5rHgoG4xeaI91Buhs5+1n+Y2OuT2+ckYxbd+0Mwb3c/YlAP3PA3aWKCyf12k8TavSwV4BEi9 ITigS1dmH0Ncz+SNcpMC0aUTG1RBByRFWNVpCvTsg1Q== X-Received: by 2002:a05:600c:2248:: with SMTP id a8mr3936797wmm.167.1613660939619; Thu, 18 Feb 2021 07:08:59 -0800 (PST) X-Google-Smtp-Source: ABdhPJyIi/FltxtqJv1iy0dHBrWxVhzsnPnzG6q+rTxXNr23eAhk78/nl4hKYyQ1Z/JspTK6qRIOmQ== X-Received: by 2002:a05:600c:2248:: with SMTP id a8mr3936771wmm.167.1613660939247; Thu, 18 Feb 2021 07:08:59 -0800 (PST) Received: from localhost ([2001:470:6973:2:7265:4c61:1a73:4148]) by smtp.gmail.com with ESMTPSA id m23sm7851225wmc.31.2021.02.18.07.08.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Feb 2021 07:08:58 -0800 (PST) From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [bionic:linux 1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y Date: Thu, 18 Feb 2021 15:08:49 +0000 Message-Id: <20210218150856.1807354-2-apw@canonical.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210218150856.1807354-1-apw@canonical.com> References: <20210218150856.1807354-1-apw@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Andy Whitcroft Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" In order to support the livepatch key we need to ensure we do not allow that key to load modules which are not for the specific kernel. From the documentation on kernel module signing: If you use the same private key to sign modules for multiple kernel configurations, you must ensure that the module version information is sufficient to prevent loading a module into a different kernel. Either set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a different kernel release string by changing ``EXTRAVERSION`` or ``CONFIG_LOCALVERSION``. BugLink: https://bugs.launchpad.net/bugs/1898716 Signed-off-by: Andy Whitcroft --- debian.master/config/annotations | 4 +++- debian.master/config/config.common.ubuntu | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 52fa132d2063..4f2972daee7e 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -8612,9 +8612,11 @@ CONFIG_MODULES policy<{'amd64': 'y', 'arm64': ' CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_MODULE_UNLOAD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_FORCE_UNLOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> -CONFIG_MODVERSIONS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> +CONFIG_MODVERSIONS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_SRCVERSION_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_COMPRESS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> +# +CONFIG_MODVERSIONS mark note # Menu: Enable loadable module support >> Compression algorithm diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 3ef3d8d6a2d8..f2a8b2e49b53 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SRCVERSION_ALL=y CONFIG_MODULE_UNLOAD=y -# CONFIG_MODVERSIONS is not set +CONFIG_MODVERSIONS=y CONFIG_MONREADER=m CONFIG_MONWRITER=m CONFIG_MOST=m From patchwork Thu Feb 18 15:08:50 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 1441687 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DhJ5H5pRWz9sCD; Fri, 19 Feb 2021 02:09:07 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lCkvQ-0004B6-4B; Thu, 18 Feb 2021 15:09:04 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lCkvO-00049n-87 for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 15:09:02 +0000 Received: from mail-wr1-f72.google.com ([209.85.221.72]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCkvN-000537-Vi for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 15:09:02 +0000 Received: by mail-wr1-f72.google.com with SMTP id e11so1064329wro.19 for ; Thu, 18 Feb 2021 07:09:01 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=tKxIEcw3QPfScyAJvzXWrVNqjEduye/VFhXbBjYxS4w=; b=shW0P7RHgYmX0CdG23+2Mr+6XlE+SUp43N6CYqqnxKQjRuvfiXU2QGTvXftH/VPaxy GKLxW/W3SkpMtOFqH+MT53E6V+C6o8CpyVhXng3XNDNxc5MYO/36Uld5pD6Cak5q1RRA vqooQw8O3BCi8Iw7zTA6Ja2zy+t9Dq6vADX5ZcY2b5jRScoxJJiIawYZQbsj3AAlCMES QHk8G5tQFKEOQgUynuUBHUC6YQJ/4XW7DBS3kwOR9UhZ+KHlKVyWO8xNUXHkg+Npq/Xn MOj6R8qbc/hAXiLIx0AOFAV7WSAPoZmHJ+RDtP2q9wTrzR1G5yT4aKCBpF7Vmkgo7ePs Gj/Q== X-Gm-Message-State: AOAM532jGagWCQE2/5bLMYfTIEM5BlupmmH9Jk6k8rORnv03DnGOcCU+ /QaJy1qOhUhxcF+fQjdl3b26aHYWxHNEw/paXxlWzV2z2o3cg5HjqdOTbLXC8wYgcNFJ//RYS+u ZjXlYechOPIVsrLVLWCMkhdZuapskGrcJJAJDCSMSgQ== X-Received: by 2002:adf:ee84:: with SMTP id b4mr4665723wro.339.1613660941354; Thu, 18 Feb 2021 07:09:01 -0800 (PST) X-Google-Smtp-Source: ABdhPJwiczwKt83VmnIbkZP2Q7+N7l0IvhJHJbDbHLaUIULgTcsbbF2SWvYU10O56BGTxDu+L/izSg== X-Received: by 2002:adf:ee84:: with SMTP id b4mr4665702wro.339.1613660941086; Thu, 18 Feb 2021 07:09:01 -0800 (PST) Received: from localhost ([2001:470:6973:2:7265:4c61:1a73:4148]) by smtp.gmail.com with ESMTPSA id l1sm7926396wmi.48.2021.02.18.07.09.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Feb 2021 07:09:00 -0800 (PST) From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [bionic:linux 2/4] UBUNTU: [Packaging] build canonical-certs.pem from branch/arch certs Date: Thu, 18 Feb 2021 15:08:50 +0000 Message-Id: <20210218150856.1807354-3-apw@canonical.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210218150856.1807354-1-apw@canonical.com> References: <20210218150856.1807354-1-apw@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Andy Whitcroft Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" Merge common, branch-specific, and arch-specific certs and form a certs database for inclusion in the kernel keyring. BugLink: https://bugs.launchpad.net/bugs/1898716 Signed-off-by: Andy Whitcroft --- debian.master/config/annotations | 2 +- debian.master/config/config.common.ubuntu | 2 +- debian/rules | 14 +++++++++++++- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 4f2972daee7e..3315e1e9abe5 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -493,7 +493,7 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING mark # Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'i386': '""', 'ppc64el': '""', 's390x': '""'}> +CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'i386': '"debian/canonical-certs"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'i386': '4096', 'ppc64el': '4096', 's390x': '4096'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index f2a8b2e49b53..f58c2b343ceb 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -9018,7 +9018,7 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSVIPC=y CONFIG_SYSVIPC_COMPAT=y CONFIG_SYSVIPC_SYSCTL=y diff --git a/debian/rules b/debian/rules index 00a5348f1c7a..bb8b4e81360b 100755 --- a/debian/rules +++ b/debian/rules @@ -126,7 +126,7 @@ binary: binary-indep binary-arch build: build-arch build-indep -clean: debian/control +clean: debian/control debian/canonical-certs.pem dh_testdir dh_testroot dh_clean @@ -210,3 +210,15 @@ debian/control: $(DEBIAN)/control.stub LANG=C kernel-wedge gen-control $(release)-$(abinum) | \ perl -f $(DROOT)/scripts/misc/kernel-wedge-arch.pl $(arch) \ >>$(CURDIR)/debian/control + +debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DROOT)/certs/*-$(arch).pem) $(wildcard $(DEBIAN)/cert/*-all.pem) $(wildcard $(DEBIAN)/cert/*-$(arch).pem) + for cert in $(sort $(notdir $^)); \ + do \ + for dir in $(DEBIAN) $(DROOT); \ + do \ + if [ -f "$$dir/certs/$$cert" ]; then \ + cat "$$dir/certs/$$cert"; \ + break; \ + fi; \ + done; \ + done >"$@" From patchwork Thu Feb 18 15:08:55 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 1441693 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DhJ5V50JSz9sVF; Fri, 19 Feb 2021 02:09:18 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lCkva-0004JN-IR; Thu, 18 Feb 2021 15:09:14 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCkvW-0004GH-W2 for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 15:09:11 +0000 Received: from mail-wr1-f72.google.com ([209.85.221.72]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCkvW-00054S-Iv for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 15:09:10 +0000 Received: by mail-wr1-f72.google.com with SMTP id o10so1099717wru.11 for ; Thu, 18 Feb 2021 07:09:10 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=943nHkg7XFzxlGC9g8p2xnXo7nK1BJbO7U9YwDuP9RI=; b=aUfZYQMzDhKpUaageoUXGCtXxma3ApFfMelimHxHLorMrNTNAPVVJRN2Pmn7PT8a/g N2QLwmNvRkvSj1L6SzEWwa23CgMsLe1WxFlICVo3Lg9mgqs2v/Hl0ddiTcvpdQTnt7SA /BWKZ1+z7zrJSLtawju1MxrAsjFDrXCaFDq1dhEeqaarQqmKz7u59Q9hdzEzr6KxjJnm DiwAvu+8mQS/rAeYMa2MQIRxPL1vFXUxOszZw/SQllgnz32H18KRooMyeqEt/HZa8k/E oCcwdNy1ajR2pp8ARKh3FLPqtfDXRuPRe6BjYv1ibUZejKinMbPro4q/enlv2iENNP0H tKAA== X-Gm-Message-State: AOAM531oeYrbthxALBsx8w98JssOXEeTytBayatGBHPbyRa5zMlIUY4W psgzMiGQdCkMdFg4/kCIFRyWwstnDuvoUrhroK3ukM4aTBKKFfRh9LKPfZZK79IESAsEBm7NRlK Riso0l1VrdYsT/caHTZ6E9rhpHh9MXIQmEMTFkgae6g== X-Received: by 2002:a05:6000:18ac:: with SMTP id b12mr4815431wri.77.1613660949692; Thu, 18 Feb 2021 07:09:09 -0800 (PST) X-Google-Smtp-Source: ABdhPJxq1sQUSF/aD/p8Lxu6Cwfn2/ghmGOZ9Y1T6xNOLz4ddZc+OciIjIzLiXqAkSwGoEOpTnEJxA== X-Received: by 2002:a05:6000:18ac:: with SMTP id b12mr4815404wri.77.1613660949341; Thu, 18 Feb 2021 07:09:09 -0800 (PST) Received: from localhost ([2001:470:6973:2:7265:4c61:1a73:4148]) by smtp.gmail.com with ESMTPSA id c128sm7743636wma.37.2021.02.18.07.09.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Feb 2021 07:09:08 -0800 (PST) From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [{bionic, focal, groovy}:linux 3/4] UBUNTU: [Config] add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS Date: Thu, 18 Feb 2021 15:08:55 +0000 Message-Id: <20210218150856.1807354-8-apw@canonical.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210218150856.1807354-1-apw@canonical.com> References: <20210218150856.1807354-1-apw@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Andy Whitcroft Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Dimitri John Ledkov Add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS, such that livepatch modules signed by Canonical are trusted out of the box, on locked-down secureboot systems. BugLink: https://bugs.launchpad.net/bugs/1898716 Signed-off-by: Dimitri John Ledkov [apw@canonical.com: move certification to cert framework.] Signed-off-by: Andy Whitcroft --- debian/certs/canonical-livepatch-all.pem | 121 +++++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 debian/certs/canonical-livepatch-all.pem diff --git a/debian/certs/canonical-livepatch-all.pem b/debian/certs/canonical-livepatch-all.pem new file mode 100644 index 000000000000..3f360f74344d --- /dev/null +++ b/debian/certs/canonical-livepatch-all.pem @@ -0,0 +1,121 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c7:7e:51:6a:1c:25:cd:40 + Signature Algorithm: sha512WithRSAEncryption + Issuer: CN = Canonical Ltd. Live Patch Signing + Validity + Not Before: Jul 18 23:41:27 2016 GMT + Not After : Jul 16 23:41:27 2026 GMT + Subject: CN = Canonical Ltd. Live Patch Signing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:bd:74:ee:72:b3:4a:ab:e6:31:e8:29:24:c2:bd: + 46:98:32:c0:39:ee:a3:fb:8a:ad:fe:ab:1a:5b:a3: + 2e:a1:80:db:79:61:9e:47:79:2c:75:57:a2:21:f0: + 93:f6:87:f2:9b:4b:9d:2f:b3:58:61:28:3c:41:70: + 13:16:a1:72:90:c9:d5:16:71:7c:e0:30:f9:28:5e: + 48:20:36:00:69:b7:59:9f:a3:ec:a8:eb:55:41:9f: + 38:1e:22:4a:57:20:f4:83:59:49:c5:00:93:d3:33: + 02:92:d1:fc:f0:84:3b:4a:5b:8f:b6:73:9a:89:fa: + 30:1e:e6:2a:68:f2:91:ef:59:57:3d:dc:1c:52:6f: + 5e:e6:9b:b5:b8:7c:98:c9:13:d1:39:68:01:67:91: + e0:d3:67:72:16:0a:5e:16:83:45:31:4f:b5:2b:b3: + f6:40:86:89:3a:84:6e:6f:16:61:bc:70:84:be:5a: + 13:36:7b:82:ea:07:19:fc:18:c1:16:c6:32:0b:7d: + 2c:6b:c4:21:b9:38:6b:31:dc:d9:0c:ad:56:40:68: + 7c:e3:c6:64:8e:bf:1c:e0:72:3e:6c:db:d2:73:79: + da:d7:c5:2f:5d:04:7d:b0:07:1e:95:dd:2a:47:5e: + bf:3e:3a:c8:66:f6:67:0f:d4:2a:f1:e2:71:59:d2: + 6c:7b:a0:37:ac:e6:97:80:30:13:97:48:d5:74:fc: + 38:68:e4:57:cb:99:69:5a:84:27:ac:98:51:e4:64: + bd:91:62:e8:58:27:06:2a:b9:0b:b8:08:e5:e5:b4: + 51:a7:a2:10:df:4e:07:6c:a0:3b:96:f2:6e:df:75: + 8c:97:1e:64:a0:9a:86:9b:98:26:f9:d8:b7:de:5b: + 21:b7:af:89:01:a3:f7:98:6b:da:19:ba:86:ef:ef: + f1:ce:bb:2f:89:ed:c0:b6:1b:e5:5b:f8:90:11:9a: + 52:93:e9:be:f7:35:b9:08:cb:ba:c3:ed:2f:73:af: + cc:96:07:55:b5:de:f6:03:f6:f1:89:f9:21:40:76: + c1:69:f2:61:cc:9a:94:df:9c:ec:6a:65:38:be:d1: + 4e:2a:87:c7:2f:3e:53:ae:8b:9f:54:a1:09:59:64: + 25:aa:a9:d8:44:a9:a8:a0:71:e1:32:aa:4c:32:fd: + 44:28:cc:9c:6f:8e:db:81:7e:6f:fa:00:56:c5:e5: + 03:46:63:fb:8e:71:8d:e3:13:91:9f:ac:60:3e:64: + f3:df:25:34:09:fa:2d:96:9f:16:05:ea:93:f5:e6: + 00:08:27:32:7b:3c:bd:ee:70:24:6c:3b:55:e9:db: + f4:10:2d:20:06:b4:ca:e9:29:65:55:ad:f6:52:54: + 5f:e5:a3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: + Digital Signature + X509v3 Subject Key Identifier: + 14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69 + X509v3 Authority Key Identifier: + keyid:14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69 + + Signature Algorithm: sha512WithRSAEncryption + 30:e7:48:02:37:e9:28:cf:04:a2:4d:5c:fa:d8:4e:c9:76:c7: + 14:3f:bd:2c:51:3d:33:f0:1a:bc:49:f1:47:95:8f:69:d8:a9: + 54:14:44:6c:4d:9f:55:82:08:1e:c6:5b:d5:91:d9:bc:2e:b0: + af:d6:25:65:74:96:aa:36:de:ae:31:a8:11:f2:a4:2c:5a:e1: + 4f:73:f8:4a:c3:35:b0:76:96:71:f2:b5:7d:4b:75:ee:5d:bf: + 86:a5:ba:0b:a9:52:cb:ec:ab:e5:23:4b:f2:74:55:28:17:1e: + b3:ac:27:ad:45:13:6e:69:b3:5a:be:42:36:29:48:db:e7:5c: + 22:58:a0:90:82:2c:2a:21:2b:db:f4:64:b7:91:5d:1f:2c:48: + a4:1a:85:e3:86:a5:aa:19:cd:19:e8:a5:fb:a3:7b:94:77:48: + 25:a4:cf:a0:cf:71:82:5c:6f:71:22:7c:d6:97:a0:53:bb:ec: + 30:f6:cb:16:fb:7b:fd:16:94:7a:53:6e:bd:04:64:a2:01:10: + 9f:f0:5b:b5:a6:73:41:9d:5f:6f:45:73:0d:05:f7:30:6d:39: + 90:b6:7d:55:7d:4c:2f:ae:5f:38:56:2f:8b:df:f4:bf:12:06: + 93:6e:0d:02:23:bf:71:91:57:88:e8:bd:62:72:99:00:40:29: + 1e:c9:13:11:da:7e:8e:e1:d2:a5:0d:bf:f7:d6:ec:01:0d:89: + 41:cd:d5:dc:d2:f7:5f:33:0d:4c:2f:85:b7:85:b7:81:e4:17: + 29:f0:74:cf:0e:15:8c:1a:50:0b:08:63:1a:91:4f:e7:76:97: + f1:d4:3b:7e:72:d4:c5:45:58:0c:6a:e9:0d:f2:85:d8:91:1e: + 37:bd:78:e3:39:4d:2e:fd:85:31:c1:a6:3b:6a:cc:2c:53:72: + 1d:8e:7b:f0:e6:76:86:09:6f:1a:f3:e4:a1:e2:dd:76:5f:b0: + 8c:e2:2a:54:5d:c1:88:49:90:10:15:42:7d:05:24:53:8c:54: + ff:48:18:1a:36:e3:31:d3:54:32:78:0d:fe:f2:3d:aa:0d:37: + 15:84:b4:36:47:31:e8:85:6e:0b:58:38:ff:21:91:09:c9:a8: + 43:a3:ea:60:cb:7e:ed:f7:41:6f:4e:91:c1:fd:77:46:e7:d4: + e7:86:c0:1b:fd:50:6c:aa:be:00:b3:63:02:ff:4e:c7:a5:57: + 6e:29:64:e9:54:d5:30:63:38:5f:2d:5a:db:49:5f:14:14:22: + d2:81:1f:61:9e:ee:ee:16:66:d6:bc:bd:ac:1b:5c:fb:38:31: + 95:33:2e:84:6e:7a:de:ee:b9:fc:97:17:06:13:bf:70:1c:6e: + 76:ed:66:38:e2:70:08:00 +-----BEGIN CERTIFICATE----- +MIIFODCCAyCgAwIBAgIJAMd+UWocJc1AMA0GCSqGSIb3DQEBDQUAMCwxKjAoBgNV +BAMMIUNhbm9uaWNhbCBMdGQuIExpdmUgUGF0Y2ggU2lnbmluZzAeFw0xNjA3MTgy +MzQxMjdaFw0yNjA3MTYyMzQxMjdaMCwxKjAoBgNVBAMMIUNhbm9uaWNhbCBMdGQu +IExpdmUgUGF0Y2ggU2lnbmluZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBAL107nKzSqvmMegpJMK9RpgywDnuo/uKrf6rGlujLqGA23lhnkd5LHVXoiHw +k/aH8ptLnS+zWGEoPEFwExahcpDJ1RZxfOAw+SheSCA2AGm3WZ+j7KjrVUGfOB4i +Slcg9INZScUAk9MzApLR/PCEO0pbj7Zzmon6MB7mKmjyke9ZVz3cHFJvXuabtbh8 +mMkT0TloAWeR4NNnchYKXhaDRTFPtSuz9kCGiTqEbm8WYbxwhL5aEzZ7guoHGfwY +wRbGMgt9LGvEIbk4azHc2QytVkBofOPGZI6/HOByPmzb0nN52tfFL10EfbAHHpXd +Kkdevz46yGb2Zw/UKvHicVnSbHugN6zml4AwE5dI1XT8OGjkV8uZaVqEJ6yYUeRk +vZFi6FgnBiq5C7gI5eW0UaeiEN9OB2ygO5bybt91jJceZKCahpuYJvnYt95bIbev +iQGj95hr2hm6hu/v8c67L4ntwLYb5Vv4kBGaUpPpvvc1uQjLusPtL3OvzJYHVbXe +9gP28Yn5IUB2wWnyYcyalN+c7GplOL7RTiqHxy8+U66Ln1ShCVlkJaqp2ESpqKBx +4TKqTDL9RCjMnG+O24F+b/oAVsXlA0Zj+45xjeMTkZ+sYD5k898lNAn6LZafFgXq +k/XmAAgnMns8ve5wJGw7Venb9BAtIAa0yukpZVWt9lJUX+WjAgMBAAGjXTBbMAwG +A1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQU3zTRqHzzdiWr7AOe +8r9SEkm5aTAfBgNVHSMEGDAWgBQU3zTRqHzzdiWr7AOe8r9SEkm5aTANBgkqhkiG +9w0BAQ0FAAOCAgEAMOdIAjfpKM8Eok1c+thOyXbHFD+9LFE9M/AavEnxR5WPadip +VBREbE2fVYIIHsZb1ZHZvC6wr9YlZXSWqjberjGoEfKkLFrhT3P4SsM1sHaWcfK1 +fUt17l2/hqW6C6lSy+yr5SNL8nRVKBces6wnrUUTbmmzWr5CNilI2+dcIligkIIs +KiEr2/Rkt5FdHyxIpBqF44alqhnNGeil+6N7lHdIJaTPoM9xglxvcSJ81pegU7vs +MPbLFvt7/RaUelNuvQRkogEQn/BbtaZzQZ1fb0VzDQX3MG05kLZ9VX1ML65fOFYv +i9/0vxIGk24NAiO/cZFXiOi9YnKZAEApHskTEdp+juHSpQ2/99bsAQ2JQc3V3NL3 +XzMNTC+Ft4W3geQXKfB0zw4VjBpQCwhjGpFP53aX8dQ7fnLUxUVYDGrpDfKF2JEe +N7144zlNLv2FMcGmO2rMLFNyHY578OZ2hglvGvPkoeLddl+wjOIqVF3BiEmQEBVC +fQUkU4xU/0gYGjbjMdNUMngN/vI9qg03FYS0Nkcx6IVuC1g4/yGRCcmoQ6PqYMt+ +7fdBb06Rwf13RufU54bAG/1QbKq+ALNjAv9Ox6VXbilk6VTVMGM4Xy1a20lfFBQi +0oEfYZ7u7hZm1ry9rBtc+zgxlTMuhG563u65/JcXBhO/cBxudu1mOOJwCAA= +-----END CERTIFICATE----- From patchwork Thu Feb 18 15:08:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 1441694 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DhJ5Z6lnqz9sVF; Fri, 19 Feb 2021 02:09:22 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lCkvf-0004Nr-JP; Thu, 18 Feb 2021 15:09:19 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCkvZ-0004Hh-6w for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 15:09:13 +0000 Received: from mail-wr1-f72.google.com ([209.85.221.72]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCkvX-00054e-UG for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 15:09:11 +0000 Received: by mail-wr1-f72.google.com with SMTP id s18so1130877wrf.0 for ; Thu, 18 Feb 2021 07:09:11 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=2dWDz2XbRCCihVCncH1LsqH/6cbyIvfvQCtFCEU85AQ=; b=h8+udjFUMcn84WRo99buwEfFyEbmfXaQqJPOj7b09+AGFyg6zKGlkl2KvjpQVwwLE6 OZ1HLWEVEyDWte9dadrXXKeCx6w0ooURnt6+h9akmsrRskizT6KEiyPtf3xYjzv4gxT0 jxiuHm5wIN2gniWmQ8BE9IqJlY0mPT5Si29mwYpHNDDIteYYRc2gymOq22oOLDIs6Lkf HSD0OSE6ZY12VwxwBsRJB8pzpvurapZER5LxHBpj2N6rWmGpQUajyLVTpx4RGM7p+q4D cDGCh0YbHH9MRCIJ8EZoDX9Y4eXmgolW/vXbeeEPeu3lXTIo9L8+DiCOYNJVNT66bhTg OAyw== X-Gm-Message-State: AOAM531XOAM0dE8uRHnQIiUJmAOHEpiPd6TBVKll/+ensbPdRlWG0ozO qzUkv76EIHNOJqYu0KONxWVIGbrdn6cqwNszoZu9ALDHnTa9L5317KaVLpsFkw9axf/vXTvHbUk AeFhd8taQGxAbm9RT1lk4k27jeEfLji4YhVBSLcrHgQ== X-Received: by 2002:adf:d218:: with SMTP id j24mr4690213wrh.120.1613660951106; Thu, 18 Feb 2021 07:09:11 -0800 (PST) X-Google-Smtp-Source: ABdhPJzAkUzlJijZrB290Cz5xNERVnKnGbLVBTvahDiqSFkKlArH+BuFX51nay4V741PuDJQ++TEDg== X-Received: by 2002:adf:d218:: with SMTP id j24mr4690185wrh.120.1613660950760; Thu, 18 Feb 2021 07:09:10 -0800 (PST) Received: from localhost ([2001:470:6973:2:7265:4c61:1a73:4148]) by smtp.gmail.com with ESMTPSA id 13sm8028145wmj.11.2021.02.18.07.09.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Feb 2021 07:09:10 -0800 (PST) From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [{bionic, focal, groovy}:linux 4/4] UBUNTU: [Config] add ubuntu-drivers key to SYSTEM_TRUSTED_KEYS Date: Thu, 18 Feb 2021 15:08:56 +0000 Message-Id: <20210218150856.1807354-9-apw@canonical.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210218150856.1807354-1-apw@canonical.com> References: <20210218150856.1807354-1-apw@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Andy Whitcroft Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" Add the Canonical Ltd. Kernel Module Signing certificate to allow external signing of kernel modules. BugLink: https://bugs.launchpad.net/bugs/1898716 Signed-off-by: Andy Whitcroft --- debian/certs/ubuntu-drivers-all.pem | 125 ++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 debian/certs/ubuntu-drivers-all.pem diff --git a/debian/certs/ubuntu-drivers-all.pem b/debian/certs/ubuntu-drivers-all.pem new file mode 100644 index 000000000000..9966174f1f6b --- /dev/null +++ b/debian/certs/ubuntu-drivers-all.pem @@ -0,0 +1,125 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + e9:df:13:0f:92:92:a9:b7 + Signature Algorithm: sha512WithRSAEncryption + Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Kernel Module Signing + Validity + Not Before: May 31 16:06:09 2016 GMT + Not After : May 29 16:06:09 2026 GMT + Subject: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Kernel Module Signing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:b3:b0:4f:c6:0a:77:8b:f9:d1:53:33:34:d2:80: + b5:63:6f:e1:f6:a2:83:99:d5:b6:b1:e4:99:91:fa: + 6c:19:c6:d0:91:2a:b9:7d:b5:98:a6:0d:28:01:b8: + 7c:8e:aa:38:ec:51:37:33:96:f0:b0:9b:8d:86:5f: + 67:23:69:2f:d7:c2:f3:fb:c5:d7:f9:04:ff:f2:e5: + 61:68:b7:29:b9:c6:8e:4b:4d:2d:8f:92:0c:00:b3: + a3:d2:5a:08:64:cd:f2:09:0b:a5:0e:e6:64:75:d5: + 41:f4:4d:49:3a:0d:dc:b9:27:8e:c4:d6:b1:df:8f: + 6c:f0:e4:f7:31:cb:a9:04:a1:f9:a7:aa:15:da:59: + 03:4d:46:14:d0:dd:bf:e0:f5:9e:f0:71:0c:70:78: + 2b:08:fb:e0:b6:68:a4:74:12:9d:f7:f2:64:88:17: + 2a:8a:ed:1a:91:b5:6c:13:bd:4c:10:0a:0b:72:0b: + 90:db:7d:f3:78:44:4c:d2:a5:41:f7:1c:77:7d:5a: + 8a:54:bc:8f:fe:b7:ee:e1:bc:59:37:c4:d4:e8:14: + d0:5b:42:9b:04:00:8e:6d:83:8a:25:21:5b:08:c4: + 7b:b2:d9:99:52:c9:5e:59:6d:c4:aa:52:59:e2:e4: + 2f:7e:7e:ac:05:01:99:bf:13:72:b7:45:c5:17:da: + 8a:d5:3e:71:73:2e:d8:aa:e6:eb:5a:d0:9a:c4:93: + f3:be:eb:d2:47:25:34:16:29:fa:dd:9a:2f:b1:20: + e5:41:4e:ed:ea:51:7c:23:80:ba:3d:b5:3a:0b:8c: + 9c:85:48:6c:3c:8b:29:2f:2f:12:c7:52:34:02:ea: + 0f:ac:53:23:3c:f8:3e:40:1b:30:63:e9:2d:e6:f6: + 58:cc:51:f9:eb:08:4a:b4:c7:16:80:d1:8b:c2:64: + 6a:71:a9:70:31:a4:a7:3a:c0:93:99:1b:0e:42:c1: + 00:6d:43:27:99:6c:e5:fd:23:16:c1:8e:b5:66:17: + 2b:4c:53:5a:6d:1e:96:16:13:6a:c6:d4:85:5b:74: + 2e:ce:7c:45:2f:ad:cb:75:9e:5e:91:bd:9a:6a:86: + 1a:06:bd:39:be:a3:50:56:ea:e1:f6:e3:95:69:d7: + 31:e4:66:f7:36:b5:51:c2:22:b4:9c:74:9c:44:0b: + 0e:16:5f:53:f0:23:c6:b9:40:bd:d6:b8:7d:1b:f6: + 73:f6:27:e7:c0:e3:65:a0:58:ab:5c:59:b7:80:8c: + 8c:04:b4:a9:ae:a0:51:40:10:3b:63:59:49:87:d1: + 9b:df:a3:8c:c4:2e:eb:70:c1:0a:18:1f:cb:22:c2: + f2:4a:65:0d:e5:81:74:d8:ce:72:c6:35:be:ba:63: + 72:c4:f9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: + Digital Signature + X509v3 Subject Key Identifier: + 88:F7:52:E5:60:A1:E0:73:7E:31:16:3A:46:6A:D7:B7:0A:85:0C:19 + X509v3 Authority Key Identifier: + keyid:88:F7:52:E5:60:A1:E0:73:7E:31:16:3A:46:6A:D7:B7:0A:85:0C:19 + + Signature Algorithm: sha512WithRSAEncryption + 04:85:16:27:58:ba:71:28:57:86:7b:c2:83:db:e5:72:6f:1e: + b2:1c:63:b0:db:ad:c0:42:96:c0:4f:65:f6:35:4d:c0:07:0d: + 46:be:d3:1e:ec:f1:22:18:2a:18:5d:bb:69:a6:a6:d4:0d:c3: + 57:03:b9:e7:45:49:28:ca:6d:98:17:68:97:cb:7b:36:81:0a: + 37:9e:34:79:f3:e1:0e:5b:77:43:bb:5a:a5:45:b7:16:50:86: + fd:12:a4:96:0f:15:19:09:1c:e1:fa:80:a5:80:09:be:bb:c8: + 26:0b:3e:de:03:d2:c2:18:a4:8d:0d:de:c5:32:82:0b:fb:75: + 55:66:1a:2a:bb:e4:bd:25:91:20:15:d4:be:b8:3f:53:e3:fb: + a8:c3:55:e3:d5:e7:82:18:95:df:39:09:a7:fc:89:6e:b4:1c: + aa:2d:e8:67:c2:0d:34:34:3e:f9:fa:0b:ce:81:92:11:ae:12: + 0a:fe:35:63:ce:46:29:c4:2b:4f:cb:4e:05:0a:a1:11:e2:35: + f6:5a:5d:b5:e8:d2:6f:4c:fc:3d:24:a6:03:4b:dd:98:6b:f2: + 71:58:16:1d:a5:25:ef:d9:06:7c:e8:db:7b:88:6a:89:5c:59: + 01:92:64:db:44:08:63:6c:7c:32:d6:55:98:63:09:26:61:67: + 0a:fe:5d:ee:fd:23:59:b3:4d:91:c1:4d:41:8b:cd:20:58:fa: + 2d:45:e5:bd:1d:69:5c:03:a0:49:a6:97:54:13:b6:c9:e0:f8: + 56:83:a1:2a:c3:f4:6c:fd:ab:20:ca:3d:9c:95:c0:cf:04:bb: + 46:39:cf:34:81:65:45:27:64:01:7d:62:b3:b8:72:ea:10:d5: + 0f:53:7d:39:88:25:09:6f:8c:bc:e0:49:bb:39:e2:0e:8d:cf: + 56:4d:c1:82:6d:87:d2:e7:fc:c0:9f:a7:65:60:d2:6c:65:18: + 59:38:6e:d0:9c:d7:c3:81:9a:9a:29:8f:83:84:c3:b5:44:ff: + 28:ac:13:17:64:f2:26:13:d9:55:06:b7:69:68:7c:bf:ec:d1: + 8c:ef:b7:da:76:e1:07:73:c6:31:62:31:cb:b6:e1:e7:7f:0c: + c3:f7:4c:52:be:25:36:8e:a1:bb:60:02:c3:cb:3e:6f:29:fc: + 7f:6a:fa:f8:ec:0a:df:49:e2:57:0e:bc:bd:93:c3:1b:d5:36: + 8a:ff:d8:1b:17:c7:1f:cb:69:00:d2:54:9e:ad:61:89:92:95: + 11:f8:ea:17:83:9f:9b:09:7d:b8:94:a4:ea:f5:ae:ea:dc:dd: + 62:b9:9e:68:9c:18:ec:19:c4:13:08:c8:b1:62:ab:8e:84:69: + 11:3c:da:ea:0d:b7:22:bd +-----BEGIN CERTIFICATE----- +MIIF2jCCA8KgAwIBAgIJAOnfEw+Skqm3MA0GCSqGSIb3DQEBDQUAMH0xCzAJBgNV +BAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEQMA4GA1UEBwwHRG91Z2xhczEX +MBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4xLTArBgNVBAMMJENhbm9uaWNhbCBMdGQu +IEtlcm5lbCBNb2R1bGUgU2lnbmluZzAeFw0xNjA1MzExNjA2MDlaFw0yNjA1Mjkx +NjA2MDlaMH0xCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEQMA4G +A1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4xLTArBgNVBAMM +JENhbm9uaWNhbCBMdGQuIEtlcm5lbCBNb2R1bGUgU2lnbmluZzCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBALOwT8YKd4v50VMzNNKAtWNv4faig5nVtrHk +mZH6bBnG0JEquX21mKYNKAG4fI6qOOxRNzOW8LCbjYZfZyNpL9fC8/vF1/kE//Ll +YWi3KbnGjktNLY+SDACzo9JaCGTN8gkLpQ7mZHXVQfRNSToN3LknjsTWsd+PbPDk +9zHLqQSh+aeqFdpZA01GFNDdv+D1nvBxDHB4Kwj74LZopHQSnffyZIgXKortGpG1 +bBO9TBAKC3ILkNt983hETNKlQfccd31ailS8j/637uG8WTfE1OgU0FtCmwQAjm2D +iiUhWwjEe7LZmVLJXlltxKpSWeLkL35+rAUBmb8TcrdFxRfaitU+cXMu2Krm61rQ +msST877r0kclNBYp+t2aL7Eg5UFO7epRfCOAuj21OguMnIVIbDyLKS8vEsdSNALq +D6xTIzz4PkAbMGPpLeb2WMxR+esISrTHFoDRi8JkanGpcDGkpzrAk5kbDkLBAG1D +J5ls5f0jFsGOtWYXK0xTWm0elhYTasbUhVt0Ls58RS+ty3WeXpG9mmqGGga9Ob6j +UFbq4fbjlWnXMeRm9za1UcIitJx0nEQLDhZfU/AjxrlAvda4fRv2c/Yn58DjZaBY +q1xZt4CMjAS0qa6gUUAQO2NZSYfRm9+jjMQu63DBChgfyyLC8kplDeWBdNjOcsY1 +vrpjcsT5AgMBAAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1Ud +DgQWBBSI91LlYKHgc34xFjpGate3CoUMGTAfBgNVHSMEGDAWgBSI91LlYKHgc34x +FjpGate3CoUMGTANBgkqhkiG9w0BAQ0FAAOCAgEABIUWJ1i6cShXhnvCg9vlcm8e +shxjsNutwEKWwE9l9jVNwAcNRr7THuzxIhgqGF27aaam1A3DVwO550VJKMptmBdo +l8t7NoEKN540efPhDlt3Q7tapUW3FlCG/RKklg8VGQkc4fqApYAJvrvIJgs+3gPS +whikjQ3exTKCC/t1VWYaKrvkvSWRIBXUvrg/U+P7qMNV49XnghiV3zkJp/yJbrQc +qi3oZ8INNDQ++foLzoGSEa4SCv41Y85GKcQrT8tOBQqhEeI19lpdtejSb0z8PSSm +A0vdmGvycVgWHaUl79kGfOjbe4hqiVxZAZJk20QIY2x8MtZVmGMJJmFnCv5d7v0j +WbNNkcFNQYvNIFj6LUXlvR1pXAOgSaaXVBO2yeD4VoOhKsP0bP2rIMo9nJXAzwS7 +RjnPNIFlRSdkAX1is7hy6hDVD1N9OYglCW+MvOBJuzniDo3PVk3Bgm2H0uf8wJ+n +ZWDSbGUYWThu0JzXw4GamimPg4TDtUT/KKwTF2TyJhPZVQa3aWh8v+zRjO+32nbh +B3PGMWIxy7bh538Mw/dMUr4lNo6hu2ACw8s+byn8f2r6+OwK30niVw68vZPDG9U2 +iv/YGxfHH8tpANJUnq1hiZKVEfjqF4Ofmwl9uJSk6vWu6tzdYrmeaJwY7BnEEwjI +sWKrjoRpETza6g23Ir0= +-----END CERTIFICATE-----