From patchwork Tue Mar 15 18:26:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1605758 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=cB1BSzkQ; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4KJ21W40Qzz9s8s for ; Wed, 16 Mar 2022 05:26:54 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1nUBsY-0006kd-IO; Tue, 15 Mar 2022 18:26:42 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1nUBsW-0006kW-F1 for kernel-team@lists.ubuntu.com; Tue, 15 Mar 2022 18:26:40 +0000 Received: from mail-wm1-f69.google.com (mail-wm1-f69.google.com [209.85.128.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 48A513F4BE for ; Tue, 15 Mar 2022 18:26:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1647368800; bh=gGaF+Z8HHwFydY1bbxcr1qgY3+pMP4qylolu6O9uNic=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=cB1BSzkQOIeyZ/kmQkQyHWGq1JpYE6In6CfFkv2gQrP2ow3pgzEcpyOGx63jolp5Y BGIemT3lsJOyOXIf+J07wqnll+nIP25Wo4ZTg5AiaxLdF6NeuKfUWNa1sd6sjvFV26 C+VXKO3KIYxJMrsiFwkXnS6FRV3F4wRbkFEafLUnPU82HZ4ReBAuWHlIGK6YuQyBRt GLrAwWaQ5bFQWn1aeY2HzfZwGTO/EHbeTztLJv51kpufvs8q0PEkynmVeOrDi6nghM 7Jgm7G1R58KJqpCLSGQ7T5B1fyqULr3tBcuhUx7DDz5lPZl15C46Y1gn3fE6e08Mqr KUe/XWmFHQNpQ== Received: by mail-wm1-f69.google.com with SMTP id p8-20020a1c5448000000b0038a12987e1eso2241069wmi.6 for ; Tue, 15 Mar 2022 11:26:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=gGaF+Z8HHwFydY1bbxcr1qgY3+pMP4qylolu6O9uNic=; b=HG6NpYfdIvgqL5lhieKjStfh2yLVJLe/v2H8+gcvKOOhPPplj4WJhyEx20CnQ1v9Oq e6v04d07833PPDsuviVddN0XZTl9ZXvh6JmAxDC9+WWTTif82emLlcPYr2vLh6lV9RO6 vug5PWE0QAYGs03Ul2Mi/UFh7QlZIQz6IY6R27RXBB2ILHMoud4OChNPFPxSOUqkmhFg oq870lMpiBIrFYsoMHNcaZmlSDqlCewbhVhPbVGHf/jHWBUzq2ORqu+911AjYt0KfMhQ 8TdXOZwQgmRGhq3m1IpPfVuixCTzL9Y0eYygnCaLBSAJOCt2btTxABI5l93g5rq2m9rs QNXQ== X-Gm-Message-State: AOAM530kPqUerzzLYCFNJIGWhYOy0RO918iwMbfJjF900Mi50shZxsPe HBVP9ZlsQXvgPdVqmaqiFg4zeJLmu8G4o8VTDFlHupruBFqApsyZzFTXF70JQRXBlpis83+nGkN PTPoICoS5O7cPyKxObKmDyWG9Rfeq7SSea7kOYgXKwg== X-Received: by 2002:a5d:59a3:0:b0:203:d9fa:6968 with SMTP id p3-20020a5d59a3000000b00203d9fa6968mr1833345wrr.585.1647368799438; Tue, 15 Mar 2022 11:26:39 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy1rUPPSLBiJEfgF7w1rP5d0K/yw/8Tf2D1eAlAyKeGsUVdgaF1Fz11GesykYJUKp8Z5q7E4g== X-Received: by 2002:a5d:59a3:0:b0:203:d9fa:6968 with SMTP id p3-20020a5d59a3000000b00203d9fa6968mr1833318wrr.585.1647368798860; Tue, 15 Mar 2022 11:26:38 -0700 (PDT) Received: from localhost ([2a01:4b00:85fd:d700:f1bc:f27f:ea54:41bb]) by smtp.gmail.com with ESMTPSA id t184-20020a1c46c1000000b003814de297fcsm2860980wma.16.2022.03.15.11.26.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Mar 2022 11:26:38 -0700 (PDT) From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [JAMMY][FOCAL][BIONIC][linux][PATCH] UBUNTU: [Packaging] Rotate to 2021v1 signing key Date: Tue, 15 Mar 2022 18:26:15 +0000 Message-Id: <20220315182615.160949-1-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: apw@canonical.com, steve.langasek@canonical.com Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/1964990 Revoke 2017, 2018, 2019 signing certificates for kexec/kdump purposes. 2012 signing certificate was already revoked for kexec/kdump purposes. After this patch is applied, certificates corresponding to CRL serials 01, 02, 03, 04 will not be usable by this kernel for kexec/kdump purposes. This patch prevents this kernel to kexec/kdump using kernels signed by those certifictes when lockdown is in place. 05 Ubuntu Core 2019 signing certificate is not included as revoked, as that certificate signs kernel.efi apps only which linux doesn't know not know how to use with kexec/kdump. Kernels that include this patch should be routed via 2021v1 signing, to preserve kexec/kdump functionality under lockdown. Signed-off-by: Dimitri John Ledkov Acked-by: Stefan Bader Acked-by: Kleber Sacilotto de Souza --- .../revoked-certs/canonical-uefi-2017-all.pem | 86 +++++++++++++++++++ .../revoked-certs/canonical-uefi-2018-all.pem | 86 +++++++++++++++++++ .../revoked-certs/canonical-uefi-2019-all.pem | 86 +++++++++++++++++++ 3 files changed, 258 insertions(+) create mode 100644 debian/revoked-certs/canonical-uefi-2017-all.pem create mode 100644 debian/revoked-certs/canonical-uefi-2018-all.pem create mode 100644 debian/revoked-certs/canonical-uefi-2019-all.pem diff --git a/debian/revoked-certs/canonical-uefi-2017-all.pem b/debian/revoked-certs/canonical-uefi-2017-all.pem new file mode 100644 index 0000000000..d26474ec3d --- /dev/null +++ b/debian/revoked-certs/canonical-uefi-2017-all.pem @@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority + Validity + Not Before: Sep 26 21:52:11 2017 GMT + Not After : Sep 25 21:52:11 2047 GMT + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2017) + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ef:9f:fa:9f:19:3a:9d:38:23:91:cc:c4:f9:42: + e0:f8:54:12:82:dc:97:2c:d6:5b:c1:35:eb:ff:4a: + 74:06:b5:9d:32:aa:7b:f3:fc:31:5a:34:3e:a1:a4: + 44:db:7b:6d:16:af:35:76:e0:9b:99:ad:21:11:c6: + 12:4b:ae:24:8f:bb:d3:b2:00:fe:c5:1d:9b:3a:1a: + 4a:6c:ca:fa:16:37:85:22:f9:ff:22:fc:40:e0:58: + 35:c1:39:27:b4:c6:42:1a:96:d8:a5:c5:95:2e:f7: + c5:1e:21:6e:36:84:f7:a9:a1:e1:f1:03:08:96:65: + 71:f8:eb:83:cf:82:f7:9a:44:58:72:00:14:39:29: + 4b:e9:78:2f:65:20:b3:80:76:3b:ba:0d:2d:46:f6: + 37:05:e7:05:fe:bd:6c:c7:a2:65:b5:06:6e:07:24: + 99:a1:c1:cf:e1:0e:5e:49:41:71:17:a8:50:e7:38: + 99:e5:6e:b6:db:9f:63:db:56:f4:9c:7d:89:f6:d2: + 03:6c:99:83:e0:99:23:39:36:bd:cb:b5:26:7c:7d: + b0:c6:fe:82:7c:52:ed:f9:2c:8f:79:71:3d:a9:2f: + b5:aa:7e:77:a0:fd:69:f9:97:10:a8:b2:c6:7d:88: + 9e:a2:19:bd:31:b8:02:2d:34:4d:9d:98:60:82:ad: + 04:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Extended Key Usage: + Code Signing, 1.3.6.1.4.1.311.10.3.6 + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 24:2A:DE:75:AC:4A:15:E5:0D:50:C8:4B:0D:45:FF:3E:AE:70:7A:03 + X509v3 Authority Key Identifier: + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 + + Signature Algorithm: sha256WithRSAEncryption + 00:b2:b7:57:b5:2b:5d:16:d3:04:88:6a:d7:77:d5:0d:89:f1: + d2:6e:11:d1:8e:f5:62:05:c4:6a:57:df:eb:d2:86:68:f2:fd: + a7:37:11:3c:f4:ce:5d:fe:32:5f:31:a2:6b:3a:da:28:c2:88: + fa:7f:70:b5:25:99:ea:27:9a:56:6a:9d:b2:0f:14:99:e2:b7: + c6:39:1e:8e:a7:76:31:d9:ed:c5:05:8d:48:ae:1b:68:18:14: + 51:a1:7d:f6:c7:df:cb:9d:eb:a4:3b:0b:ff:c2:07:c5:42:bc: + 0d:b2:11:fa:37:17:2b:1c:b5:84:48:2d:f9:31:4a:57:49:8e: + 61:a6:82:11:06:4c:34:ea:9c:2a:47:4d:eb:e0:26:af:da:d2: + c2:08:a0:37:35:7b:73:71:de:0b:c4:ba:c8:34:de:20:04:03: + 6f:46:26:0d:b9:91:02:5b:71:76:cc:45:e4:08:d0:a6:dd:a4: + 50:d3:d9:04:91:2b:d9:5c:34:88:fc:c2:37:fd:c6:d4:3e:57: + f7:6b:ba:7b:d7:02:7a:84:0c:c8:c1:19:cc:bc:fa:52:d5:7f: + b3:35:c4:53:5d:70:0a:f6:44:60:8d:a9:11:7a:1b:7d:ae:7b: + 20:5a:4c:8d:44:f6:c1:a9:61:cb:dc:cb:90:37:d5:28:24:73: + 87:d0:e0:d8 +-----BEGIN CERTIFICATE----- +MIIEKDCCAxCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzA5MjYyMTUyMTFaFw00NzA5MjUy +MTUyMTFaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxNykw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvn/qfGTqdOCORzMT5QuD4 +VBKC3Jcs1lvBNev/SnQGtZ0yqnvz/DFaND6hpETbe20WrzV24JuZrSERxhJLriSP +u9OyAP7FHZs6GkpsyvoWN4Ui+f8i/EDgWDXBOSe0xkIaltilxZUu98UeIW42hPep +oeHxAwiWZXH464PPgveaRFhyABQ5KUvpeC9lILOAdju6DS1G9jcF5wX+vWzHomW1 +Bm4HJJmhwc/hDl5JQXEXqFDnOJnlbrbbn2PbVvScfYn20gNsmYPgmSM5Nr3LtSZ8 +fbDG/oJ8Uu35LI95cT2pL7Wqfneg/Wn5lxCossZ9iJ6iGb0xuAItNE2dmGCCrQT/ +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy +dGlmaWNhdGUwHQYDVR0OBBYEFCQq3nWsShXlDVDISw1F/z6ucHoDMB8GA1UdIwQY +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQAAsrdX +tStdFtMEiGrXd9UNifHSbhHRjvViBcRqV9/r0oZo8v2nNxE89M5d/jJfMaJrOtoo +woj6f3C1JZnqJ5pWap2yDxSZ4rfGOR6Op3Yx2e3FBY1IrhtoGBRRoX32x9/Lneuk +Owv/wgfFQrwNshH6NxcrHLWESC35MUpXSY5hpoIRBkw06pwqR03r4Cav2tLCCKA3 +NXtzcd4LxLrINN4gBANvRiYNuZECW3F2zEXkCNCm3aRQ09kEkSvZXDSI/MI3/cbU +Plf3a7p71wJ6hAzIwRnMvPpS1X+zNcRTXXAK9kRgjakReht9rnsgWkyNRPbBqWHL +3MuQN9UoJHOH0ODY +-----END CERTIFICATE----- diff --git a/debian/revoked-certs/canonical-uefi-2018-all.pem b/debian/revoked-certs/canonical-uefi-2018-all.pem new file mode 100644 index 0000000000..76e6bf31e4 --- /dev/null +++ b/debian/revoked-certs/canonical-uefi-2018-all.pem @@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority + Validity + Not Before: Oct 26 18:31:14 2018 GMT + Not After : Oct 24 18:31:14 2048 GMT + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (ESM 2018) + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bf:6a:e5:6d:55:7a:ec:7a:11:37:45:9c:4c:8f: + 6b:2d:56:d3:74:2b:32:ac:84:2d:ba:cb:cc:ec:8d: + 92:22:69:48:a5:d4:f6:75:11:66:2f:cb:b2:fd:9e: + 56:ab:e6:f1:52:8e:75:3e:50:bd:25:b3:50:fc:ef: + 3d:76:f3:3f:7f:03:f6:e2:a1:25:69:5c:14:98:54: + bd:11:bf:e9:a5:ac:46:91:4b:1d:de:b7:18:2b:c8: + 22:83:15:a7:4a:00:8d:9d:e4:c0:da:f7:41:02:fd: + 9f:5f:79:93:56:cc:86:e1:b5:e0:39:0e:3c:a2:5b: + fe:c0:56:f0:92:50:5a:2b:67:67:93:56:d7:7a:75: + 99:6a:25:b4:63:a8:5f:69:7e:3a:49:58:2a:a7:80: + f6:5a:b4:be:b2:be:a8:8c:45:41:c9:f2:fc:76:a8: + 65:ef:99:29:0d:c9:9c:54:6b:0a:f0:4a:0e:61:0d: + ed:99:32:af:12:e2:12:7b:9f:7b:ec:05:c4:e0:b6: + d5:c3:71:28:ae:dd:0b:ba:97:ad:68:0b:76:e9:bf: + e7:01:7e:64:54:39:23:85:36:c8:9d:dd:27:a1:ff: + df:46:36:14:7e:cb:cc:a1:cd:49:0b:6d:c2:0c:45: + 99:56:58:7c:87:0d:59:9a:dc:4a:39:3b:1d:d9:15: + 2e:b5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Extended Key Usage: + Code Signing, 1.3.6.1.4.1.311.10.3.6 + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 36:51:88:C1:D3:74:D6:B0:7C:3C:8F:24:0F:8E:F7:22:43:3D:6A:8B + X509v3 Authority Key Identifier: + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 + + Signature Algorithm: sha256WithRSAEncryption + 4c:0f:cd:77:60:b4:6f:53:87:f3:3c:4f:e6:81:5f:a7:1c:cc: + 60:29:b6:34:6c:4d:08:9b:e2:d2:bd:f6:17:1a:62:79:b8:17: + bc:a2:60:59:fd:03:51:c3:b7:6b:de:73:b3:48:95:f5:0b:aa: + b6:3c:b4:34:dc:1d:0b:c4:97:62:87:e7:48:d5:8f:c9:ea:e8: + 91:8f:2a:40:cd:b7:b3:ee:b2:98:9e:fb:37:31:29:e6:8e:2f: + 0a:39:99:1e:c6:aa:b8:05:62:85:d3:a8:3e:60:38:98:0f:f0: + fe:c7:ab:01:a5:6a:a5:7f:70:a6:26:94:76:23:2f:08:89:74: + 97:c2:2a:ca:22:3e:7a:ea:22:22:08:07:f4:bb:f6:bc:69:9c: + 4e:44:33:e2:8e:70:17:b0:9b:cb:33:94:66:6d:ff:9a:7d:e9: + 50:b2:e8:90:14:e4:2b:91:cb:a0:c5:2e:0e:cf:19:ef:44:ef: + 84:f0:bd:57:9e:26:c2:63:3d:df:fc:a1:84:de:5c:d7:5f:3b: + fb:94:61:f0:93:89:1f:cf:c3:b2:d1:90:97:35:7d:b9:8a:ad: + e6:05:f0:e8:3b:a1:7c:af:2b:c4:af:18:33:2e:5e:87:db:9d: + 80:b5:04:fd:00:d0:60:ab:ff:85:77:0f:cb:47:22:c9:b2:85: + a8:48:16:e2 +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODEwMjYxODMxMTRaFw00ODEwMjQx +ODMxMTRaMIGKMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDE2MDQG +A1UEAwwtQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoRVNNIDIw +MTgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2rlbVV67HoRN0Wc +TI9rLVbTdCsyrIQtusvM7I2SImlIpdT2dRFmL8uy/Z5Wq+bxUo51PlC9JbNQ/O89 +dvM/fwP24qElaVwUmFS9Eb/ppaxGkUsd3rcYK8gigxWnSgCNneTA2vdBAv2fX3mT +VsyG4bXgOQ48olv+wFbwklBaK2dnk1bXenWZaiW0Y6hfaX46SVgqp4D2WrS+sr6o +jEVByfL8dqhl75kpDcmcVGsK8EoOYQ3tmTKvEuISe5977AXE4LbVw3Eort0Lupet +aAt26b/nAX5kVDkjhTbInd0nof/fRjYUfsvMoc1JC23CDEWZVlh8hw1ZmtxKOTsd +2RUutQIDAQABo4GgMIGdMAwGA1UdEwEB/wQCMAAwHwYDVR0lBBgwFgYIKwYBBQUH +AwMGCisGAQQBgjcKAwYwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk +IENlcnRpZmljYXRlMB0GA1UdDgQWBBQ2UYjB03TWsHw8jyQPjvciQz1qizAfBgNV +HSMEGDAWgBStkZkLwiqx9RcEjCO2ZVomjjRaYzANBgkqhkiG9w0BAQsFAAOCAQEA +TA/Nd2C0b1OH8zxP5oFfpxzMYCm2NGxNCJvi0r32FxpiebgXvKJgWf0DUcO3a95z +s0iV9Quqtjy0NNwdC8SXYofnSNWPyerokY8qQM23s+6ymJ77NzEp5o4vCjmZHsaq +uAVihdOoPmA4mA/w/serAaVqpX9wpiaUdiMvCIl0l8IqyiI+euoiIggH9Lv2vGmc +TkQz4o5wF7CbyzOUZm3/mn3pULLokBTkK5HLoMUuDs8Z70TvhPC9V54mwmM93/yh +hN5c1187+5Rh8JOJH8/DstGQlzV9uYqt5gXw6DuhfK8rxK8YMy5eh9udgLUE/QDQ +YKv/hXcPy0ciybKFqEgW4g== +-----END CERTIFICATE----- diff --git a/debian/revoked-certs/canonical-uefi-2019-all.pem b/debian/revoked-certs/canonical-uefi-2019-all.pem new file mode 100644 index 0000000000..dc6e4b9695 --- /dev/null +++ b/debian/revoked-certs/canonical-uefi-2019-all.pem @@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4 (0x4) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority + Validity + Not Before: Sep 18 16:10:17 2019 GMT + Not After : Sep 16 16:10:17 2049 GMT + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2019) + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:e6:47:d8:75:e5:87:59:26:87:83:7d:5b:7a:b8: + 58:3d:7c:ef:36:f8:a0:7a:b7:14:56:58:7d:01:f1: + 1c:3b:8c:e6:5b:03:77:7d:a0:ed:47:0a:45:e6:75: + 5c:de:95:38:0d:38:fa:41:79:89:56:31:87:e7:a3: + 9a:36:70:b6:cf:24:2f:99:26:89:08:39:0e:14:c3: + 35:be:02:8b:52:e1:8e:7b:0c:a6:9d:78:ff:01:60: + d7:f5:c3:d5:f0:5e:dc:e4:23:09:59:72:93:d3:b5: + 22:af:7c:cd:e0:84:0f:af:11:2d:bc:c6:72:42:af: + ea:67:63:c4:10:41:78:02:80:62:0d:43:74:b4:1c: + ed:50:d7:94:f1:b0:bb:f9:57:80:e4:69:0f:83:4b: + a2:e6:2c:4a:9a:e1:7d:7c:62:19:29:27:97:1f:4c: + f1:85:f0:39:f5:31:9f:3a:39:0e:d4:4d:07:3a:40: + 55:4b:a6:6c:9d:04:89:51:2d:7c:b0:ef:40:b5:42: + 29:16:cc:65:73:38:62:21:f6:e3:2c:17:50:9d:74: + 34:4e:df:7c:4a:33:a4:bb:40:cf:d5:e5:ed:05:07: + cd:4c:f9:af:7f:a6:5c:b9:f7:c5:16:45:4e:44:40: + d7:85:32:de:ac:e5:75:ad:9b:d7:c0:26:33:1f:77: + a5:37 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Extended Key Usage: + Code Signing, 1.3.6.1.4.1.311.10.3.6 + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + C0:74:6F:D6:C5:DA:3A:E8:27:86:46:51:AD:66:AE:47:FE:24:B3:E8 + X509v3 Authority Key Identifier: + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 + + Signature Algorithm: sha256WithRSAEncryption + aa:12:6c:d1:9d:6a:da:f0:ec:7c:17:46:3b:57:b8:d6:76:5f: + 24:e6:06:a2:0a:55:1f:2f:d3:5e:8f:de:cf:02:f2:ff:e0:dd: + d3:c7:bd:75:59:aa:cd:34:f3:28:80:73:cc:28:69:e7:a2:70: + 88:a2:c7:dc:66:f0:92:0e:ff:64:bf:30:04:54:01:1b:96:ad: + 15:c5:61:fd:32:61:d7:5e:b5:ba:91:fd:31:fc:6b:15:df:ee: + 22:d9:e4:1f:f3:cc:8b:0c:9f:f5:e8:f7:e2:62:3f:40:52:c9: + f0:f1:1c:63:fc:6c:90:e1:5b:74:03:b9:df:d1:3e:a8:ec:db: + 2b:6e:83:6f:9f:7f:ba:b4:79:fc:3d:e7:12:2f:4a:e7:17:8c: + 2b:77:a5:90:74:3c:bd:cf:75:83:0d:1a:95:d5:56:ef:07:9b: + a6:b3:31:e3:8c:97:ce:68:11:b5:7b:25:03:72:1c:ea:67:e9: + 7c:3e:73:c7:7c:3e:fc:f5:ae:8a:b2:07:0d:15:6a:66:09:d7: + 23:b9:5d:80:7a:26:d6:b6:22:30:aa:84:af:c0:42:e9:75:c3: + 59:ab:a3:84:87:6b:0c:b7:ab:4e:92:69:ae:2c:82:6f:ab:01: + 24:ab:ff:78:6d:59:85:c2:3b:23:c0:bd:0d:d8:6e:3a:29:82: + e1:c4:5f:db +-----BEGIN CERTIFICATE----- +MIIEKDCCAxCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTgxNjEwMTdaFw00OTA5MTYx +NjEwMTdaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxOSkw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmR9h15YdZJoeDfVt6uFg9 +fO82+KB6txRWWH0B8Rw7jOZbA3d9oO1HCkXmdVzelTgNOPpBeYlWMYfno5o2cLbP +JC+ZJokIOQ4UwzW+AotS4Y57DKadeP8BYNf1w9XwXtzkIwlZcpPTtSKvfM3ghA+v +ES28xnJCr+pnY8QQQXgCgGINQ3S0HO1Q15TxsLv5V4DkaQ+DS6LmLEqa4X18Yhkp +J5cfTPGF8Dn1MZ86OQ7UTQc6QFVLpmydBIlRLXyw70C1QikWzGVzOGIh9uMsF1Cd +dDRO33xKM6S7QM/V5e0FB81M+a9/ply598UWRU5EQNeFMt6s5XWtm9fAJjMfd6U3 +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy +dGlmaWNhdGUwHQYDVR0OBBYEFMB0b9bF2jroJ4ZGUa1mrkf+JLPoMB8GA1UdIwQY +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQCqEmzR +nWra8Ox8F0Y7V7jWdl8k5gaiClUfL9Nej97PAvL/4N3Tx711WarNNPMogHPMKGnn +onCIosfcZvCSDv9kvzAEVAEblq0VxWH9MmHXXrW6kf0x/GsV3+4i2eQf88yLDJ/1 +6PfiYj9AUsnw8Rxj/GyQ4Vt0A7nf0T6o7NsrboNvn3+6tHn8PecSL0rnF4wrd6WQ +dDy9z3WDDRqV1VbvB5umszHjjJfOaBG1eyUDchzqZ+l8PnPHfD789a6KsgcNFWpm +CdcjuV2AeibWtiIwqoSvwELpdcNZq6OEh2sMt6tOkmmuLIJvqwEkq/94bVmFwjsj +wL0N2G46KYLhxF/b +-----END CERTIFICATE-----