From patchwork Thu Feb 18 16:17:47 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 1441747 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DhKcy4Kvjz9sRN; Fri, 19 Feb 2021 03:18:10 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lCm0D-0000e2-Nl; Thu, 18 Feb 2021 16:18:05 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCm07-0000ck-EM for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 16:17:59 +0000 Received: from mail-wr1-f69.google.com ([209.85.221.69]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCm07-0002Jv-6z for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 16:17:59 +0000 Received: by mail-wr1-f69.google.com with SMTP id w11so1202354wrp.6 for ; Thu, 18 Feb 2021 08:17:59 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=ShmHWiVvucA3z6SDChOYpFY5y0cEqBpA+DJdaXEbsQE=; b=WyhT9o+GB2dNMaoCnHyAVt5+ImLEeSNhAGgi975GHrxEdoJH2JBkT+pnjSM+3uIF94 AKFV/5kSM1lwkbjCd7lC4Ljnatj3mjkWrNhGxbnq90xsEoZPvossmVoJyu9akrWyzszX jeVGms0r2HuHZyoJAHyAQYIbIA92RERsdHcnE4qB9Ahj5AoOGQG06U9XZc231AjV81Bi etshmYuu8QlcF69U642o1c2ldIh/4Q5hFKLZoqbxdln7OjemDhwynsVKlrwTHrZlvhLc ReVMdSjFI7znrWFNemFyKOTHyAZKpuehXC+jh6l6WcAJ6FDmGf5m6UMiArxbQ+Hx3Si2 NDew== X-Gm-Message-State: AOAM530afpoWiZn6JmyhLiPiN6mVEImVbB+ocs/yS39fM6klcldBSB1Y WJDiu/AssB7Js4VVyDf65ijXm3IcrxBXSZc+7lOwOHSIK88rtL6mWIy/mkS80ZvAZvEY0GZPqDh tD3BvFHZ15DmY7eQlkM49IX1SThGGpISSlEd7oLaRmw== X-Received: by 2002:a05:600c:20f:: with SMTP id 15mr4351084wmi.148.1613665078426; Thu, 18 Feb 2021 08:17:58 -0800 (PST) X-Google-Smtp-Source: ABdhPJz4338qeLyaC65Lc5MDb4BrJOKVELO6NOVcsoN22kDNw/W7hfYmxfPzJZrQaEAXtpVj4xXZeQ== X-Received: by 2002:a05:600c:20f:: with SMTP id 15mr4351067wmi.148.1613665078135; Thu, 18 Feb 2021 08:17:58 -0800 (PST) Received: from localhost ([2001:470:6973:2:4191:5ae2:921e:d619]) by smtp.gmail.com with ESMTPSA id b2sm9456679wrv.73.2021.02.18.08.17.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Feb 2021 08:17:57 -0800 (PST) From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [bionic:linux 1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y Date: Thu, 18 Feb 2021 16:17:47 +0000 Message-Id: <20210218161754.1840146-2-apw@canonical.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210218161754.1840146-1-apw@canonical.com> References: <20210218161754.1840146-1-apw@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Andy Whitcroft Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" In order to support the livepatch key we need to ensure we do not allow that key to load modules which are not for the specific kernel. From the documentation on kernel module signing: If you use the same private key to sign modules for multiple kernel configurations, you must ensure that the module version information is sufficient to prevent loading a module into a different kernel. Either set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a different kernel release string by changing ``EXTRAVERSION`` or ``CONFIG_LOCALVERSION``. BugLink: https://bugs.launchpad.net/bugs/1898716 Signed-off-by: Andy Whitcroft --- debian.master/config/annotations | 4 +++- debian.master/config/config.common.ubuntu | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 52fa132d2063..4f2972daee7e 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -8612,9 +8612,11 @@ CONFIG_MODULES policy<{'amd64': 'y', 'arm64': ' CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_MODULE_UNLOAD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_FORCE_UNLOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> -CONFIG_MODVERSIONS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> +CONFIG_MODVERSIONS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_SRCVERSION_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_COMPRESS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> +# +CONFIG_MODVERSIONS mark note # Menu: Enable loadable module support >> Compression algorithm diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 3ef3d8d6a2d8..f2a8b2e49b53 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SRCVERSION_ALL=y CONFIG_MODULE_UNLOAD=y -# CONFIG_MODVERSIONS is not set +CONFIG_MODVERSIONS=y CONFIG_MONREADER=m CONFIG_MONWRITER=m CONFIG_MOST=m From patchwork Thu Feb 18 16:17:48 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 1441748 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DhKcz5SxKz9sCD; Fri, 19 Feb 2021 03:18:11 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lCm0F-0000f4-W7; Thu, 18 Feb 2021 16:18:07 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCm08-0000cq-UP for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 16:18:00 +0000 Received: from mail-wm1-f72.google.com ([209.85.128.72]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCm08-0002K7-M7 for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 16:18:00 +0000 Received: by mail-wm1-f72.google.com with SMTP id y18so1388627wma.8 for ; Thu, 18 Feb 2021 08:18:00 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=2sv60XwLAPZ/AkK2a6Nb8mnioOD3IOIVQ1TbQiwAjo0=; b=Wkv8+pJRnfDJJ1FtGVn15d96ub8mzkLS2gIgiPA6Fq3lRut9xvhbGlVSNXWB2eHfVp yS5kq6Pv9I2+pm4IUh5UI3MNLufDQZuuPnrf+GSGnkW8x+JOXQkthv8ic0Pkob7UZJaq w4SAA9nUG0qV4ht51rAeB9eFSLrm9PpQPUvkUxnbOVH7bm5BuTZ93VO5SaChnkDpHdWu uzhm40ScpWWdZl5uGVhayp0R7zeFQPKkQByHUj4kvsgRzrhM5dNSVhrIUwxVSHBrV1V9 i7D+9KGRKTt8RvBzHnD7oWtDEsCN65w8j4g+ofjNji1DDuabSb7tMPN72xRRJdZgdEhU eZkw== X-Gm-Message-State: AOAM532SbDrlbQpiZw6YhB6JXN78TO91MKprwOjFK4ueJTxekBzPWFHn yhcZEI3q83mZYUm69kCFHDZj49zzNeiPNddZc3XnLBfiorQ2OvDH3MHi0CvHfM707DXvKWIM8fK 2TKaDI/Rg+u1fwOLEbbisNpiM7hFrSy5UzD44a8Qb3w== X-Received: by 2002:a7b:c04c:: with SMTP id u12mr3732917wmc.9.1613665079949; Thu, 18 Feb 2021 08:17:59 -0800 (PST) X-Google-Smtp-Source: ABdhPJzNP+1b8sWz/xIwpPMIjvxCP9VAZnf/mrflYbS5fOZ8arF52uKNeO5iWaJetWs5a0rMJtZkOw== X-Received: by 2002:a7b:c04c:: with SMTP id u12mr3732898wmc.9.1613665079709; Thu, 18 Feb 2021 08:17:59 -0800 (PST) Received: from localhost ([2001:470:6973:2:4191:5ae2:921e:d619]) by smtp.gmail.com with ESMTPSA id 16sm7938800wmi.43.2021.02.18.08.17.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Feb 2021 08:17:59 -0800 (PST) From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [bionic:linux 2/4] UBUNTU: [Packaging] build canonical-certs.pem from branch/arch certs Date: Thu, 18 Feb 2021 16:17:48 +0000 Message-Id: <20210218161754.1840146-3-apw@canonical.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210218161754.1840146-1-apw@canonical.com> References: <20210218161754.1840146-1-apw@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Andy Whitcroft Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" Merge common, branch-specific, and arch-specific certs and form a certs database for inclusion in the kernel keyring. BugLink: https://bugs.launchpad.net/bugs/1898716 Signed-off-by: Andy Whitcroft --- debian.master/config/annotations | 2 +- debian.master/config/config.common.ubuntu | 2 +- debian/rules | 14 +++++++++++++- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 4f2972daee7e..3315e1e9abe5 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -493,7 +493,7 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING mark # Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'i386': '""', 'ppc64el': '""', 's390x': '""'}> +CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'i386': '"debian/canonical-certs"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'i386': '4096', 'ppc64el': '4096', 's390x': '4096'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index f2a8b2e49b53..f58c2b343ceb 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -9018,7 +9018,7 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSVIPC=y CONFIG_SYSVIPC_COMPAT=y CONFIG_SYSVIPC_SYSCTL=y diff --git a/debian/rules b/debian/rules index 00a5348f1c7a..73c0ee19a109 100755 --- a/debian/rules +++ b/debian/rules @@ -126,7 +126,7 @@ binary: binary-indep binary-arch build: build-arch build-indep -clean: debian/control +clean: debian/control debian/canonical-certs.pem dh_testdir dh_testroot dh_clean @@ -210,3 +210,15 @@ debian/control: $(DEBIAN)/control.stub LANG=C kernel-wedge gen-control $(release)-$(abinum) | \ perl -f $(DROOT)/scripts/misc/kernel-wedge-arch.pl $(arch) \ >>$(CURDIR)/debian/control + +debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DROOT)/certs/*-$(arch).pem) $(wildcard $(DEBIAN)/certs/*-all.pem) $(wildcard $(DEBIAN)/certs/*-$(arch).pem) + for cert in $(sort $(notdir $^)); \ + do \ + for dir in $(DEBIAN) $(DROOT); \ + do \ + if [ -f "$$dir/certs/$$cert" ]; then \ + cat "$$dir/certs/$$cert"; \ + break; \ + fi; \ + done; \ + done >"$@" From patchwork Thu Feb 18 16:17:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 1441753 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DhKdB236Kz9sCD; Fri, 19 Feb 2021 03:18:22 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lCm0N-0000lU-NH; Thu, 18 Feb 2021 16:18:15 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCm0I-0000hR-P8 for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 16:18:10 +0000 Received: from mail-wm1-f70.google.com ([209.85.128.70]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCm0I-0002Lg-Gh for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 16:18:10 +0000 Received: by mail-wm1-f70.google.com with SMTP id b62so1394862wmc.5 for ; Thu, 18 Feb 2021 08:18:10 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=943nHkg7XFzxlGC9g8p2xnXo7nK1BJbO7U9YwDuP9RI=; b=tkJmljL/EAsBRMf7Wpq+V9UhCnOy+H2YJTM5B1XaOkPjTogX20h6C+R8EUsocNy2CQ KqX35K6Db8cSTbbUcijGRs68knjULj6Lxf4xyxL7Q0qNq7HWj9Dip06wCYOPnHPI9PFx suQmqEse8+PmUxVJiGnMYaaFhqdkKuv8v+gg2Hme8/fN9wAxDRQmdVVAXLPxiXxd+1pO SD16wC7V2TNk1pGRvLkehGep7FeTXZ8WbODYposdX3JGXu+NjAhnr1+x87dlPyHweajK D9X13cB5A66DEeW30bfAhQ6m8Kcco9eh6zzTNWD4tdbLQ354+6MAZ/kiQO/YIdMRABEq ZIwQ== X-Gm-Message-State: AOAM532UnwbM0Z12MI2t/3TOZncTXFPrdyhRxDwRCzeanhLa56fZNRBz tjfF7bDif6jH4pnD7nuB7987AbF9W76BsTCn6+n8GyGXO0OQaQj+Ed533Bua/xJIcVM5XGMGYIs UFDtUELxR99KUuRTbbbXkYo5YiXM2YmDYcbW562zMAw== X-Received: by 2002:a1c:a90e:: with SMTP id s14mr4323662wme.36.1613665089615; Thu, 18 Feb 2021 08:18:09 -0800 (PST) X-Google-Smtp-Source: ABdhPJxJUJttgYk1vAdsf5eQGXOpdLoZNYRim1kJYHRHLzakl8K8UnBUfLssyg0Ut/qGH886BkJcfg== X-Received: by 2002:a1c:a90e:: with SMTP id s14mr4323635wme.36.1613665089244; Thu, 18 Feb 2021 08:18:09 -0800 (PST) Received: from localhost ([2001:470:6973:2:4191:5ae2:921e:d619]) by smtp.gmail.com with ESMTPSA id w16sm9816289wrk.38.2021.02.18.08.18.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Feb 2021 08:18:08 -0800 (PST) From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [{bionic, focal, groovy}:linux 3/4] UBUNTU: [Config] add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS Date: Thu, 18 Feb 2021 16:17:53 +0000 Message-Id: <20210218161754.1840146-8-apw@canonical.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210218161754.1840146-1-apw@canonical.com> References: <20210218161754.1840146-1-apw@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Andy Whitcroft Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Dimitri John Ledkov Add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS, such that livepatch modules signed by Canonical are trusted out of the box, on locked-down secureboot systems. BugLink: https://bugs.launchpad.net/bugs/1898716 Signed-off-by: Dimitri John Ledkov [apw@canonical.com: move certification to cert framework.] Signed-off-by: Andy Whitcroft --- debian/certs/canonical-livepatch-all.pem | 121 +++++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 debian/certs/canonical-livepatch-all.pem diff --git a/debian/certs/canonical-livepatch-all.pem b/debian/certs/canonical-livepatch-all.pem new file mode 100644 index 000000000000..3f360f74344d --- /dev/null +++ b/debian/certs/canonical-livepatch-all.pem @@ -0,0 +1,121 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c7:7e:51:6a:1c:25:cd:40 + Signature Algorithm: sha512WithRSAEncryption + Issuer: CN = Canonical Ltd. Live Patch Signing + Validity + Not Before: Jul 18 23:41:27 2016 GMT + Not After : Jul 16 23:41:27 2026 GMT + Subject: CN = Canonical Ltd. Live Patch Signing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:bd:74:ee:72:b3:4a:ab:e6:31:e8:29:24:c2:bd: + 46:98:32:c0:39:ee:a3:fb:8a:ad:fe:ab:1a:5b:a3: + 2e:a1:80:db:79:61:9e:47:79:2c:75:57:a2:21:f0: + 93:f6:87:f2:9b:4b:9d:2f:b3:58:61:28:3c:41:70: + 13:16:a1:72:90:c9:d5:16:71:7c:e0:30:f9:28:5e: + 48:20:36:00:69:b7:59:9f:a3:ec:a8:eb:55:41:9f: + 38:1e:22:4a:57:20:f4:83:59:49:c5:00:93:d3:33: + 02:92:d1:fc:f0:84:3b:4a:5b:8f:b6:73:9a:89:fa: + 30:1e:e6:2a:68:f2:91:ef:59:57:3d:dc:1c:52:6f: + 5e:e6:9b:b5:b8:7c:98:c9:13:d1:39:68:01:67:91: + e0:d3:67:72:16:0a:5e:16:83:45:31:4f:b5:2b:b3: + f6:40:86:89:3a:84:6e:6f:16:61:bc:70:84:be:5a: + 13:36:7b:82:ea:07:19:fc:18:c1:16:c6:32:0b:7d: + 2c:6b:c4:21:b9:38:6b:31:dc:d9:0c:ad:56:40:68: + 7c:e3:c6:64:8e:bf:1c:e0:72:3e:6c:db:d2:73:79: + da:d7:c5:2f:5d:04:7d:b0:07:1e:95:dd:2a:47:5e: + bf:3e:3a:c8:66:f6:67:0f:d4:2a:f1:e2:71:59:d2: + 6c:7b:a0:37:ac:e6:97:80:30:13:97:48:d5:74:fc: + 38:68:e4:57:cb:99:69:5a:84:27:ac:98:51:e4:64: + bd:91:62:e8:58:27:06:2a:b9:0b:b8:08:e5:e5:b4: + 51:a7:a2:10:df:4e:07:6c:a0:3b:96:f2:6e:df:75: + 8c:97:1e:64:a0:9a:86:9b:98:26:f9:d8:b7:de:5b: + 21:b7:af:89:01:a3:f7:98:6b:da:19:ba:86:ef:ef: + f1:ce:bb:2f:89:ed:c0:b6:1b:e5:5b:f8:90:11:9a: + 52:93:e9:be:f7:35:b9:08:cb:ba:c3:ed:2f:73:af: + cc:96:07:55:b5:de:f6:03:f6:f1:89:f9:21:40:76: + c1:69:f2:61:cc:9a:94:df:9c:ec:6a:65:38:be:d1: + 4e:2a:87:c7:2f:3e:53:ae:8b:9f:54:a1:09:59:64: + 25:aa:a9:d8:44:a9:a8:a0:71:e1:32:aa:4c:32:fd: + 44:28:cc:9c:6f:8e:db:81:7e:6f:fa:00:56:c5:e5: + 03:46:63:fb:8e:71:8d:e3:13:91:9f:ac:60:3e:64: + f3:df:25:34:09:fa:2d:96:9f:16:05:ea:93:f5:e6: + 00:08:27:32:7b:3c:bd:ee:70:24:6c:3b:55:e9:db: + f4:10:2d:20:06:b4:ca:e9:29:65:55:ad:f6:52:54: + 5f:e5:a3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: + Digital Signature + X509v3 Subject Key Identifier: + 14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69 + X509v3 Authority Key Identifier: + keyid:14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69 + + Signature Algorithm: sha512WithRSAEncryption + 30:e7:48:02:37:e9:28:cf:04:a2:4d:5c:fa:d8:4e:c9:76:c7: + 14:3f:bd:2c:51:3d:33:f0:1a:bc:49:f1:47:95:8f:69:d8:a9: + 54:14:44:6c:4d:9f:55:82:08:1e:c6:5b:d5:91:d9:bc:2e:b0: + af:d6:25:65:74:96:aa:36:de:ae:31:a8:11:f2:a4:2c:5a:e1: + 4f:73:f8:4a:c3:35:b0:76:96:71:f2:b5:7d:4b:75:ee:5d:bf: + 86:a5:ba:0b:a9:52:cb:ec:ab:e5:23:4b:f2:74:55:28:17:1e: + b3:ac:27:ad:45:13:6e:69:b3:5a:be:42:36:29:48:db:e7:5c: + 22:58:a0:90:82:2c:2a:21:2b:db:f4:64:b7:91:5d:1f:2c:48: + a4:1a:85:e3:86:a5:aa:19:cd:19:e8:a5:fb:a3:7b:94:77:48: + 25:a4:cf:a0:cf:71:82:5c:6f:71:22:7c:d6:97:a0:53:bb:ec: + 30:f6:cb:16:fb:7b:fd:16:94:7a:53:6e:bd:04:64:a2:01:10: + 9f:f0:5b:b5:a6:73:41:9d:5f:6f:45:73:0d:05:f7:30:6d:39: + 90:b6:7d:55:7d:4c:2f:ae:5f:38:56:2f:8b:df:f4:bf:12:06: + 93:6e:0d:02:23:bf:71:91:57:88:e8:bd:62:72:99:00:40:29: + 1e:c9:13:11:da:7e:8e:e1:d2:a5:0d:bf:f7:d6:ec:01:0d:89: + 41:cd:d5:dc:d2:f7:5f:33:0d:4c:2f:85:b7:85:b7:81:e4:17: + 29:f0:74:cf:0e:15:8c:1a:50:0b:08:63:1a:91:4f:e7:76:97: + f1:d4:3b:7e:72:d4:c5:45:58:0c:6a:e9:0d:f2:85:d8:91:1e: + 37:bd:78:e3:39:4d:2e:fd:85:31:c1:a6:3b:6a:cc:2c:53:72: + 1d:8e:7b:f0:e6:76:86:09:6f:1a:f3:e4:a1:e2:dd:76:5f:b0: + 8c:e2:2a:54:5d:c1:88:49:90:10:15:42:7d:05:24:53:8c:54: + ff:48:18:1a:36:e3:31:d3:54:32:78:0d:fe:f2:3d:aa:0d:37: + 15:84:b4:36:47:31:e8:85:6e:0b:58:38:ff:21:91:09:c9:a8: + 43:a3:ea:60:cb:7e:ed:f7:41:6f:4e:91:c1:fd:77:46:e7:d4: + e7:86:c0:1b:fd:50:6c:aa:be:00:b3:63:02:ff:4e:c7:a5:57: + 6e:29:64:e9:54:d5:30:63:38:5f:2d:5a:db:49:5f:14:14:22: + d2:81:1f:61:9e:ee:ee:16:66:d6:bc:bd:ac:1b:5c:fb:38:31: + 95:33:2e:84:6e:7a:de:ee:b9:fc:97:17:06:13:bf:70:1c:6e: + 76:ed:66:38:e2:70:08:00 +-----BEGIN CERTIFICATE----- +MIIFODCCAyCgAwIBAgIJAMd+UWocJc1AMA0GCSqGSIb3DQEBDQUAMCwxKjAoBgNV +BAMMIUNhbm9uaWNhbCBMdGQuIExpdmUgUGF0Y2ggU2lnbmluZzAeFw0xNjA3MTgy +MzQxMjdaFw0yNjA3MTYyMzQxMjdaMCwxKjAoBgNVBAMMIUNhbm9uaWNhbCBMdGQu +IExpdmUgUGF0Y2ggU2lnbmluZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBAL107nKzSqvmMegpJMK9RpgywDnuo/uKrf6rGlujLqGA23lhnkd5LHVXoiHw +k/aH8ptLnS+zWGEoPEFwExahcpDJ1RZxfOAw+SheSCA2AGm3WZ+j7KjrVUGfOB4i +Slcg9INZScUAk9MzApLR/PCEO0pbj7Zzmon6MB7mKmjyke9ZVz3cHFJvXuabtbh8 +mMkT0TloAWeR4NNnchYKXhaDRTFPtSuz9kCGiTqEbm8WYbxwhL5aEzZ7guoHGfwY +wRbGMgt9LGvEIbk4azHc2QytVkBofOPGZI6/HOByPmzb0nN52tfFL10EfbAHHpXd +Kkdevz46yGb2Zw/UKvHicVnSbHugN6zml4AwE5dI1XT8OGjkV8uZaVqEJ6yYUeRk +vZFi6FgnBiq5C7gI5eW0UaeiEN9OB2ygO5bybt91jJceZKCahpuYJvnYt95bIbev +iQGj95hr2hm6hu/v8c67L4ntwLYb5Vv4kBGaUpPpvvc1uQjLusPtL3OvzJYHVbXe +9gP28Yn5IUB2wWnyYcyalN+c7GplOL7RTiqHxy8+U66Ln1ShCVlkJaqp2ESpqKBx +4TKqTDL9RCjMnG+O24F+b/oAVsXlA0Zj+45xjeMTkZ+sYD5k898lNAn6LZafFgXq +k/XmAAgnMns8ve5wJGw7Venb9BAtIAa0yukpZVWt9lJUX+WjAgMBAAGjXTBbMAwG +A1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQU3zTRqHzzdiWr7AOe +8r9SEkm5aTAfBgNVHSMEGDAWgBQU3zTRqHzzdiWr7AOe8r9SEkm5aTANBgkqhkiG +9w0BAQ0FAAOCAgEAMOdIAjfpKM8Eok1c+thOyXbHFD+9LFE9M/AavEnxR5WPadip +VBREbE2fVYIIHsZb1ZHZvC6wr9YlZXSWqjberjGoEfKkLFrhT3P4SsM1sHaWcfK1 +fUt17l2/hqW6C6lSy+yr5SNL8nRVKBces6wnrUUTbmmzWr5CNilI2+dcIligkIIs +KiEr2/Rkt5FdHyxIpBqF44alqhnNGeil+6N7lHdIJaTPoM9xglxvcSJ81pegU7vs +MPbLFvt7/RaUelNuvQRkogEQn/BbtaZzQZ1fb0VzDQX3MG05kLZ9VX1ML65fOFYv +i9/0vxIGk24NAiO/cZFXiOi9YnKZAEApHskTEdp+juHSpQ2/99bsAQ2JQc3V3NL3 +XzMNTC+Ft4W3geQXKfB0zw4VjBpQCwhjGpFP53aX8dQ7fnLUxUVYDGrpDfKF2JEe +N7144zlNLv2FMcGmO2rMLFNyHY578OZ2hglvGvPkoeLddl+wjOIqVF3BiEmQEBVC +fQUkU4xU/0gYGjbjMdNUMngN/vI9qg03FYS0Nkcx6IVuC1g4/yGRCcmoQ6PqYMt+ +7fdBb06Rwf13RufU54bAG/1QbKq+ALNjAv9Ox6VXbilk6VTVMGM4Xy1a20lfFBQi +0oEfYZ7u7hZm1ry9rBtc+zgxlTMuhG563u65/JcXBhO/cBxudu1mOOJwCAA= +-----END CERTIFICATE----- From patchwork Thu Feb 18 16:17:54 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 1441754 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DhKdD560tz9sCD; Fri, 19 Feb 2021 03:18:24 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lCm0S-0000pG-9Q; Thu, 18 Feb 2021 16:18:20 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCm0L-0000iW-81 for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 16:18:13 +0000 Received: from mail-wr1-f70.google.com ([209.85.221.70]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lCm0K-0002Lq-BO for kernel-team@lists.ubuntu.com; Thu, 18 Feb 2021 16:18:12 +0000 Received: by mail-wr1-f70.google.com with SMTP id e13so1200276wrg.4 for ; Thu, 18 Feb 2021 08:18:12 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=2dWDz2XbRCCihVCncH1LsqH/6cbyIvfvQCtFCEU85AQ=; b=N8yQO61kJsClRWqynmgjjqya+6iBEO4UXz5YMhTUjROwZAYyk3Bz/6133uQHz5RoBB vg4ZNLffp7BYCDU4Q3O0VKfycXY9GHhNSrLiGIiOuVgV1aSgD60YvX0/pfoxfWpSfTij qwdaHysiE4xm0K4SEuS1VzfxO2h2Dt+YeEXTjzjJ/10M7niXbIHJ+mYsggvTOcIztGw4 g4AbZFWyNqCHR1m1gp8tTJVFv4mJA51vB/LbNAAxrdIIrqrbvnB8K1a4JFVIPJy6yOdg bsgJwNEiuzc9amrlNJnTTIabovPTz9K7qLGahS6VhzSvPYZpX6p7QBXhdyInofhZ0iRJ hmOQ== X-Gm-Message-State: AOAM53055K/qDGgRVMltdpaHLACqQ912fkVly3x6Id2WiXt9Lu+9zsfg H+9YxdOpQQLdAkpIaK4Z+UH489Xesw+j6EODyb+BDNRPwOZwQxCUq6XwDZUomUdJpEkxwCjEkQw 2nZIMnKUoL4/DQKefCphk8a8Jr2zeU2j5G+wh3cEP3g== X-Received: by 2002:a1c:ba05:: with SMTP id k5mr4160810wmf.111.1613665091505; Thu, 18 Feb 2021 08:18:11 -0800 (PST) X-Google-Smtp-Source: ABdhPJxswv4TFoay2MEBYopjnXtT23PCGEJs5a0ljojaMb1S0IBR/NutLN0JxYY8AyD3deHk4MhbFQ== X-Received: by 2002:a1c:ba05:: with SMTP id k5mr4160792wmf.111.1613665091132; Thu, 18 Feb 2021 08:18:11 -0800 (PST) Received: from localhost ([2001:470:6973:2:4191:5ae2:921e:d619]) by smtp.gmail.com with ESMTPSA id z8sm9298211wrr.55.2021.02.18.08.18.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Feb 2021 08:18:10 -0800 (PST) From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [{bionic, focal, groovy}:linux 4/4] UBUNTU: [Config] add ubuntu-drivers key to SYSTEM_TRUSTED_KEYS Date: Thu, 18 Feb 2021 16:17:54 +0000 Message-Id: <20210218161754.1840146-9-apw@canonical.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210218161754.1840146-1-apw@canonical.com> References: <20210218161754.1840146-1-apw@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Andy Whitcroft Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" Add the Canonical Ltd. Kernel Module Signing certificate to allow external signing of kernel modules. BugLink: https://bugs.launchpad.net/bugs/1898716 Signed-off-by: Andy Whitcroft --- debian/certs/ubuntu-drivers-all.pem | 125 ++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 debian/certs/ubuntu-drivers-all.pem diff --git a/debian/certs/ubuntu-drivers-all.pem b/debian/certs/ubuntu-drivers-all.pem new file mode 100644 index 000000000000..9966174f1f6b --- /dev/null +++ b/debian/certs/ubuntu-drivers-all.pem @@ -0,0 +1,125 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + e9:df:13:0f:92:92:a9:b7 + Signature Algorithm: sha512WithRSAEncryption + Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Kernel Module Signing + Validity + Not Before: May 31 16:06:09 2016 GMT + Not After : May 29 16:06:09 2026 GMT + Subject: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Kernel Module Signing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:b3:b0:4f:c6:0a:77:8b:f9:d1:53:33:34:d2:80: + b5:63:6f:e1:f6:a2:83:99:d5:b6:b1:e4:99:91:fa: + 6c:19:c6:d0:91:2a:b9:7d:b5:98:a6:0d:28:01:b8: + 7c:8e:aa:38:ec:51:37:33:96:f0:b0:9b:8d:86:5f: + 67:23:69:2f:d7:c2:f3:fb:c5:d7:f9:04:ff:f2:e5: + 61:68:b7:29:b9:c6:8e:4b:4d:2d:8f:92:0c:00:b3: + a3:d2:5a:08:64:cd:f2:09:0b:a5:0e:e6:64:75:d5: + 41:f4:4d:49:3a:0d:dc:b9:27:8e:c4:d6:b1:df:8f: + 6c:f0:e4:f7:31:cb:a9:04:a1:f9:a7:aa:15:da:59: + 03:4d:46:14:d0:dd:bf:e0:f5:9e:f0:71:0c:70:78: + 2b:08:fb:e0:b6:68:a4:74:12:9d:f7:f2:64:88:17: + 2a:8a:ed:1a:91:b5:6c:13:bd:4c:10:0a:0b:72:0b: + 90:db:7d:f3:78:44:4c:d2:a5:41:f7:1c:77:7d:5a: + 8a:54:bc:8f:fe:b7:ee:e1:bc:59:37:c4:d4:e8:14: + d0:5b:42:9b:04:00:8e:6d:83:8a:25:21:5b:08:c4: + 7b:b2:d9:99:52:c9:5e:59:6d:c4:aa:52:59:e2:e4: + 2f:7e:7e:ac:05:01:99:bf:13:72:b7:45:c5:17:da: + 8a:d5:3e:71:73:2e:d8:aa:e6:eb:5a:d0:9a:c4:93: + f3:be:eb:d2:47:25:34:16:29:fa:dd:9a:2f:b1:20: + e5:41:4e:ed:ea:51:7c:23:80:ba:3d:b5:3a:0b:8c: + 9c:85:48:6c:3c:8b:29:2f:2f:12:c7:52:34:02:ea: + 0f:ac:53:23:3c:f8:3e:40:1b:30:63:e9:2d:e6:f6: + 58:cc:51:f9:eb:08:4a:b4:c7:16:80:d1:8b:c2:64: + 6a:71:a9:70:31:a4:a7:3a:c0:93:99:1b:0e:42:c1: + 00:6d:43:27:99:6c:e5:fd:23:16:c1:8e:b5:66:17: + 2b:4c:53:5a:6d:1e:96:16:13:6a:c6:d4:85:5b:74: + 2e:ce:7c:45:2f:ad:cb:75:9e:5e:91:bd:9a:6a:86: + 1a:06:bd:39:be:a3:50:56:ea:e1:f6:e3:95:69:d7: + 31:e4:66:f7:36:b5:51:c2:22:b4:9c:74:9c:44:0b: + 0e:16:5f:53:f0:23:c6:b9:40:bd:d6:b8:7d:1b:f6: + 73:f6:27:e7:c0:e3:65:a0:58:ab:5c:59:b7:80:8c: + 8c:04:b4:a9:ae:a0:51:40:10:3b:63:59:49:87:d1: + 9b:df:a3:8c:c4:2e:eb:70:c1:0a:18:1f:cb:22:c2: + f2:4a:65:0d:e5:81:74:d8:ce:72:c6:35:be:ba:63: + 72:c4:f9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: + Digital Signature + X509v3 Subject Key Identifier: + 88:F7:52:E5:60:A1:E0:73:7E:31:16:3A:46:6A:D7:B7:0A:85:0C:19 + X509v3 Authority Key Identifier: + keyid:88:F7:52:E5:60:A1:E0:73:7E:31:16:3A:46:6A:D7:B7:0A:85:0C:19 + + Signature Algorithm: sha512WithRSAEncryption + 04:85:16:27:58:ba:71:28:57:86:7b:c2:83:db:e5:72:6f:1e: + b2:1c:63:b0:db:ad:c0:42:96:c0:4f:65:f6:35:4d:c0:07:0d: + 46:be:d3:1e:ec:f1:22:18:2a:18:5d:bb:69:a6:a6:d4:0d:c3: + 57:03:b9:e7:45:49:28:ca:6d:98:17:68:97:cb:7b:36:81:0a: + 37:9e:34:79:f3:e1:0e:5b:77:43:bb:5a:a5:45:b7:16:50:86: + fd:12:a4:96:0f:15:19:09:1c:e1:fa:80:a5:80:09:be:bb:c8: + 26:0b:3e:de:03:d2:c2:18:a4:8d:0d:de:c5:32:82:0b:fb:75: + 55:66:1a:2a:bb:e4:bd:25:91:20:15:d4:be:b8:3f:53:e3:fb: + a8:c3:55:e3:d5:e7:82:18:95:df:39:09:a7:fc:89:6e:b4:1c: + aa:2d:e8:67:c2:0d:34:34:3e:f9:fa:0b:ce:81:92:11:ae:12: + 0a:fe:35:63:ce:46:29:c4:2b:4f:cb:4e:05:0a:a1:11:e2:35: + f6:5a:5d:b5:e8:d2:6f:4c:fc:3d:24:a6:03:4b:dd:98:6b:f2: + 71:58:16:1d:a5:25:ef:d9:06:7c:e8:db:7b:88:6a:89:5c:59: + 01:92:64:db:44:08:63:6c:7c:32:d6:55:98:63:09:26:61:67: + 0a:fe:5d:ee:fd:23:59:b3:4d:91:c1:4d:41:8b:cd:20:58:fa: + 2d:45:e5:bd:1d:69:5c:03:a0:49:a6:97:54:13:b6:c9:e0:f8: + 56:83:a1:2a:c3:f4:6c:fd:ab:20:ca:3d:9c:95:c0:cf:04:bb: + 46:39:cf:34:81:65:45:27:64:01:7d:62:b3:b8:72:ea:10:d5: + 0f:53:7d:39:88:25:09:6f:8c:bc:e0:49:bb:39:e2:0e:8d:cf: + 56:4d:c1:82:6d:87:d2:e7:fc:c0:9f:a7:65:60:d2:6c:65:18: + 59:38:6e:d0:9c:d7:c3:81:9a:9a:29:8f:83:84:c3:b5:44:ff: + 28:ac:13:17:64:f2:26:13:d9:55:06:b7:69:68:7c:bf:ec:d1: + 8c:ef:b7:da:76:e1:07:73:c6:31:62:31:cb:b6:e1:e7:7f:0c: + c3:f7:4c:52:be:25:36:8e:a1:bb:60:02:c3:cb:3e:6f:29:fc: + 7f:6a:fa:f8:ec:0a:df:49:e2:57:0e:bc:bd:93:c3:1b:d5:36: + 8a:ff:d8:1b:17:c7:1f:cb:69:00:d2:54:9e:ad:61:89:92:95: + 11:f8:ea:17:83:9f:9b:09:7d:b8:94:a4:ea:f5:ae:ea:dc:dd: + 62:b9:9e:68:9c:18:ec:19:c4:13:08:c8:b1:62:ab:8e:84:69: + 11:3c:da:ea:0d:b7:22:bd +-----BEGIN CERTIFICATE----- +MIIF2jCCA8KgAwIBAgIJAOnfEw+Skqm3MA0GCSqGSIb3DQEBDQUAMH0xCzAJBgNV +BAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEQMA4GA1UEBwwHRG91Z2xhczEX +MBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4xLTArBgNVBAMMJENhbm9uaWNhbCBMdGQu +IEtlcm5lbCBNb2R1bGUgU2lnbmluZzAeFw0xNjA1MzExNjA2MDlaFw0yNjA1Mjkx +NjA2MDlaMH0xCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEQMA4G +A1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4xLTArBgNVBAMM +JENhbm9uaWNhbCBMdGQuIEtlcm5lbCBNb2R1bGUgU2lnbmluZzCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBALOwT8YKd4v50VMzNNKAtWNv4faig5nVtrHk +mZH6bBnG0JEquX21mKYNKAG4fI6qOOxRNzOW8LCbjYZfZyNpL9fC8/vF1/kE//Ll +YWi3KbnGjktNLY+SDACzo9JaCGTN8gkLpQ7mZHXVQfRNSToN3LknjsTWsd+PbPDk +9zHLqQSh+aeqFdpZA01GFNDdv+D1nvBxDHB4Kwj74LZopHQSnffyZIgXKortGpG1 +bBO9TBAKC3ILkNt983hETNKlQfccd31ailS8j/637uG8WTfE1OgU0FtCmwQAjm2D +iiUhWwjEe7LZmVLJXlltxKpSWeLkL35+rAUBmb8TcrdFxRfaitU+cXMu2Krm61rQ +msST877r0kclNBYp+t2aL7Eg5UFO7epRfCOAuj21OguMnIVIbDyLKS8vEsdSNALq +D6xTIzz4PkAbMGPpLeb2WMxR+esISrTHFoDRi8JkanGpcDGkpzrAk5kbDkLBAG1D +J5ls5f0jFsGOtWYXK0xTWm0elhYTasbUhVt0Ls58RS+ty3WeXpG9mmqGGga9Ob6j +UFbq4fbjlWnXMeRm9za1UcIitJx0nEQLDhZfU/AjxrlAvda4fRv2c/Yn58DjZaBY +q1xZt4CMjAS0qa6gUUAQO2NZSYfRm9+jjMQu63DBChgfyyLC8kplDeWBdNjOcsY1 +vrpjcsT5AgMBAAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1Ud +DgQWBBSI91LlYKHgc34xFjpGate3CoUMGTAfBgNVHSMEGDAWgBSI91LlYKHgc34x +FjpGate3CoUMGTANBgkqhkiG9w0BAQ0FAAOCAgEABIUWJ1i6cShXhnvCg9vlcm8e +shxjsNutwEKWwE9l9jVNwAcNRr7THuzxIhgqGF27aaam1A3DVwO550VJKMptmBdo +l8t7NoEKN540efPhDlt3Q7tapUW3FlCG/RKklg8VGQkc4fqApYAJvrvIJgs+3gPS +whikjQ3exTKCC/t1VWYaKrvkvSWRIBXUvrg/U+P7qMNV49XnghiV3zkJp/yJbrQc +qi3oZ8INNDQ++foLzoGSEa4SCv41Y85GKcQrT8tOBQqhEeI19lpdtejSb0z8PSSm +A0vdmGvycVgWHaUl79kGfOjbe4hqiVxZAZJk20QIY2x8MtZVmGMJJmFnCv5d7v0j +WbNNkcFNQYvNIFj6LUXlvR1pXAOgSaaXVBO2yeD4VoOhKsP0bP2rIMo9nJXAzwS7 +RjnPNIFlRSdkAX1is7hy6hDVD1N9OYglCW+MvOBJuzniDo3PVk3Bgm2H0uf8wJ+n +ZWDSbGUYWThu0JzXw4GamimPg4TDtUT/KKwTF2TyJhPZVQa3aWh8v+zRjO+32nbh +B3PGMWIxy7bh538Mw/dMUr4lNo6hu2ACw8s+byn8f2r6+OwK30niVw68vZPDG9U2 +iv/YGxfHH8tpANJUnq1hiZKVEfjqF4Ofmwl9uJSk6vWu6tzdYrmeaJwY7BnEEwjI +sWKrjoRpETza6g23Ir0= +-----END CERTIFICATE-----