Hi,

> As of today the cc grub does not look very stripped down to me:
> 
> kraxel@fedora ~# ll /boot/efi/EFI/fedora/grubaa64*
> -rwxr-xr-x. 1 root root 4473256 Jun 12 12:23 
> /boot/efi/EFI/fedora/grubaa64-cc.efi*
> -rwxr-xr-x. 1 root root 4407720 Jun  4 02:00 
> /boot/efi/EFI/fedora/grubaa64.efi*

Oh, and while being at it:  Is there any documentation for the secure
boot signing changes which seem to go on in fedora right now?

The grub binaries are signed like this:

  kraxel@fedora-rawhide ~# pe-inspect /boot/efi/EFI/fedora/grubx64-cc.efi 
  # file: /boot/efi/EFI/fedora/grubx64-cc.efi
  [ ... ]
  #    sigdata: addr 0x003f4000 +0x000011a8
  #       signature: len 0xa3f, type 0x2
  #          certificate
  #             subject CN: fedora-signer-20250530
  #             issuer  CN: fedora-ca-20250530
  #       signature: len 0x762, type 0x2
  #          certificate
  #             subject CN: kernel-signer
  #             issuer  CN: fedoraca

So, the first signature seems to be from a new signer and CA, but that
certificate is not included in the most recent shim builds, even though
the CA seems to exist for a year already.

Also it seems the (old) kernel-signer is used for grub signing.  IIRC
grub had its own signer in the past.  Is that an intentional change?

take care,
  Gerd

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to