Hi, > As of today the cc grub does not look very stripped down to me: > > kraxel@fedora ~# ll /boot/efi/EFI/fedora/grubaa64* > -rwxr-xr-x. 1 root root 4473256 Jun 12 12:23 > /boot/efi/EFI/fedora/grubaa64-cc.efi* > -rwxr-xr-x. 1 root root 4407720 Jun 4 02:00 > /boot/efi/EFI/fedora/grubaa64.efi*
Oh, and while being at it: Is there any documentation for the secure boot signing changes which seem to go on in fedora right now? The grub binaries are signed like this: kraxel@fedora-rawhide ~# pe-inspect /boot/efi/EFI/fedora/grubx64-cc.efi # file: /boot/efi/EFI/fedora/grubx64-cc.efi [ ... ] # sigdata: addr 0x003f4000 +0x000011a8 # signature: len 0xa3f, type 0x2 # certificate # subject CN: fedora-signer-20250530 # issuer CN: fedora-ca-20250530 # signature: len 0x762, type 0x2 # certificate # subject CN: kernel-signer # issuer CN: fedoraca So, the first signature seems to be from a new signer and CA, but that certificate is not included in the most recent shim builds, even though the CA seems to exist for a year already. Also it seems the (old) kernel-signer is used for grub signing. IIRC grub had its own signer in the past. Is that an intentional change? take care, Gerd -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
