From: Jan Stancek <[email protected]>
redhat: replace redhatsecureboot303 signing key with redhatsecureboot601
Forward-port of c9s commit
50f1da0079cb ("redhat: replace redhatsecureboot303 signing key with
redhatsecureboot601")
Intent is to separate trust between the different architectures,
and to avoid shipping 2 CAs on ppc, since grub is also signed
with redhatsecureboot601.
Signed-off-by: Jan Stancek <[email protected]>
diff --git a/redhat/Makefile b/redhat/Makefile
index blahblah..blahblah 100644
--- a/redhat/Makefile
+++ b/redhat/Makefile
@@ -709,7 +709,7 @@ sources-rh: $(TARBALL) $(KABI_TARBALL) $(KABIDW_TARBALL)
generate-testpatch-tmp
@cat $$(ls -1 $(SPECPACKAGE_NAME).changelog-* | sort -t '.' -k 3 -n -r)
\
> $(SOURCES)/kernel.changelog
@if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \
- cp keys/redhatsecureboot{302,303,501,ca5,ca3}.cer $(SOURCES)/; \
+ cp keys/redhatsecureboot{302,501,601,ca3,ca5,ca6}.cer
$(SOURCES)/; \
else \
cp keys/redhatsecureboot{401,ca4}.cer $(SOURCES)/; \
fi
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -816,24 +816,25 @@ Source2: kernel.changelog
Source10: redhatsecurebootca5.cer
Source11: redhatsecurebootca3.cer
-Source12: redhatsecureboot501.cer
-Source13: redhatsecureboot302.cer
-Source14: redhatsecureboot303.cer
+Source12: redhatsecurebootca6.cer
+Source13: redhatsecureboot501.cer
+Source14: redhatsecureboot302.cer
+Source15: redhatsecureboot601.cer
%ifarch x86_64 aarch64
%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE12}
+%define secureboot_key_0 %{SOURCE13}
%define pesign_name_0 redhatsecureboot501
%endif
%ifarch s390x
%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_0 %{SOURCE13}
+%define secureboot_key_0 %{SOURCE14}
%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
-%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_0 %{SOURCE14}
-%define pesign_name_0 redhatsecureboot303
+%define secureboot_ca_0 %{SOURCE12}
+%define secureboot_key_0 %{SOURCE15}
+%define pesign_name_0 redhatsecureboot601
%endif
# released_kernel
diff --git a/redhat/keys/redhatsecureboot303.cer
b/redhat/keys/redhatsecureboot303.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecureboot303.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecureboot303.cer and /dev/null differ
diff --git a/redhat/keys/redhatsecureboot601.cer
b/redhat/keys/redhatsecureboot601.cer
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/redhatsecureboot601.cer
diff --git a/redhat/keys/redhatsecurebootca6.cer
b/redhat/keys/redhatsecurebootca6.cer
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/redhatsecurebootca6.cer
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849
--
_______________________________________________
kernel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
