mokmanager is part of shim and you should always have the matching
versions of mmx64.efi and shimx64.efi on the ESP, so the use of
ephemeral vs archive key is not material at runtime for a properly-
installed system.  Reducing the overall number of asset types signed
directly with the online signing key is preferable in terms of
management of our key hierarchy.  And if we were to sign it directly
with the archive key, I would want it split out of the shim package
entirely and treated as a separate source, with a separate upload and
signing cycle - which is a lot of extra work for very little benefit.

If the issue is that the description on the ephemeral certificate is
opaque, that is something we could address in the shim source instead.

Currently:

$ openssl pkcs7 -noout -print_certs -inform DER -in /tmp/detached.der
subject=C = US, L = SomeCity, O = SomeOrg, CN = shim

issuer=C = US, L = SomeCity, O = SomeOrg


$

I can see how we might want to improve on that.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1880197

Title:
  mokmanager is signed using ephemeral key, instead of Vendor Key

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to