mokmanager is part of shim and you should always have the matching versions of mmx64.efi and shimx64.efi on the ESP, so the use of ephemeral vs archive key is not material at runtime for a properly-installed system. Reducing the overall number of asset types signed directly with the online signing key is preferable in terms of management of our key hierarchy. And if we were to sign it directly with the archive key, I would want it split out of the shim package entirely and treated as a separate source, with a separate upload and signing cycle - which is a lot of extra work for very little benefit.

If the issue is that the description on the ephemeral certificate is opaque, that is something we could address in the shim source instead. Currently:

    $ openssl pkcs7 -noout -print_certs -inform DER -in /tmp/detached.der
    subject=C = US, L = SomeCity, O = SomeOrg, CN = shim
    issuer=C = US, L = SomeCity, O = SomeOrg
    $

I can see how we might want to improve on that.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1880197

Title:
  mokmanager is signed using ephemeral key, instead of Vendor Key

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197/+subscriptions
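The openssl command quoted above operates on a detached PKCS#7 blob that first has to be pulled out of the signed PE/EFI image. The following is an added example (not code from the bug report, the shim project or Ubuntu) showing how to parse the PE Attribute Certificate Table and write each PKCS#7 SignedData entry to a file, so an administrator can check which certificate actually signed the mmx64.efi and shimx64.efi sitting on their ESP. The minimal PE32+ image built by `build_sample_pe` is constructed here purely for demonstration and carries a placeholder payload rather than a real signature; the output path `/tmp/detached.der` is taken from the command in the thread.

```python
"""Pull the Authenticode (PKCS#7) signature out of a signed PE/EFI binary.

Added example. The parser follows the PE/COFF layout: DOS header -> e_lfanew ->
"PE\0\0" -> COFF header -> optional header -> data directories, where slot 4
(the security directory) points at a table of WIN_CERTIFICATE entries. The
sample image built below is constructed for the test and is not a real shim.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory slot for the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds PKCS#7 SignedData (DER)
WIN_CERT_REVISION_2_0 = 0x0200


def extract_authenticode(data: bytes) -> list:
    """Return every PKCS#7 SignedData blob found in the PE certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = pe_off + 4 + 20                                  # COFF header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:      # PE32
        dd_off = opt_off + 96
    elif magic == 0x20B:    # PE32+ (x86_64 EFI binaries such as shimx64.efi)
        dd_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    table_off, table_size = struct.unpack_from("<II", data, sec_entry)
    if table_size == 0:
        return []                                              # unsigned image
    # Unlike the other directories, the security entry holds a raw file offset.
    end = table_off + table_size
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    blobs = []
    pos = table_off
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry at offset %d" % pos)
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(bytes(data[pos + 8:pos + length]))
        pos += (length + 7) & ~7                               # entries are 8-byte aligned
    return blobs


def build_sample_pe(signed: bool = True) -> bytes:
    """Constructed minimal PE32+ image with (optionally) a fake certificate table."""
    pe_off = 0x40
    opt_off = pe_off + 4 + 20
    dd_off = opt_off + 112
    headers_len = dd_off + 16 * 8                               # 16 data directories
    img = bytearray(headers_len)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe_off + 4, 0x8664)            # IMAGE_FILE_MACHINE_AMD64
    struct.pack_into("<H", img, opt_off, 0x20B)                # PE32+ magic
    if not signed:
        return bytes(img)
    # Entry 1: placeholder standing in for the DER PKCS#7 blob a real shim carries.
    payload = b"FAKE-PKCS7-SIGNED-DATA"
    entry1 = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                         WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    entry1 += b"\0" * (-len(entry1) % 8)                       # pad to 8-byte boundary
    # Entry 2: a different certificate type, which the extractor must skip.
    entry2 = struct.pack("<IHH", 16, WIN_CERT_REVISION_2_0, 0x0001) + b"X509CERT"
    table = entry1 + entry2
    struct.pack_into("<II", img, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     headers_len, len(table))
    return bytes(img) + table


if __name__ == "__main__":
    # Usage: python3 extract_sig.py /boot/efi/EFI/ubuntu/mmx64.efi
    # With no argument the constructed sample image is used instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_sample_pe()
    for i, blob in enumerate(extract_authenticode(image)):
        out = "/tmp/detached%s.der" % ("" if i == 0 else i)
        with open(out, "wb") as f:
            f.write(blob)
        print("wrote %d bytes to %s; inspect with:" % (len(blob), out))
        print("  openssl pkcs7 -noout -print_certs -inform DER -in " + out)
```

Run against the real mmx64.efi and shimx64.efi from the ESP and feed each resulting file to the quoted openssl command; the subject/issuer lines then show directly whether the two binaries were signed by the same ephemeral "CN = shim" key or by different keys.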
