FTR: NSA says[1] that most UEFI implementations only support one hash, which might be the first one or a random one, and upstream confirms that to some extent - PE 8.3 not having a coherent spec for alignment or padding of signatures, causing incompatibilities - so that seems like a no-go anyway.
[1] 4.3.2 "Most UEFI implementations only read one/the first signature in a binary. Remove or overwrite existing signatures before signing." - https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF

https://bugs.launchpad.net/bugs/1895817
Title: [FFe] Dual-signed shim
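Added example, not part of the original comment or of shim's own tooling: a pre-signing check that lists the WIN_CERTIFICATE entries in a PE image's certificate table, so a binary that already carries one or more signatures is caught before another is appended. The function names and the sample image are constructed for illustration.

```python
import struct

def list_pe_signatures(data: bytes):
    """Return (dwLength, wRevision, wCertificateType) per WIN_CERTIFICATE entry."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # start of data directories
    if struct.unpack_from("<I", data, dirs - 4)[0] <= 4:  # NumberOfRvaAndSizes
        return []
    # Directory 4 is the certificate table; its "address" is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    if size == 0:
        return []
    if off + size > len(data):
        raise ValueError("certificate table runs past end of file")
    entries, pos, end = [], off, off + size
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE length")
        entries.append((length, rev, ctype))
        pos += (length + 7) & ~7   # each entry starts on an 8-byte boundary
    return entries

def constructed_image(blob_sizes):
    """Constructed PE32+ skeleton with one dummy certificate entry per blob size."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<I", hdr, opt + 108, 16)
    table = b""
    for n in blob_sizes:           # revision 2.0, type PKCS#7 SignedData
        entry = struct.pack("<IHH", 8 + n, 0x0200, 0x0002) + b"\0" * n
        table += entry + b"\0" * (-len(entry) % 8)
    struct.pack_into("<II", hdr, opt + 112 + 4 * 8, len(hdr), len(table))
    return bytes(hdr) + table

if __name__ == "__main__":
    print(list_pe_signatures(constructed_image([5, 11])))
```

A result with more than one entry is the dual-signed case the comment warns about; an empty list means the image is unsigned.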
