On Mon, Jan 23, 2023 at 11:19:56AM -0000, Dimitri John Ledkov wrote:
> UEFI specifications in general ignore signing time.
> IMHO we should remove / not include signing timestamp in the UEFI
> signatures to avoid this.

Doesn't this suggest it's actually a kernel bug for enforcing something
here that UEFI does not expect to be enforced? Not including timestamps
in signatures doesn't sound ideal to me.

--
https://bugs.launchpad.net/bugs/2003701

Title:
  PKCS7: Message signed outside of X.509 validity window

Status in openssl package in Ubuntu:
  New
Status in sbsigntool package in Ubuntu:
  New

Bug description:
  When signing UEFI applications, the signature includes signing
  timestamp. Kernels, upon kexec, check that message signature is within
  the validity of the X.509 signing certificate.

  When using original canonical kernel team test key, I no longer can
  kexec kernels, as the test key has expired.

  UEFI specifications in general ignore signing time.

  IMHO we should remove / not include signing timestamp in the UEFI
  signatures to avoid this.

  ---

  I guess openssl needs to provide ability to create signatures without
  signingtime attribute.
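The check the bug description refers to, sketched as an added example (not code from the kernel, openssl or sbsigntool): it extracts the signingTime attribute from a DER-encoded signedAttrs set and compares it with a certificate validity window. The sample attributes and validity dates are constructed, and treating a missing signingTime as "nothing to check" is an assumption about the verifier.

```python
from datetime import datetime, timezone

SIGNING_TIME = bytes.fromhex("2a864886f70d010905")  # OID 1.2.840.113549.1.9.5

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def signing_time(signed_attrs):
    """signingTime from a DER signedAttrs SET, or None when the attribute is absent."""
    _, attrs, _ = read_tlv(signed_attrs, 0)
    for _, attr in children(attrs):
        (_, oid), (_, values) = children(attr)  # Attribute ::= SEQUENCE { OID, SET OF value }
        if oid == SIGNING_TIME:
            vtag, val = next(children(values))
            s = val.decode("ascii")
            if vtag == 0x17:  # UTCTime: two-digit year, pivot at 50 (RFC 5280)
                s = ("20" if int(s[:2]) < 50 else "19") + s
            return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return None

def check_window(signed_attrs, not_before, not_after):
    """Assumed policy: enforce the validity window only when signingTime is present."""
    t = signing_time(signed_attrs)
    return t is None or not_before <= t <= not_after

# Constructed sample data (not taken from a real signature or certificate).
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths are enough here

def make_attr(oid_hex, vtag, value):
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x31, tlv(vtag, value)))

CONTENT_TYPE = make_attr("2a864886f70d010903", 0x06, bytes.fromhex("2a864886f70d010701"))
WITH_TIME = tlv(0x31, CONTENT_TYPE + make_attr("2a864886f70d010905", 0x17, b"230123111956Z"))
WITHOUT_TIME = tlv(0x31, CONTENT_TYPE)
WINDOW = (datetime(2012, 1, 1, tzinfo=timezone.utc), datetime(2022, 1, 1, tzinfo=timezone.utc))
```

With the constructed window ending in 2022, the signature carrying a 2023 signingTime fails the check, while the same attributes without signingTime pass it.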