fix: use correct cert for sig-kernel (#3 )

fix: use correct cert for sig-kernel
I accidentally commited the sig-cloud aarch cert, this change puts the right cert in place. Signed-off-by: Neil Hanlon <neil@rockylinux.org>
2024-02-14 17:31:08 +01:00 · 2024-02-14 11:29:59 -05:00 · 2024-02-14 16:43:24 +01:00 · 2024-02-14 09:56:51 -05:00
4 changed files with 40 additions and 2 deletions
--- a/tools/kernelmanager/kernel_repack/v1/BUILD
+++ b/tools/kernelmanager/kernel_repack/v1/BUILD
@ -17,7 +17,8 @@ go_library(
        "data/kvm_stat.logrotate",
        "data/mod-denylist.sh",
        "data/mod-sign.sh",
-        "data/rocky-sigkernel.cer",
+        "data/secureboot-sig-kernel-x86_64.cer",
+        "data/secureboot-sig-kernel-aarch64.cer",
        "data/rockykpatch1.x509",
        "data/x509.genkey",
        "data/rockydup1.x509",
--- a/tools/kernelmanager/kernel_repack/v1/data/ml.spec
+++ b/tools/kernelmanager/kernel_repack/v1/data/ml.spec
@ -240,11 +240,18 @@ Source2000: cpupower.service
 Source2001: cpupower.config
 Source2002: kvm_stat.logrotate

-Source3000: rocky-sigkernel.cer
+Source3000: secureboot-sig-kernel-x86_64.cer
+Source3001: secureboot-sig-kernel-aarch64.cer

 %if %{signkernel}
 %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
+
+%ifarch x86_64
 %define secureboot_key_0 %{SOURCE3000}
+%endif
+%ifarch aarch64
+%define secureboot_key_0 %{SOURCE3001}
+%endif

 %define pesign_name_0 rockybootsigningsigkernelcert
 %endif
--- a/tools/kernelmanager/kernel_repack/v1/data/secureboot-sig-kernel-aarch64.cer
+++ b/tools/kernelmanager/kernel_repack/v1/data/secureboot-sig-kernel-aarch64.cer
@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFNjCCBB6gAwIBAgIBHjANBgkqhkiG9w0BAQsFADCB1DELMAkGA1UEBhMCVVMx
+ETAPBgNVBAgMCERlbGF3YXJlMQ4wDAYDVQQHDAVEb3ZlcjEtMCsGA1UECgwkUm9j
+a3kgRW50ZXJwcmlzZSBTb2Z0d2FyZSBGb3VuZGF0aW9uMSEwHwYDVQQLDBhSZWxl
+YXNlIGVuZ2luZWVyaW5nIHRlYW0xKDAmBgNVBAMMH1JvY2t5IExpbnV4IFNlY3Vy
+ZSBCb290IFJvb3QgQ0ExJjAkBgkqhkiG9w0BCQEWF3NlY3VyaXR5QHJvY2t5bGlu
+dXgub3JnMB4XDTIzMTAyMDE5Mzc1MloXDTI0MTAxOTE5Mzc1Mlowge0xCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhEZWxhd2FyZTEOMAwGA1UEBwwFRG92ZXIxLTArBgNV
+BAoMJFJvY2t5IEVudGVycHJpc2UgU29mdHdhcmUgRm91bmRhdGlvbjEhMB8GA1UE
+CwwYUmVsZWFzZSBlbmdpbmVlcmluZyB0ZWFtMUEwPwYDVQQDDDhSb2NreSBMaW51
+eCBLZXJuZWwgU0lHIEtlcm5lbCBTaWduaW5nIENlcnQgMTAxIChhYXJjaDY0KTEm
+MCQGCSqGSIb3DQEJARYXc2VjdXJpdHlAcm9ja3lsaW51eC5vcmcwggGiMA0GCSqG
+SIb3DQEBAQUAA4IBjwAwggGKAoIBgQCvRkiuaBxdWyLeQRHKRxcoiBoQeDA4/pFx
+0073j2Mrk/PTyNg9E3/tw2nR1fQvFMhy0uPBXPCLyLru9GwMxGHGXZgNk0HpuFER
+FyFqUOanqZieCjAxcxC53fExASR30bcRnxqNM/LC8Uq6m0vzwma9lGv/pinxCME5
+Znjw6YkPwbwIGocAc2MZtfkUw6vXHs7N+ZIX62EqwSThFVsMwVj9bpjFJlZTlgOT
+jS0VHAVHmR6/08I02xrqSiOHQaKB8BAffJSvihQNTuJUfM31Y9874Pr9whSAfkKV
+OoeMU0zJuGaYRMBGTPbZx0VYlfoOgXHwoAsIOu/2XtY5R8r/n+e/lBKVStM9e8wx
+eImF8/BxRPgMUk4GFNfEdwwFC1iDXdGmzg/t6gqIEtc2ljQ7rFWjMfmXsTUlkMxU
+DM0BQMQ4Hzg3N4ajEaHRNM9QZvkag6bdOYYqz3hwRVD+I2uu5zywTH2pHdI7HViW
+Os86ASZvLThmR6Bqf0O7pPh6soh3+20CAwEAAaN4MHYwDAYDVR0TAQH/BAIwADAO
+BgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYE
+FGrfzX8K1i83Ns6lipNwBOk83UcgMB8GA1UdIwQYMBaAFEwsa9fWTugVgcq46YZm
+H2XiFm/EMA0GCSqGSIb3DQEBCwUAA4IBAQCKRVszxEgeGGJlegRwupSVqjSpGglM
+0Alrq+rjcZhM6CFdyvi8a0uNuf7mFdwum+XG6CGRAN66Mw8szqo0kov/icIH6JcS
+hEH6iXZ5QbO529y7cHZ2guBjM6qju/khB46Aa7Q1zmBDNgnAADp+1q3hIo050ae0
+d+i4R8rTY0Vhqegw9yKYrNFUEBL5ZDfU0fF1tlJ9CanspjEYCV5y2MwqYfrGrCDd
+0ITa6KKSdRWROZwSVzSBls9sL1cevgOH6IwEkL2jgso5M7xb1uGD+L9WHomAjz/q
+PLhtPqMEh187v/4a8vMJiQlWDjpqYVGQQQPyVbDceUrrW2NyYZbLVc1A
+-----END CERTIFICATE-----
--- a/tools/kernelmanager/kernel_repack/v1/data/secureboot-sig-kernel-x86_64.cer
+++ b/tools/kernelmanager/kernel_repack/v1/data/secureboot-sig-kernel-x86_64.cer
Author	SHA1	Message	Date
Mustafa Gezen	850969184d	fix: use correct cert for sig-kernel (#3 )	2024-02-14 17:31:08 +01:00
Neil Hanlon	3ba5e2f619	fix: use correct cert for sig-kernel I accidentally commited the sig-cloud aarch cert, this change puts the right cert in place. Signed-off-by: Neil Hanlon <neil@rockylinux.org>	2024-02-14 11:29:59 -05:00
Mustafa Gezen	f3394c9537	fix build for aarch64 SB signing (#2 ) we are submitting for a new shim and wish to release arm artifacts. This change implements a new conditional definition of which certificate to use when signing, based on the architecture.	2024-02-14 16:43:24 +01:00
Neil Hanlon	b0c766efdc	fix build for aarch64 SB signing	2024-02-14 09:56:51 -05:00