certs: include both root CA and direct signing certificate. closes: #924545

Module loading needs the issuer certificate to validate the signature, and that certificate is not embedded in the signature itself. For now embed both the signing certificate and the root CA.
2026-03-24 19:40:21 +09:00 · 2019-03-14 13:21:57 +01:00
parent 2f067b01ec
commit af53d158a0
4 changed files with 24 additions and 2 deletions
--- a/debian/certs/debian-uefi-certs.pem
+++ b/debian/certs/debian-uefi-certs.pem
@@ -20,3 +20,21 @@ UdeTk566CA1Zl/LiKaBETeru+D4CYMoVz06aJZGEP7dax+68a4Cj2f2ybXoeYxTr
 7/GwQCXV6A6B62v3y//lIQAiLC6aNWASS1tfOEaEDAacz3KTYhjuXJjWs30GJTmV
 305gdrAGewiwbuNknyFWrTkP
 -----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC/DCCAeSgAwIBAgIFAKdGje8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UEAxMV
+RGViaWFuIFNlY3VyZSBCb290IENBMB4XDTE2MDgxNjE4MjI1MFoXDTI2MDgxNjE4
+MjI1MFowJDEiMCAGA1UEAxMZRGViaWFuIFNlY3VyZSBCb290IFNpZ25lcjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANPRg5AP2mWiLwdaYJXr98eGfCCG
+2mWjphLrWzvOyPs/oXJLnt9QxQMzpAwrX9ZBBA22z5VI7YqyrdblATdOYM2ySjgE
+s0SAlK+fblTbqB88t0sw3iGBbwmjZrpqK5bWmmF3DNTtPNBxu62M8CJcPiXMbSIu
+YZeVr5suTVi2fngCww65+rJbJ959or4MFKxz7JewFV7t7eWldT944HHOL86D7VMx
+MJhO5vkBooiIpiMIfA23VDoWle1eeV6QTv7Nqt6C/PaWcU5JSbnT6bCrf9cqR7dT
+MCd83GaYCW/RfvV/PT7UomqIWQIvLz3IxijeQv7ZUj0kwvxAmBH2dr+Mu2UCAwEA
+AaM5MDcwEQYJYIZIAYb4QgEBBAQDAgQQMBUGA1UdJQQOMAwGCisGAQQBgjcKAwEw
+CwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQBXG6RgTCnp8n1rXJPbzGyf
+GD9pSJp13mTzg0oJqSYh7ulWXeE+2XXLzH+/TeToiT1+EUKHQMPV4HF53ABs4XFi
+x5jCyycLL5/M7PqLsvMLnvPyw8mf2yWTkKTNuwHljvTXVai0dUEx/U5dAxigwqzF
+3kbn3BzPEtWd6Eedk4wyzUTVdMcwmlelVtB+zwURtPTzKfnbm1PSvS+tanUmRWS6
+uiiWh4638HlX+noOPEo4krzylfLnKND32JgaXjmetWWAvfPaEj9Qdmcpn9ELCh6H
+l1xy2/MBdErdB7p26Wr83SLbRgLXrwrF7RW8Dyup242/f2+torfFTUpHs8FWkLYX
+-----END CERTIFICATE-----
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,10 @@ linux (4.19.28-2) UNRELEASED; urgency=medium
  * [arm64] Enable I2C_GPIO as a module.
  * [arm64] Enable MESON_EFUSE as a module.

+  [ Yves-Alexis Perez ]
+  * certs: include both root CA and direct signing certificate.
+    closes: #924545
+
 -- Ben Hutchings <ben@decadent.org.uk>  Tue, 12 Mar 2019 15:44:31 +0000

 linux (4.19.28-1) unstable; urgency=medium
--- a/debian/config/config
+++ b/debian/config/config
@@ -77,7 +77,7 @@ CONFIG_MODULE_SIG_KEY=""
 #. Actually a file containing X.509 certificates, not keys.
 #. Whenever the filename changes, this also needs to be updated in
 #. debian/featureset-*/config
-CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-ca.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"

 ##
 ## file: crypto/Kconfig
--- a/debian/config/featureset-rt/config
+++ b/debian/config/featureset-rt/config
@@ -2,7 +2,7 @@
 ## file: certs/Kconfig
 ##
 #. Certificate paths are resolved relative to debian/build/source_rt
-CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-ca.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-certs.pem"

 ##
 ## file: kernel/Kconfig.preempt