Merge ~cjwatson/lp-signing:30-year-expiry into lp-signing:master

Proposed by Colin Watson
Status: Merged
Approved by: Colin Watson
Approved revision: 151f5ddf84cd676b7afa53e13fb5a5e9ec862d47
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~cjwatson/lp-signing:30-year-expiry
Merge into: lp-signing:master
Diff against target: 71 lines (+7/-7)
2 files modified
lp_signing/model/key.py (+2/-2)
lp_signing/model/tests/test_key.py (+5/-5)
Reviewer Review Type Date Requested Status
Kristian Glass (community) Approve
Review via email: mp+388991@code.launchpad.net

Commit message

Extend key expiration to 30 years

Description of the change

OpenSSL doesn't permit creating a certificate without an expiry date, but for these keys we want something that's functionally non-expiring. Launchpad historically used 10 years, while the official Ubuntu UEFI Secure Boot chain uses 30 years. As far as I know there's no real reason for the discrepancy here, so extend our expiry duration to match that used by Ubuntu.

Revision history for this message
Kristian Glass (doismellburning) :
review: Approve


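--- a/lp_signing/model/key.py
+++ b/lp_signing/model/key.py
@@ -344,7 +344,7 @@ class Key(Storm):
         _log_subprocess_run([
             "openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
             "-subj", f"/CN={common_name_esc}/", "-keyout", str(key),
-            "-out", str(cert), "-days", "3650", "-nodes", "-sha256",
+            "-out", str(cert), "-days", "10956", "-nodes", "-sha256",
         ], check=True)
         return key.read_bytes(), cert.read_bytes()
 
@@ -364,7 +364,7 @@ class Key(Storm):
         cert = tmp / f"{key_type.name.lower()}.x509"
         _log_subprocess_run([
             "openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
-            "-days", "3650", "-batch", "-x509", "-config", str(keygen),
+            "-days", "10956", "-batch", "-x509", "-config", str(keygen),
             "-outform", "PEM", "-out", str(pem), "-keyout", str(pem),
         ], check=True)
         _log_subprocess_run([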
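Review bot: The validity period is now a bare literal `"10956"` repeated at new-side lines 347 and 367 (and five more times across the test_key.py hunks), so nothing in the code records that it means roughly 30 years or why that value was chosen. Hoist it to one module-level constant carrying the rationale from the description, e.g. `# ~30 years, matching the Ubuntu UEFI Secure Boot chain; OpenSSL will not issue a certificate without an expiry` above `CERT_VALIDITY_DAYS = "10956"`, and pass `CERT_VALIDITY_DAYS` after `"-days"` in both calls so the tests can import the same name instead of restating the number. That comment is also the place to note that a 30-year certificate on an `rsa:2048` key (line 345) outlives most published key-strength guidance, so the long expiry should not be read as a statement that the key never needs rotating. Both enclosing methods start and end outside the hunk.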
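--- a/lp_signing/model/tests/test_key.py
+++ b/lp_signing/model/tests/test_key.py
@@ -131,7 +131,7 @@ class TestKey(TestCase):
             "openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
             "-subj", r"/CN=~signing-owner\/ubuntu\/testing UEFI/",
             "-keyout", EndsWith("uefi.key"), "-out", EndsWith("uefi.crt"),
-            "-days", "3650", "-nodes", "-sha256",
+            "-days", "10956", "-nodes", "-sha256",
         ]
         x509_args = [
             "openssl", "x509", "-inform", "PEM", "-noout", "-fingerprint",
@@ -172,7 +172,7 @@ class TestKey(TestCase):
             r"codeSigning,1.3.6.1.4.1.2312.16.1.2\s*\b", flags=re.S))
         req_args = [
             "openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
-            "-days", "3650", "-batch", "-x509",
+            "-days", "10956", "-batch", "-x509",
             "-config", EndsWith("kmod.keygen"),
             "-outform", "PEM", "-out", EndsWith("kmod.pem"),
             "-keyout", EndsWith("kmod.pem"),
@@ -219,7 +219,7 @@ class TestKey(TestCase):
         self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
         req_args = [
             "openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
-            "-days", "3650", "-batch", "-x509",
+            "-days", "10956", "-batch", "-x509",
             "-config", EndsWith("opal.keygen"),
             "-outform", "PEM", "-out", EndsWith("opal.pem"),
             "-keyout", EndsWith("opal.pem"),
@@ -266,7 +266,7 @@ class TestKey(TestCase):
         self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
         req_args = [
             "openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
-            "-days", "3650", "-batch", "-x509",
+            "-days", "10956", "-batch", "-x509",
             "-config", EndsWith("sipl.keygen"),
             "-outform", "PEM", "-out", EndsWith("sipl.pem"),
             "-keyout", EndsWith("sipl.pem"),
@@ -311,7 +311,7 @@ class TestKey(TestCase):
             "openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
             "-subj", r"/CN=~signing-owner\/ubuntu\/testing FIT/",
             "-keyout", EndsWith("fit.key"), "-out", EndsWith("fit.crt"),
-            "-days", "3650", "-nodes", "-sha256",
+            "-days", "10956", "-nodes", "-sha256",
         ]
         x509_args = [
             "openssl", "x509", "-inform", "PEM", "-noout", "-fingerprint",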
