Merge ~cjwatson/lp-signing:reduce-key-validity into lp-signing:master

Proposed by Colin Watson
Status: Merged
Approved by: Colin Watson
Approved revision: 6f6c61e3bfd8acde7f711c28f03b6cd8c6beabb0
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~cjwatson/lp-signing:reduce-key-validity
Merge into: lp-signing:master
Diff against target: 80 lines (+8/-8)
2 files modified
lp_signing/model/key.py (+2/-2)
lp_signing/model/tests/test_key.py (+6/-6)
Reviewer Review Type Date Requested Status
Jürgen Gmach Approve
Review via email: mp+432573@code.launchpad.net

Commit message

Reduce key validity period to 25 years

Description of the change

Apparently some firmware has trouble with certificates that have 30 years of validity, but is fine with 25 years.

Jürgen Gmach (jugmac00) :
review: Approve

Preview Diff

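diff --git a/lp_signing/model/key.py b/lp_signing/model/key.py
index 39c902b..2f74892 100644
--- a/lp_signing/model/key.py
+++ b/lp_signing/model/key.py
@@ -345,7 +345,7 @@ class Key(Storm):
 _log_subprocess_run([
 "openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
 "-subj", f"/CN={common_name_esc}/", "-keyout", str(key),
- "-out", str(cert), "-days", "10956", "-nodes", "-sha256",
+ "-out", str(cert), "-days", "9131", "-nodes", "-sha256",
 ], check=True)
 return key.read_bytes(), cert.read_bytes()
 
@@ -385,7 +385,7 @@ class Key(Storm):
 cert = tmp / f"{key_type.name.lower()}.x509"
 _log_subprocess_run([
 "openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "10956", "-batch", "-x509", "-config", str(keygen),
+ "-days", "9131", "-batch", "-x509", "-config", str(keygen),
 "-outform", "PEM", "-out", str(pem), "-keyout", str(pem),
 ], check=True)
 _log_subprocess_run([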
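Review bot: The validity period is now a bare `"9131"` repeated in both `openssl req` invocations in this file (and six more times in test_key.py), with nothing in the code saying it means roughly 25 years or why the limit exists. A single module-level constant would keep the two call sites in step and carry the rationale, e.g. `KEY_VALIDITY_DAYS = "9131"  # ~25 years; some firmware rejects certificates valid for 30 years`. The first invocation also pairs `-newkey rsa:2048` with that lifetime, so it is worth recording next to the constant whether a 2048-bit key is an accepted trade-off for a certificate meant to stay valid that long. Certificates already issued with `10956` days are presumably unaffected by this change and would need regenerating if the firmware problem applies to them. Both enclosing methods start and end outside the hunks.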
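diff --git a/lp_signing/model/tests/test_key.py b/lp_signing/model/tests/test_key.py
index 3a49a28..ab051b2 100644
--- a/lp_signing/model/tests/test_key.py
+++ b/lp_signing/model/tests/test_key.py
@@ -137,7 +137,7 @@ class TestKey(TestCase):
 "openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
 "-subj", r"/CN=~signing-owner\/ubuntu\/testing UEFI/",
 "-keyout", EndsWith("uefi.key"), "-out", EndsWith("uefi.crt"),
- "-days", "10956", "-nodes", "-sha256",
+ "-days", "9131", "-nodes", "-sha256",
 ]
 x509_args = [
 "openssl", "x509", "-inform", "PEM", "-noout", "-fingerprint",
@@ -178,7 +178,7 @@ class TestKey(TestCase):
 r"codeSigning,1.3.6.1.4.1.2312.16.1.2\s*\b", flags=re.S))
 req_args = [
 "openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "10956", "-batch", "-x509",
+ "-days", "9131", "-batch", "-x509",
 "-config", EndsWith("kmod.keygen"),
 "-outform", "PEM", "-out", EndsWith("kmod.pem"),
 "-keyout", EndsWith("kmod.pem"),
@@ -225,7 +225,7 @@ class TestKey(TestCase):
 self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
 req_args = [
 "openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "10956", "-batch", "-x509",
+ "-days", "9131", "-batch", "-x509",
 "-config", EndsWith("opal.keygen"),
 "-outform", "PEM", "-out", EndsWith("opal.pem"),
 "-keyout", EndsWith("opal.pem"),
@@ -272,7 +272,7 @@ class TestKey(TestCase):
 self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
 req_args = [
 "openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "10956", "-batch", "-x509",
+ "-days", "9131", "-batch", "-x509",
 "-config", EndsWith("sipl.keygen"),
 "-outform", "PEM", "-out", EndsWith("sipl.pem"),
 "-keyout", EndsWith("sipl.pem"),
@@ -317,7 +317,7 @@ class TestKey(TestCase):
 "openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
 "-subj", r"/CN=~signing-owner\/ubuntu\/testing FIT/",
 "-keyout", EndsWith("fit.key"), "-out", EndsWith("fit.crt"),
- "-days", "10956", "-nodes", "-sha256",
+ "-days", "9131", "-nodes", "-sha256",
 ]
 x509_args = [
 "openssl", "x509", "-inform", "PEM", "-noout", "-fingerprint",
@@ -443,7 +443,7 @@ class TestKey(TestCase):
 "openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
 "-subj", r"/CN=~signing-owner\/ubuntu\/testing Android Kernel/",
 "-keyout", EndsWith("android_kernel.key"),
- "-out", EndsWith("android_kernel.crt"), "-days", "10956",
+ "-out", EndsWith("android_kernel.crt"), "-days", "9131",
 "-nodes", "-sha256",
 ]
 rsa_args = [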
