Merge ~jsquyres-cisco/ubuntu/+source/shim:pr/better-make-cert-field-values into ubuntu/+source/shim:ubuntu/devel

Proposed by Jeff Squyres
Status: Rejected
Rejected by: Robie Basak
Proposed branch: ~jsquyres-cisco/ubuntu/+source/shim:pr/better-make-cert-field-values
Merge into: ubuntu/+source/shim:ubuntu/devel
Diff against target: 71 lines (+10/-13)
1 file modified
make-certs (+10/-13)
Reviewer Review Type Date Requested Status
Julian Andres Klode (community) Disapprove
git-ubuntu developers Pending
Review via email: mp+395923@code.launchpad.net

Description of the change

My group recently had a somewhat-alarming day when we noticed a basically-unlabeled MOK on our machines. After several hours, we finally tracked the cert down to https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197.

This merge proposal simply updates the certificate metadata in an attempt to help future admins who notice this MOK be able to track it down and see that it is, indeed, a legitimate / necessary certificate.

Revision history for this message
Jeff Squyres (jsquyres-cisco) wrote :

Could someone from the review team have a look at this PR? Thanks!

Revision history for this message
Julian Andres Klode (juliank) wrote :

We no longer use this certificate

review: Disapprove

Unmerged commits

b74e498... by Jeff Squyres <email address hidden>

make-certs: improve locality, org, and comments

Use something slightly less generic than "SomeCity" / "SomeOrg" for
metadata given to new certs. The intent is to help a curious
sysadmin who stumbles across a MOK on their system that was created by
an ephemeral certificate have a better/easier chance of tracking down
exactly what that MOK is / is for (see
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197).

Signed-off-by: Jeff Squyres <email address hidden>

Preview Diff

1diff --git a/make-certs b/make-certs
2index 3e9293b..990884b 100755
3--- a/make-certs
4+++ b/make-certs
5@@ -219,9 +219,8 @@ subjectKeyIdentifier=hash
6
7 [req_ca_name]
8 C=US
9-#stateOrProvinceName=SomeState
10-localityName=SomeCity
11-O=SomeOrg
12+localityName=Internal
13+O=Ubuntu shim package build system
14 EOF
15 #echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
16 cat >> openssl.cnf <<- EOF
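Review bot: `localityName=Internal` in [req_ca_name] misuses the L= field, which is meant to name a city or locality, and still gives an admin nothing concrete to search for; since the stated goal is discoverability, the subject would be more useful carrying the package name and the bug reference from the commit message, for example an added `OU=shim-signed MOK, see LP: #1880197` line (a suggested value, not something the script currently sets).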
17@@ -233,7 +232,7 @@ authorityKeyIdentifier=keyid:always
18 #authorityKeyIdentifier=keyid:always,issuer:always
19 keyUsage=nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
20 basicConstraints=critical,CA:TRUE
21-nsComment="Testing CA Certificate"
22+nsComment="CA Certificate from Ubuntu shim package build system"
23 EOF
24 if test -n "$aia" ; then
25 echo "authorityInfoAccess = ${aia}" >> openssl.cnf
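Review bot: nsComment is a legacy Netscape extension, so the new "CA Certificate from Ubuntu shim package build system" text is only seen by an admin whose tool dumps extensions; MOK listings usually show Subject and Issuer, so the identifying text should primarily live in the subject fields (the O= line changed in the previous hunk) and this comment should be treated as a secondary label, not the discoverable one.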
26@@ -254,9 +253,8 @@ default_md = $DIGEST
27
28 [req_ocsp_name]
29 C=US
30-#stateOrProvinceName=SomeState
31-localityName=SomeOrg
32-O=SomeOrg
33+localityName=Internal
34+O=Ubuntu shim package build system
35 EOF
36 #echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
37 cat >> openssl.cnf <<- EOF
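Review bot: the removed `localityName=SomeOrg` in [req_ocsp_name] was a pre-existing copy-and-paste inconsistency with the other sections, which used SomeCity, so this hunk corrects it as a side effect; a sentence in the commit message noting that the OCSP subject was previously inconsistent would document that behaviour change.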
38@@ -270,7 +268,7 @@ keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgr
39 extendedKeyUsage=1.3.6.1.5.5.7.3.9
40 #basicConstraints=CA:FALSE
41 basicConstraints=CA:TRUE
42-nsComment="Testing OCSP Certificate"
43+nsComment="OCSP Certificate from Ubuntu shim package build system"
44 1.3.6.1.5.5.7.48.1.5=ASN1:NULL
45 EOF
46 if test -n "$aia" ; then
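Review bot: out of scope for this change but visible in the context lines: the OCSP responder certificate keeps `basicConstraints=CA:TRUE` with `#basicConstraints=CA:FALSE` commented out directly above it; an OCSP signing certificate does not normally need CA status, so that deserves a separate follow-up rather than being carried along silently with the cosmetic nsComment edit.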
47@@ -289,9 +287,8 @@ default_md = $DIGEST
48
49 [req_issued_name]
50 C=US
51-#stateOrProvinceName=SomeState
52-localityName=SomeCity
53-O=SomeOrg
54+localityName=Internal
55+O=Ubuntu shim package build system
56 EOF
57 #echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
58 #mail = $GIVENUSER
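Review bot: deleting the commented-out `#stateOrProvinceName=SomeState` line here (and in the two earlier sections) is unrelated cleanup of a line that never affected the generated certificates; either leave it out of this change or mention it in the commit message, which currently describes only the locality, organisation and comment changes.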
59@@ -322,10 +319,10 @@ if test -n "$eku" ; then
60 fi
61 if test "x$CA" = xTRUE ; then
62 echo "basicConstraints=critical,CA:TRUE" >> openssl.cnf
63- echo 'nsComment="Testing CA Certificate for '"$commonname"'"' >> openssl.cnf
64+ echo 'nsComment="CA Certificate from Ubuntu shim package build system for '"$commonname"'"' >> openssl.cnf
65 else
66 echo "basicConstraints=CA:FALSE" >> openssl.cnf
67- echo 'nsComment="Testing Certificate for '"$commonname"'"' >> openssl.cnf
68+ echo 'nsComment="Certificate from Ubuntu shim package build system for '"$commonname"'"' >> openssl.cnf
69 fi
70 for value in $principals; do
71 user=`echo "$value" | cut -f1 -d@`
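Review bot: the literal "Ubuntu shim package build system" now appears in seven places across the script (three O= lines and four nsComment strings), and the two echo lines in this hunk are the hardest to read; defining it once near the top, e.g. `ORG="Ubuntu shim package build system"`, and referencing `$ORG` in the heredocs and echo lines keeps the strings consistent and avoids a future mismatch like the SomeOrg/SomeCity one this change happens to fix.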
