Revert to 2022 certificates
The linux certificate is also embedded in the linux source package, and needs to be updated, in bullseye and bookworm too. Revert to the 2022 certificates for now. Leave the new systemd-boot certificate in place, as it's new and not used in oldstable/stable.
For additional verification, git diff to pre-new-cert-MR-merge:
diff --git a/etc/debian-prod-2024-systemd-boot.pem b/etc/debian-prod-2024-systemd-boot.pem
new file mode 100644
index 0000000..1fb6b40
--- /dev/null
+++ b/etc/debian-prod-2024-systemd-boot.pem
@@ -0,0 +1,80 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 0e:c1:9b:35:21:0f:03:59:cb:a4:56:33:39:d7:f4:29:b8:b2:39:95
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Debian Secure Boot CA
+ Validity
+ Not Before: Dec 24 09:47:39 2024 GMT
+ Not After : Dec 22 09:47:39 2034 GMT
+ Subject: CN=Debian Secure Boot Signer 2024 - 20425036 - systemd-boot
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:a4:4b:fa:67:54:e8:c5:58:13:c1:c5:a4:ab:68:
+ c8:1d:49:52:2f:23:b3:4b:bd:29:0a:98:d5:ed:ef:
+ aa:07:79:5c:6e:06:bb:1d:9d:c3:72:1a:ef:55:ec:
+ 45:d8:f1:2f:68:9f:b7:43:49:b3:90:25:d3:b0:13:
+ 4f:04:c7:8e:68:59:de:24:07:3d:ae:23:80:8d:55:
+ 38:0e:3c:ae:92:82:e3:78:5f:54:a0:76:43:f8:d6:
+ d0:67:f0:eb:9e:61:c7:74:08:a7:f9:40:2b:65:50:
+ e0:11:e6:4e:b0:61:3a:42:56:93:51:73:c2:a1:96:
+ 5b:0b:17:d7:90:a5:b5:55:e6:7a:bd:cc:a8:07:8d:
+ b8:d6:0c:98:a5:f6:14:e4:9b:8b:13:4c:cd:fd:cb:
+ 4b:5f:56:2e:59:20:96:10:3f:e7:03:58:46:42:fb:
+ 57:b8:64:23:02:d9:e1:d2:8f:be:28:f8:3f:e4:a5:
+ bb:7d:90:a2:59:dd:9d:5c:9e:89:d3:e3:a4:89:dd:
+ 3b:aa:8b:10:68:e9:f5:bb:fc:56:20:04:11:ad:56:
+ ca:e9:84:82:80:09:7d:7f:4e:18:b1:06:a4:fe:dc:
+ 21:41:cd:52:62:d6:20:fc:3a:6d:46:9a:71:f5:d8:
+ e7:96:d7:c1:25:95:9b:76:af:93:25:a5:2e:8a:50:
+ fb:a3
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Key Usage:
+ Digital Signature
+ X509v3 Extended Key Usage:
+ Code Signing
+ X509v3 Subject Key Identifier:
+ 94:24:23:86:D4:59:61:46:39:FA:B9:AB:02:E0:BD:EA:AC:07:D4:AC
+ X509v3 Authority Key Identifier:
+ 6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
+ Signature Algorithm: sha256WithRSAEncryption
+ Signature Value:
+ 12:a8:57:2e:cd:47:75:a7:52:41:ca:21:4f:79:7b:4b:a9:c6:
+ dc:a9:a4:66:e9:d9:c1:19:b3:21:9c:ac:31:f5:50:62:aa:e9:
+ db:d6:2f:54:55:2d:f4:c5:e9:56:bd:d7:be:3d:d4:59:e0:44:
+ 02:36:00:e4:c3:51:50:cc:40:be:94:0c:6b:c8:03:d1:bb:43:
+ ca:49:89:5b:bf:53:c4:7a:01:20:c9:81:09:d6:45:45:6d:52:
+ d1:a2:f9:9a:e2:ad:40:ab:64:9b:c9:97:da:58:a1:6d:dd:65:
+ 28:9b:d1:5d:6e:2a:b6:0e:f5:1a:f5:9c:b6:83:65:c3:1c:61:
+ f2:bf:8c:ca:e7:d7:51:26:a3:df:1d:35:39:9b:72:ce:76:88:
+ c1:bd:ca:32:60:f9:41:75:cc:87:73:f6:ff:e1:b1:f8:4f:89:
+ de:c0:d0:f4:1e:e0:e0:2d:fa:5b:96:99:1f:fe:d2:f3:d9:67:
+ 7f:b5:ae:65:9e:a8:3a:8b:84:0b:e2:2a:45:bb:f6:aa:a2:11:
+ 7e:80:f4:fb:5e:e6:b0:e4:09:17:ec:76:a9:be:32:58:dc:cc:
+ f1:49:64:74:ba:5d:49:5a:5b:f3:aa:85:f1:21:69:5a:0b:75:
+ ff:40:fc:00:cf:53:3f:cd:d7:40:64:2e:54:e3:9a:78:93:e9:
+ af:78:1c:b1
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
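Review bot: Before this file is consumed through cert_path, verify the PEM block (not the text dump above it) chains to the CA named on the Issuer line, CN=Debian Secure Boot CA, and that the X509v3 Authority Key Identifier 6C:CE:CE:7E:... equals that CA's Subject Key Identifier; also confirm that whatever reads cert_path tolerates the human-readable dump that precedes the BEGIN CERTIFICATE line. The dump itself shows the expected profile for a boot-signing leaf (Key Usage Digital Signature, Extended Key Usage Code Signing, valid Dec 24 2024 to Dec 22 2034, subject tied to token 20425036), so nothing here blocks keeping this one file while the other certificates are reverted, as the commit message intends.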
diff --git a/etc/debian-prod.yaml b/etc/debian-prod.yaml
index e735127..3f47972 100644
--- a/etc/debian-prod.yaml
+++ b/etc/debian-prod.yaml
@@ -40,6 +40,11 @@ signing-keys:
cert_path: /var/lib/codesign/code-signing/etc/debian-prod-2022-shim.pem
token: "YubiKey PIV #20425036"
certname: "X.509 Certificate for Retired Key 5"
+ debian-2024-systemd-boot:
+ pkcs11_uri: "pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=20425036;token=YubiKey%20PIV%20%2320425036;id=%0f;object=X.509%20Certificate%20for%20Retired%20Key%2011"
+ cert_path: /var/lib/codesign/code-signing/etc/debian-prod-2024-systemd-boot.pem
+ token: "YubiKey PIV #20425036"
+ certname: "X.509 Certificate for Retired Key 11"
maintainer:
key_id: 7CA15FBC7108FA0914F84F9D8B415188B74E3736
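Review bot: The new debian-2024-systemd-boot entry names the key twice, via the pkcs11_uri (serial=20425036; id=%0f; object=X.509 Certificate for Retired Key 11) and via certname "X.509 Certificate for Retired Key 11", while the shim entry directly above uses Retired Key 5 on the same token; confirm on the token that the object in Retired Key 11 holds the public key in debian-prod-2024-systemd-boot.pem, because a slot/certificate mismatch yields signatures the embedded 2024 certificate cannot validate. A one-line comment on the entry recording that the 2024 systemd-boot key lives in Retired Key 11 (id %0f) would document the pairing next to the 2022 entries.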
@@ -61,6 +66,7 @@ package-keys:
linux: debian-2022-linux
linux-6.1: debian-2022-linux
shim: debian-2022-shim
+ systemd-boot: debian-2024-systemd-boot
#interactive: true
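Review bot: The package-keys line maps systemd-boot to debian-2024-systemd-boot, which matches the signing-keys entry name added in the earlier hunk, while linux, linux-6.1 and shim stay on the debian-2022-* keys; since the commit message says the linux certificate still has to be updated in the linux source package for bullseye and bookworm, add a short comment beside the linux lines stating they are intentionally left on 2022 pending that update, so the deferred migration is visible in the config and not only in the commit history.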