ppa uefi certificates are generated for 10 years; Canonical CA and signing keys are done for 30 years
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| lp-signing |
Fix Released
|
High
|
Colin Watson | ||
Bug Description
The lp-signing code generates certificates valid for 10 years. For the official Ubuntu UEFI SecureBoot chain, we have been producing certificates valid for 30 years (which is 2x the validity of the Microsoft CA, which is 15 years).
The intent when generating these for 30 years is that, if no revocations happen, we don't in principle want keys to stop being valid for booting due to the passage of time only.
Of course, in practice it is unlikely to ever go 30 years without needing a revocation. We have just had our first revocation of a signing key after 7 years of use.
So I don't know if 30 years is actually any more sensible than 10 years, but it would probably be good to have some consistency here and either update Canonical's internal documentation, or update lp-signing.
Related branches
- Kristian Glass (community): Approve
-
Diff: 71 lines (+7/-7)2 files modifiedlp_signing/model/key.py (+2/-2)
lp_signing/model/tests/test_key.py (+5/-5)
| Tom Wardill (twom) wrote | #1 |
| Changed in lp-signing: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| Changed in lp-signing: | |
| status: | Triaged → In Progress |
| assignee: | nobody → Colin Watson (cjwatson) |
| Colin Watson (cjwatson) wrote | #2 |
| Changed in lp-signing: | |
| status: | In Progress → Fix Released |
We should make sure we're consistent before creating too many keys / widely using the feature.