ppa uefi certificates are generated for 10 years; Canonical CA and signing keys are done for 30 years

Bug #1890204 reported by Steve Langasek on 2020-08-03
This bug affects 1 person
Affects: lp-signing
Importance: High
Assigned to: Colin Watson

Bug Description

The lp-signing code generates certificates valid for 10 years. For the official Ubuntu UEFI SecureBoot chain, we have been producing certificates valid for 30 years (which is 2x the validity of the Microsoft CA, which is 15 years).

The intent when generating these for 30 years is that, if no revocations happen, we don't in principle want keys to stop being valid for booting due to the passage of time only.

Of course, in practice it is unlikely to ever go 30 years without needing a revocation. We have just had our first revocation of a signing key after 7 years of use.

So I don't know if 30 years is actually any more sensible than 10 years, but it would probably be good to have some consistency here and either update Canonical's internal documentation, or update lp-signing.
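
An added example, not part of the original report or of lp-signing: a consistency check for the mismatch described above. It parses text in the style of `openssl x509 -noout -subject -dates` and groups certificates by validity period; the two certificates, their subject names and their dates are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of `openssl x509 -noout -subject -dates`.
# Subjects and dates are hypothetical: one 3650-day and one 10950-day cert.
SAMPLE = """\
subject=CN = Example PPA Secure Boot Signing
notBefore=Aug  3 12:00:00 2020 GMT
notAfter=Aug  1 12:00:00 2030 GMT
subject=CN = Example Archive Secure Boot Signing
notBefore=Aug  3 12:00:00 2020 GMT
notAfter=Jul 27 12:00:00 2050 GMT
"""


def _parse_time(value):
    # openssl pads single-digit days with an extra space and appends "GMT".
    fields = value.split()
    return datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")


def parse_certs(text):
    """Return one dict per certificate: subject, notBefore, notAfter."""
    certs = []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            certs.append({"subject": value.strip()})
        elif key in ("notBefore", "notAfter") and certs:
            certs[-1][key] = _parse_time(value)
    return certs


def lifetime_days(cert):
    return (cert["notAfter"] - cert["notBefore"]).days


def group_by_validity_years(certs):
    """Map validity period (rounded to whole years) to the subjects using it."""
    groups = defaultdict(list)
    for cert in certs:
        groups[round(lifetime_days(cert) / 365.25)].append(cert["subject"])
    return dict(groups)


if __name__ == "__main__":
    groups = group_by_validity_years(parse_certs(SAMPLE))
    for years, subjects in sorted(groups.items()):
        print(f"{years} years: {', '.join(subjects)}")
    print("consistent" if len(groups) == 1 else "INCONSISTENT validity periods")
```

More than one group in the output means the signing services disagree on certificate lifetime, which is the condition this bug describes.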


Tom Wardill (twom) wrote :

We should make sure we're consistent before creating too many keys / widely using the feature.

Changed in lp-signing:
status: New → Triaged
importance: Undecided → High
Colin Watson (cjwatson) on 2020-08-10
Changed in lp-signing:
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson) wrote :

Belatedly deployed to production.

Changed in lp-signing:
status: In Progress → Fix Released