Both shim and TianoCore include the following code:
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
#if defined(OPENSSL_SYS_UEFI)
    /* Bypass Certificate Time Checking for UEFI version. */
    return 1;
#else
    [...]
#endif
}
So effectively, we don't do verification of signature times in UEFI. So this is a bug in sbsigntool.