Fedora Secure Boot CA expired in January 2022

Hello,

I noticed that the Fedora Secure Boot CA on my system has expired. It has no effect on Secure Boot, which works properly. I would like to check whether the certificate was updated; my system has been upgraded multiple times, so it was likely enrolled during installation.

I would love to inform the developers, but I am unsure which package this CA file was distributed in. Does anyone know? Thanks.

[root@nuc fedora]# mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 7e:68:65:1d:52:68:5f:7b:f5:8e:a0:1d:78:4d:2f:90:d3:f4:0f:0a
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2574709492 (0x9976f2f4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Fedora Secure Boot CA
        Validity
            Not Before: Dec  7 16:25:54 2012 GMT
            Not After : Dec  5 16:25:54 2022 GMT
        Subject: CN=Fedora Secure Boot CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ae:f5:f7:52:81:a9:5c:3e:2b:f7:1d:55:f4:5a:
                    68:84:2d:bc:8b:76:96:85:0d:27:b8:18:a5:cd:c1:
                    83:b2:8c:27:5d:23:0a:d1:12:0a:75:98:a2:e6:5d:
                    01:8a:f4:d9:9f:fc:70:bc:c3:c4:17:7b:02:b5:13:
                    c4:51:92:e0:c0:05:74:b9:2e:3d:24:78:a0:79:73:
                    94:c0:c2:2b:b2:82:a7:f4:ab:67:4a:22:f3:64:cd:
                    c3:f9:0c:26:01:bf:1b:d5:3d:39:bf:c9:fa:fb:5e:
                    52:b9:a4:48:fb:13:bf:87:29:0a:64:ef:21:7b:bc:
                    1e:16:7b:88:4f:f1:40:2b:d9:22:15:47:4e:84:f6:
                    24:1c:4d:53:16:5a:b1:29:bb:5e:7d:7f:c0:d4:e2:
                    d5:79:af:59:73:02:dc:b7:48:bf:ae:2b:70:c1:fa:
                    74:7f:79:f5:ee:23:d0:03:05:b1:79:18:4f:fd:4f:
                    2f:e2:63:19:4d:77:ba:c1:2c:8b:b3:d9:05:2e:d9:
                    d8:b6:51:13:bf:ce:36:67:97:e4:ad:58:56:07:ab:
                    d0:8c:66:12:49:dc:91:68:b4:c8:ea:dd:9c:c0:81:
                    c6:91:5b:db:12:78:db:ff:c1:af:08:16:fc:70:13:
                    97:5b:57:ad:6b:44:98:7e:1f:ec:ed:46:66:95:0f:
                    05:55
                Exponent: 65537 (0x10001)

The cert seems to be embedded in the shim package:

[root@nuc fedora]# rpm -ql shim-x64
/boot/efi/EFI/BOOT/BOOTX64.EFI
/boot/efi/EFI/BOOT/fbx64.efi
/boot/efi/EFI/fedora/BOOTX64.CSV
/boot/efi/EFI/fedora/mmx64.efi
/boot/efi/EFI/fedora/shim.efi
/boot/efi/EFI/fedora/shimx64.efi
/etc/dnf/protected.d/shim.conf

[root@nuc fedora]# rpm -q shim-x64
shim-x64-15.6-2.x86_64

[root@nuc fedora]# strings /boot/efi/EFI/fedora/shim.efi | grep "Fedora Secure Boot CA"
Fedora Secure Boot CA0
Fedora Secure Boot CA0

But in dist-git I only see the binary. Apparently the reason is that it needs to be signed by the Microsoft key, but I wonder if there is a time to refresh that certificate. I am on Fedora 36 right now 🙂

Yeah, feel free to file a bugzilla bug on shim for it. 🙂

Thanks. Reported as

https://bugzilla.redhat.com/show_bug.cgi?id=2189197

I just noticed the same on my system. I cannot check the bugzilla ticket because I get access denied.

Is there a fix for this issue?

Also
https://bugzilla.redhat.com/show_bug.cgi?id=2198977

It seems nothing is checking the expiry date, so things just keep on working.

Yeah, the bug was triaged as security, so it is no longer visible; however, it was shortly afterwards closed as a dupe of 2198977 – Secure boot shim cert seems to be out of date (exp. Dec. 2022). The latter one is public.

The latest shim does have a new certificate for signing grub2 and the kernel. It expires on "Not After : Jan 19 03:14:07 2037 GMT".
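Since, as noted above, neither the firmware nor shim enforces the validity period, the only way to notice an expired enrolled certificate is to check the dates yourself. The script below is an added example (not code from the thread, from Fedora or from the mokutil/shim projects) that parses the text `mokutil --list-enrolled` prints and reports which enrolled certificates have passed their "Not After" date as of a given day. The embedded sample output is constructed: the first entry repeats the fields shown in the thread for the 2012–2022 Fedora Secure Boot CA, and the second entry is a hypothetical certificate with the 2037 expiry mentioned for the newer shim (its fingerprint, serial and issuer name are placeholders, not real values).

```python
import re
from datetime import datetime, timezone

# Constructed sample of `mokutil --list-enrolled` output (trimmed to the fields
# the parser needs). [key 1] copies the values shown in the thread; [key 2] is a
# hypothetical entry whose fingerprint, serial and issuer are placeholders.
SAMPLE_MOKUTIL_OUTPUT = """\
[key 1]
SHA1 Fingerprint: 7e:68:65:1d:52:68:5f:7b:f5:8e:a0:1d:78:4d:2f:90:d3:f4:0f:0a
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2574709492 (0x9976f2f4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Fedora Secure Boot CA
        Validity
            Not Before: Dec  7 16:25:54 2012 GMT
            Not After : Dec  5 16:25:54 2022 GMT
        Subject: CN=Fedora Secure Boot CA
[key 2]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example Secure Boot CA (constructed placeholder)
        Validity
            Not Before: Jan 19 03:14:07 2022 GMT
            Not After : Jan 19 03:14:07 2037 GMT
        Subject: CN=Example Secure Boot CA (constructed placeholder)
"""

KEY_HEADER = re.compile(r"^\[key (\d+)\]$", re.MULTILINE)
FINGERPRINT = re.compile(r"SHA1 Fingerprint:\s*([0-9a-fA-F:]+)")
SUBJECT = re.compile(r"^\s*Subject:\s*(.+)$", re.MULTILINE)  # "Subject:" only, not "Subject Public Key Info:"
NOT_AFTER = re.compile(r"Not After\s*:\s*(.+?)\s+GMT")


def parse_openssl_gmt(value: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY' part of an OpenSSL-style date as UTC."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_enrolled(text: str) -> list[dict]:
    """Extract key number, fingerprint, subject and expiry from mokutil output."""
    entries = []
    # re.split with a capturing group yields [preamble, num, body, num, body, ...]
    chunks = KEY_HEADER.split(text)
    for num, body in zip(chunks[1::2], chunks[2::2]):
        fp, subj, na = FINGERPRINT.search(body), SUBJECT.search(body), NOT_AFTER.search(body)
        if not (fp and subj and na):
            continue  # skip an entry we cannot interpret rather than guess at it
        entries.append({
            "key": int(num),
            "fingerprint": fp.group(1).lower(),
            "subject": subj.group(1).strip(),
            "not_after": parse_openssl_gmt(na.group(1)),
        })
    return entries


def expiry_report(text: str, as_of_iso: str) -> list[tuple[int, str, bool]]:
    """Return (key number, Not After as ISO 8601, expired?) for each entry,
    judged against the UTC date given as YYYY-MM-DD."""
    as_of = datetime.fromisoformat(as_of_iso).replace(tzinfo=timezone.utc)
    return [(e["key"], e["not_after"].isoformat(), e["not_after"] <= as_of)
            for e in parse_enrolled(text)]


if __name__ == "__main__":
    import subprocess
    from datetime import date
    try:
        # Real run: read the live MOK list; fall back to the sample when mokutil
        # is unavailable (e.g. not on a Fedora/UEFI host).
        text = subprocess.run(["mokutil", "--list-enrolled"],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_MOKUTIL_OUTPUT
    for key, not_after, expired in expiry_report(text, date.today().isoformat()):
        print(f"[key {key}] Not After {not_after}  {'EXPIRED' if expired else 'valid'}")
```

Run as root on a Fedora host it reports the live enrolled list; anywhere else it falls back to the constructed sample. An expired entry is worth reporting to the distribution, as was done in this thread, but by itself it does not stop signed boot components from being accepted.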