How is fwupd signed?

swsnr · April 12, 2024, 4:18pm

Hello,

while setting up secure boot with custom keys on my machine I noticed that (unlike e.g. systemd-boot-unsigned) fwupd-efi contains a signed EFI binary for fwupd, as /usr/libexec/fwupd/efi/fwupdx64.efi.signed.

How is this binary signed, i.e. what certificate is used and where can I obtain it from, e.g. to add it to my firmware’s secure boot db?

Or can I just overwrite the binary with one signed with my own keys? If so will that conflict with RPM?

Cheers, Basti

barryascott · April 12, 2024, 4:32pm

Related question: How can the signature of a EFI binary be queried?

I wonder if that query will show that the fwupd is signed by the microsoft key as is the case with the shim?

barryascott · April 12, 2024, 4:33pm

Are you saying that you cannot run that signed EFI binary?

vekruse · April 12, 2024, 5:08pm

sudo pesign -i fwupdx64.efi.signed -S

barryascott · April 12, 2024, 5:29pm

Armed with pesign I get:

$ pesign -i /usr/libexec/fwupd/efi/fwupdx64.efi.signed -S
---------------------------------------------
certificate address is 0x7f58344a0e38
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Fedora Secure Boot Signer
No signer email address.
Signing time: Fri Jan 27, 2023
There were certs or crls included.
---------------------------------------------
certificate address is 0x7f58344a1418
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is fwupd-signer
No signer email address.
Signing time: Fri Jan 27, 2023
There were certs or crls included.
---------------------------------------------
$ pesign -S -i /boot/efi/EFI/fedora/grubx64.efi
---------------------------------------------
certificate address is 0x7f56cadff008
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Fedora Secure Boot Signer
No signer email address.
Signing time: Mon Mar 04, 2024
There were certs or crls included.
---------------------------------------------
certificate address is 0x7f56cadff5e8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is grub2-signer
No signer email address.
Signing time: Mon Mar 04, 2024
There were certs or crls included.
---------------------------------------------

As grub and fwupd are signed the same way I assume that you already have the keys in your EFI to prove the images are valid for secure boot from the BIOS vendor.

swsnr · April 12, 2024, 7:39pm

Okay, thanks for pointing out pesign; that’d let me extract the chain all up to the CA from the signed file.

Turns out, tho, I’m not the first one to ask this question: Certificate used to sign Fedora kernels for UEFI Secure Boot? — Fedora Linux Kernel

This thread refers to dist-git for the CA certificate, and indeed it’s at Tree - rpms/shim-unsigned-x64 - src.fedoraproject.org as fedora-ca-20200709.cer.

I’ll try and see if I can import this into the secure boot db.

Meanwhile, anyone happens to know what’d dnf have to say if I just overwrote this file with one signed by my own keys?

Topic		Replies	Views
What upgrades /boot/efi/EFI/fedora/fwupdx64.efi Ask Fedora upgrades , fwupd , uefi , f40	6	565	June 20, 2024
Fwupdmgr update broke secure boot Ask Fedora	11	483	February 6, 2025
F41 Secure Boot with only your own keys Ask Fedora secure-boot , uefi , security , f41 , sbctl , mokutil	7	1570	November 25, 2024
Why is systemd-boot not signed? Ask Fedora secure-boot , systemd-boot	3	1074	November 4, 2024
Silverblue + UEFI dbx + shim Project Discussion silverblue-team	5	1345	November 11, 2022

How is fwupd signed?

Related topics