How is fwupd signed?

Hello,

while setting up secure boot with custom keys on my machine I noticed that (unlike e.g. systemd-boot-unsigned) fwupd-efi contains a signed EFI binary for fwupd, as /usr/libexec/fwupd/efi/fwupdx64.efi.signed.

How is this binary signed, i.e. what certificate is used and where can I obtain it from, e.g. to add it to my firmware’s secure boot db?

Or can I just overwrite the binary with one signed with my own keys? If so will that conflict with RPM?

Cheers, Basti

Related question: How can the signature of an EFI binary be queried?

I wonder if that query will show that fwupd is signed by the Microsoft key, as is the case with the shim?

Are you saying that you cannot run that signed EFI binary?

sudo pesign -i fwupdx64.efi.signed -S


Armed with pesign I get:

$ pesign -i /usr/libexec/fwupd/efi/fwupdx64.efi.signed -S
---------------------------------------------
certificate address is 0x7f58344a0e38
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Fedora Secure Boot Signer
No signer email address.
Signing time: Fri Jan 27, 2023
There were certs or crls included.
---------------------------------------------
certificate address is 0x7f58344a1418
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is fwupd-signer
No signer email address.
Signing time: Fri Jan 27, 2023
There were certs or crls included.
---------------------------------------------
$ pesign -S -i /boot/efi/EFI/fedora/grubx64.efi
---------------------------------------------
certificate address is 0x7f56cadff008
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Fedora Secure Boot Signer
No signer email address.
Signing time: Mon Mar 04, 2024
There were certs or crls included.
---------------------------------------------
certificate address is 0x7f56cadff5e8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is grub2-signer
No signer email address.
Signing time: Mon Mar 04, 2024
There were certs or crls included.
---------------------------------------------

As grub and fwupd are signed the same way, I assume that you already have the keys in your EFI to prove the images are valid for secure boot from the BIOS vendor.
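For anyone curious what pesign is actually reading in the output above: the two signatures live in the PE image's Security data directory as WIN_CERTIFICATE records wrapping PKCS#7 DER blobs. The following is an added stand-alone example (not code from any poster, fwupd or pesign) that locates those blobs without external tools; the PE32+ image it builds for its own demo is constructed test data, not a real EFI binary.

```python
"""Locate the Authenticode signature blobs embedded in a PE/EFI binary."""
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def extract_authenticode_blobs(pe: bytes) -> list[bytes]:
    """Return the PKCS#7 DER blob of every WIN_CERTIFICATE in the image.

    A signed EFI binary like fwupdx64.efi.signed can carry several records
    (the pesign output above shows two signers), so a list is returned.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt_hdr = e_lfanew + 4 + 20          # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); Security is index 4.
    if magic == 0x10B:
        dir_off = opt_hdr + 96 + 4 * 8
    elif magic == 0x20B:
        dir_off = opt_hdr + 112 + 4 * 8
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # For the Security directory the "VirtualAddress" is a raw file offset.
    sec_off, sec_size = struct.unpack_from("<II", pe, dir_off)
    blobs, pos, end = [], sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE table")
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(pe[pos + 8:pos + length])
        pos += (length + 7) & ~7         # records are 8-byte aligned
    return blobs


def build_sample_image(blobs: list[bytes]) -> bytes:
    """Constructed test data: a skeletal PE32+ header plus a certificate table."""
    headers = bytearray(64 + 4 + 20 + 112 + 16 * 8)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 64)          # e_lfanew
    headers[64:68] = b"PE\0\0"
    struct.pack_into("<H", headers, 88, 0x20B)         # PE32+ magic
    table = b""
    for blob in blobs:
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    struct.pack_into("<II", headers, 88 + 112 + 32, 512, len(table))
    return bytes(headers).ljust(512, b"\0") + table


if __name__ == "__main__":
    for i, blob in enumerate(extract_authenticode_blobs(open(sys.argv[1], "rb").read())):
        open(f"sig{i}.der", "wb").write(blob)   # inspect with: openssl pkcs7 -inform DER -print_certs -noout -in sig0.der
```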

Okay, thanks for pointing out pesign; that’d let me extract the chain all up to the CA from the signed file.

Turns out, though, I’m not the first one to ask this question: Certificate used to sign Fedora kernels for UEFI Secure Boot? — Fedora Linux Kernel

This thread refers to dist-git for the CA certificate, and indeed it’s at Tree - rpms/shim-unsigned-x64 - src.fedoraproject.org as fedora-ca-20200709.cer.

I’ll try and see if I can import this into the secure boot db.

Meanwhile, does anyone happen to know what dnf would have to say if I just overwrote this file with one signed by my own keys?