[10:50] <psivaa> cjwatson: apw: UEFI shim signature verification (?) fails with today's images..
[10:51] <psivaa> reported bug against linux-signed: bug #1234649
[10:51] <ubot2> Launchpad bug 1234649 in linux-signed (Ubuntu) "UEFI shim verification against microsoft-uefica-public.pem fails with 20131003 images" [Undecided,New] https://launchpad.net/bugs/1234649
[10:51] <psivaa> not sure if that's the right package though
[10:52] <cjwatson> Nothing I can help with
[10:53] <cjwatson> Reassigned to shim-signed - you want slangasek
[10:53] <psivaa> cjwatson: ack, thanks
[10:54] <cjwatson> (Though could also be the fault of sbsigntool or utah itself)
[10:54] <cjwatson> What release are you running this on?
[10:54] <cjwatson> I mean, utah itself
[10:55] <psivaa> this is saucy
[10:55] <cjwatson> OK, no idea why anything would've changed recently then
[10:57]  * xnox ponders if this is my check failing. I've written tests to verify sb signatures, statically.
[10:58] <apw> sbsigntool changed, but a month back, and (cjwatson) isn't the sbsigntool we use on the backend at least separately manually upgraded
[10:59] <apw> xnox, you added a new test ?
[10:59] <cjwatson> apw: Dunno
[11:00] <xnox> apw: i added the test, way back when, to utah static tests to extract signed things from the .iso and execute sbverify on them.
[11:04] <psivaa> apw: 0.6-0ubuntu1~12.04.1 is the version of sbsigntool that's being used for this test
[11:05] <xnox> $ sbverify --cert microsoft-uefica-public.pem /mnt/EFI/BOOT/BOOTx64.EFI
[11:05] <xnox> warning: data remaining[1230256 vs 1355656]: gaps between PE/COFF sections?
[11:05] <xnox> PKCS7 verification failed
[11:05] <xnox> 139756278539968:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:342:Verify error:certificate has expired
[11:05] <xnox> Signature verification failed
[11:06] <xnox> has microsoft certificate got updated?! /me goes to poke slangasek / jdstrand / et al
[11:07]  * apw would expect the public ones to change over time, like they do on websites
[11:10] <xnox> apw: well, the microsoft cert is listed as valid for 15 years, until 2026
[11:10] <apw> well doh
[11:15] <apw> xnox, but they may use an intermediate cert from that master one
[11:15] <apw> i would expect them to get the master out yearly and make a cert for that year
[11:51] <xnox> psivaa: raring iso also failing verification.
[11:51] <xnox> apw: did microsoft sign us for 2 years only =/ O_o
[15:10] <xnox> apw: extracted certs from the signature, there is intermediate cert which expired today, and it only lasts 15 months, vs all other certs last for 15 years.
[15:16] <apw> hmmm i wonder if they missed
[15:16] <apw> xnox, ^^
[15:16] <apw> xnox, is that one ours or one of m$'s
[15:16] <xnox> apw: m$'s