[Merge] ~cjwatson/lp-signing:30-year-expiry into lp-signing:master
Colin Watson has proposed merging ~cjwatson/lp-signing:30-year-expiry into lp-signing:master.
Commit message:
Extend key expiration to 30 years
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
Related bugs:
Bug #1890204 in lp-signing: "ppa uefi certificates are generated for 10 years; Canonical CA and signing keys are done for 30 years"
https://bugs.launchpad.net/lp-signing/+bug/1890204
For more details, see:
https://code.launchpad.net/~cjwatson/lp-signing/+git/lp-signing/+merge/388991
OpenSSL doesn't permit creating a certificate without an expiry date, but for these keys we want something that's functionally non-expiring. Launchpad historically used 10 years, while the official Ubuntu UEFI Secure Boot chain uses 30 years. As far as I know there's no real reason for the discrepancy here, so extend our expiry duration to match that used by Ubuntu.
diff --git a/lp_signing/model/key.py b/lp_signing/model/key.py
index 71fdecc..6b0673c 100644
--- a/lp_signing/model/key.py
+++ b/lp_signing/model/key.py
@@ -344,7 +344,7 @@ class Key(Storm):
_log_subprocess_run([
"openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
"-subj", f"/CN={common_name_esc}/", "-keyout", str(key),
- "-out", str(cert), "-days", "3650", "-nodes", "-sha256",
+ "-out", str(cert), "-days", "10956", "-nodes", "-sha256",
], check=True)
return key.read_bytes(), cert.read_bytes()
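Review bot: The new validity period is a bare `"10956"` written twice in key.py (here and in the hunk at line 364) and repeated in five test expectations, so the "30 years, matching the Ubuntu UEFI chain" rationale from the merge description lives nowhere in the code. A single module-level constant, e.g. `CERT_VALIDITY_DAYS = "10956"  # ~30 years; matches the Ubuntu UEFI Secure Boot chain (bug #1890204)`, used by both `openssl req` invocations and by the tests would keep the two call sites in step and explain the number to the next maintainer. Since the intent is a functionally non-expiring certificate, the comment should also say that expiry no longer acts as a lifecycle control for these certificates, so revocation or key rotation is the only way to retire one. The enclosing method starts outside this hunk.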
@@ -364,7 +364,7 @@ class Key(Storm):
cert = tmp / f"{key_type.name.lower()}.x509"
_log_subprocess_run([
"openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "3650", "-batch", "-x509", "-config", str(keygen),
+ "-days", "10956", "-batch", "-x509", "-config", str(keygen),
"-outform", "PEM", "-out", str(pem), "-keyout", str(pem),
], check=True)
_log_subprocess_run([
diff --git a/lp_signing/model/tests/test_key.py b/lp_signing/model/tests/test_key.py
index 0509593..00115d7 100644
--- a/lp_signing/model/tests/test_key.py
+++ b/lp_signing/model/tests/test_key.py
@@ -131,7 +131,7 @@ class TestKey(TestCase):
"openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
"-subj", r"/CN=~signing-owner\/ubuntu\/testing UEFI/",
"-keyout", EndsWith("uefi.key"), "-out", EndsWith("uefi.crt"),
- "-days", "3650", "-nodes", "-sha256",
+ "-days", "10956", "-nodes", "-sha256",
]
x509_args = [
"openssl", "x509", "-inform", "PEM", "-noout", "-fingerprint",
@@ -172,7 +172,7 @@ class TestKey(TestCase):
r"codeSigning,1.3.6.1.4.1.2312.16.1.2\s*\b", flags=re.S))
req_args = [
"openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "3650", "-batch", "-x509",
+ "-days", "10956", "-batch", "-x509",
"-config", EndsWith("kmod.keygen"),
"-outform", "PEM", "-out", EndsWith("kmod.pem"),
"-keyout", EndsWith("kmod.pem"),
@@ -219,7 +219,7 @@ class TestKey(TestCase):
self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
req_args = [
"openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "3650", "-batch", "-x509",
+ "-days", "10956", "-batch", "-x509",
"-config", EndsWith("opal.keygen"),
"-outform", "PEM", "-out", EndsWith("opal.pem"),
"-keyout", EndsWith("opal.pem"),
@@ -266,7 +266,7 @@ class TestKey(TestCase):
self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
req_args = [
"openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "3650", "-batch", "-x509",
+ "-days", "10956", "-batch", "-x509",
"-config", EndsWith("sipl.keygen"),
"-outform", "PEM", "-out", EndsWith("sipl.pem"),
"-keyout", EndsWith("sipl.pem"),
@@ -311,7 +311,7 @@ class TestKey(TestCase):
"openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
"-subj", r"/CN=~signing-owner\/ubuntu\/testing FIT/",
"-keyout", EndsWith("fit.key"), "-out", EndsWith("fit.crt"),
- "-days", "3650", "-nodes", "-sha256",
+ "-days", "10956", "-nodes", "-sha256",
]
x509_args = [
"openssl", "x509", "-inform", "PEM", "-noout", "-fingerprint",