[Merge] ~cjwatson/lp-signing:reduce-key-validity into lp-signing:master
Colin Watson has proposed merging ~cjwatson/lp-signing:reduce-key-validity into lp-signing:master.
Commit message:
Reduce key validity period to 25 years
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~cjwatson/lp-signing/+git/lp-signing/+merge/432573
Apparently some firmware has trouble with certificates that have 30 years of validity, but is fine with 25 years.
--
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/lp-signing:reduce-key-validity into lp-signing:master.
diff --git a/lp_signing/model/key.py b/lp_signing/model/key.py
index 39c902b..2f74892 100644
--- a/lp_signing/model/key.py
+++ b/lp_signing/model/key.py
@@ -345,7 +345,7 @@ class Key(Storm):
_log_subprocess_run([
"openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
"-subj", f"/CN={common_name_esc}/", "-keyout", str(key),
- "-out", str(cert), "-days", "10956", "-nodes", "-sha256",
+ "-out", str(cert), "-days", "9131", "-nodes", "-sha256",
], check=True)
return key.read_bytes(), cert.read_bytes()
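Review bot: The validity period is a bare literal `"9131"` in this `openssl req` call and again in the call in the hunk at -385, and nothing in the code records why 25 years was chosen. A module-level constant used at both call sites, e.g. `KEY_VALIDITY_DAYS = "9131"  # ~25 years; some firmware rejects certificates valid for 30 years`, would keep the two in step and preserve the rationale that currently lives only in the merge description. The six expectations updated in test_key.py repeat the same literal, so the next change to the period has to touch eight places. The change applies only to newly generated keys; certificates already issued with 10956 days are presumably left as they are, so the description should say whether any of them need regenerating for the affected firmware. The enclosing method starts outside the hunk.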
@@ -385,7 +385,7 @@ class Key(Storm):
cert = tmp / f"{key_type.name.lower()}.x509"
_log_subprocess_run([
"openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "10956", "-batch", "-x509", "-config", str(keygen),
+ "-days", "9131", "-batch", "-x509", "-config", str(keygen),
"-outform", "PEM", "-out", str(pem), "-keyout", str(pem),
], check=True)
_log_subprocess_run([
diff --git a/lp_signing/model/tests/test_key.py b/lp_signing/model/tests/test_key.py
index 3a49a28..ab051b2 100644
--- a/lp_signing/model/tests/test_key.py
+++ b/lp_signing/model/tests/test_key.py
@@ -137,7 +137,7 @@ class TestKey(TestCase):
"openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
"-subj", r"/CN=~signing-owner\/ubuntu\/testing UEFI/",
"-keyout", EndsWith("uefi.key"), "-out", EndsWith("uefi.crt"),
- "-days", "10956", "-nodes", "-sha256",
+ "-days", "9131", "-nodes", "-sha256",
]
x509_args = [
"openssl", "x509", "-inform", "PEM", "-noout", "-fingerprint",
@@ -178,7 +178,7 @@ class TestKey(TestCase):
r"codeSigning,1.3.6.1.4.1.2312.16.1.2\s*\b", flags=re.S))
req_args = [
"openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "10956", "-batch", "-x509",
+ "-days", "9131", "-batch", "-x509",
"-config", EndsWith("kmod.keygen"),
"-outform", "PEM", "-out", EndsWith("kmod.pem"),
"-keyout", EndsWith("kmod.pem"),
@@ -225,7 +225,7 @@ class TestKey(TestCase):
self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
req_args = [
"openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "10956", "-batch", "-x509",
+ "-days", "9131", "-batch", "-x509",
"-config", EndsWith("opal.keygen"),
"-outform", "PEM", "-out", EndsWith("opal.pem"),
"-keyout", EndsWith("opal.pem"),
@@ -272,7 +272,7 @@ class TestKey(TestCase):
self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
req_args = [
"openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
- "-days", "10956", "-batch", "-x509",
+ "-days", "9131", "-batch", "-x509",
"-config", EndsWith("sipl.keygen"),
"-outform", "PEM", "-out", EndsWith("sipl.pem"),
"-keyout", EndsWith("sipl.pem"),
@@ -317,7 +317,7 @@ class TestKey(TestCase):
"openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
"-subj", r"/CN=~signing-owner\/ubuntu\/testing FIT/",
"-keyout", EndsWith("fit.key"), "-out", EndsWith("fit.crt"),
- "-days", "10956", "-nodes", "-sha256",
+ "-days", "9131", "-nodes", "-sha256",
]
x509_args = [
"openssl", "x509", "-inform", "PEM", "-noout", "-fingerprint",
@@ -443,7 +443,7 @@ class TestKey(TestCase):
"openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
"-subj", r"/CN=~signing-owner\/ubuntu\/testing Android Kernel/",
"-keyout", EndsWith("android_kernel.key"),
- "-out", EndsWith("android_kernel.crt"), "-days", "10956",
+ "-out", EndsWith("android_kernel.crt"), "-days", "9131",
"-nodes", "-sha256",
]
rsa_args = [