Diffstat (limited to '')
-rw-r--r-- | man/ukify.xml | 8 | ||||
-rwxr-xr-x | src/ukify/ukify.py | 15 |
2 files changed, 21 insertions, 2 deletions
diff --git a/man/ukify.xml b/man/ukify.xml
index 33d9d26d2d..06ae550530 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -330,6 +330,14 @@
         </varlistentry>
         <varlistentry>
+          <term><varname>SecureBootCertificateValidity=<replaceable>DAYS</replaceable></varname></term>
+          <term><option>--secureboot-certificate-validity=<replaceable>DAYS</replaceable></option></term>
+
+          <listitem><para>Period of validity (in days) for a certificate created by
+          <command>genkey</command>. Defaults to 3650, i.e. 10 years.</para></listitem>
+        </varlistentry>
+
+        <varlistentry>
           <term><varname>SigningEngine=<replaceable>ENGINE</replaceable></varname></term>
           <term><option>--signing-engine=<replaceable>ENGINE</replaceable></option></term>
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index 4fc3ce2e19..3db2bac384 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -759,8 +759,8 @@ def temporary_umask(mask: int):
 def generate_key_cert_pair(
         common_name: str,
+        valid_days: int,
         keylength: int = 2048,
-        valid_days: int = 365 * 10, # TODO: can we drop the expiration date?
 ) -> tuple[bytes]:
     from cryptography import x509
@@ -835,7 +835,10 @@ def generate_keys(opts):
     if opts.sb_key or opts.sb_cert:
         fqdn = socket.getfqdn()
         cn = f'SecureBoot signing key on host {fqdn}'
-        key_pem, cert_pem = generate_key_cert_pair(common_name=cn)
+        key_pem, cert_pem = generate_key_cert_pair(
+            common_name=cn,
+            valid_days=opts.sb_cert_validity,
+        )
         print(f'Writing SecureBoot private key to {opts.sb_key}')
         with temporary_umask(0o077):
             opts.sb_key.write_bytes(key_pem)
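Review bot: Moving `valid_days` ahead of `keylength` as a required parameter changes what the second positional argument of generate_key_cert_pair means, so any caller that passed `keylength` positionally would now have its key length silently treated as a validity period; the only caller visible in this commit uses keywords, but making the contract explicit with a keyword-only marker, `def generate_key_cert_pair(common_name: str, *, valid_days: int, keylength: int = 2048)`, would turn such a mistake into an immediate TypeError. The new parameter is also accepted without a lower-bound check, and a zero or negative validity yields a certificate that is expired before it is ever used; a guard at the top of the body such as `if valid_days <= 0: raise ValueError(f'certificate validity must be a positive number of days, got {valid_days}')` fails early with a clear message instead of emitting an unusable certificate. The unchanged return annotation `tuple[bytes]` on the context line describes a one-element tuple although the call site unpacks two values; `tuple[bytes, bytes]` would match. The body of generate_key_cert_pair continues outside the hunk.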
@@ -1153,6 +1156,14 @@ uki.addon,1,UKI Addon,uki.addon,1,https://www.freedesktop.org/software/systemd/m
         help = 'required by --signtool=pesign. pesign needs a certificate nickname of nss certificate database entry to use for PE signing',
         config_key = 'UKI/SecureBootCertificateName',
     ),
+    ConfigItem(
+        '--secureboot-certificate-validity',
+        metavar = 'DAYS',
+        dest = 'sb_cert_validity',
+        default = 365 * 10,
+        help = "period of validity (in days) for a certificate created by 'genkey'",
+        config_key = 'UKI/SecureBootCertificateValidity',
+    ),
     ConfigItem(
         '--sign-kernel', |
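Review bot: The new ConfigItem declares no conversion for the value, so a validity given on the command line (and presumably one read from the config file under `UKI/SecureBootCertificateValidity`) would reach generate_key_cert_pair as a string, while the default `365 * 10` is an int; if ConfigItem forwards `type` the way argparse's add_argument does, adding `type = int,` next to `metavar = 'DAYS',` keeps both paths consistent and rejects non-numeric input at parse time rather than deep inside certificate generation. The help string could also state the default so that `--help` agrees with the man page, e.g. `help = "period of validity (in days) for a certificate created by 'genkey' (default: 3650)"`. The enclosing list of ConfigItem entries starts and ends outside the hunk.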