Fail the build if VENDOR_CERT_FILE is PEM-encoded #645
steve-mcintyre pushed a commit to steve-mcintyre/shim that referenced this issue (Mar 19, 2024)
If we see "BEGIN CERTIFICATE", it's a PEM certificate and won't work. Fail the build early and say so. Fixes rhboot#645 Signed-off-by: Steve McIntyre <steve@einval.com>
steve-mcintyre pushed a commit to steve-mcintyre/shim that referenced this issue (Mar 19, 2024)
If we see "BEGIN", it's likely a PEM certificate and won't work. Fail the build early and say so. Fixes rhboot#645 Signed-off-by: Steve McIntyre <steve@einval.com>
steve-mcintyre pushed a commit that referenced this issue (Mar 19, 2024)
If we see "BEGIN", it's likely a PEM certificate and won't work. Fail the build early and say so. Fixes #645 Signed-off-by: Steve McIntyre <steve@einval.com>
A common failure mode in shim reviews is people embedding certificates which are PEM-encoded rather than DER-encoded. It's a very easy mistake to make, and easy to miss in reviews too.
I've added an extra message in rhboot/shim-review#402, but it would be even nicer if the shim build process would notice this mistake and fail the build with an appropriate error.
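A pre-build check of the kind requested above, as an added example that is not part of the original issue or of shim's build system: it rejects a file containing PEM armor and also confirms that the file starts with the ASN.1 SEQUENCE tag a DER certificate must have. The function names, return codes and sample files are assumptions made for this example; in a build it would be run against the file named by VENDOR_CERT_FILE.

```shell
#!/bin/sh
# Added example, not shim's build code. Return codes are this example's own
# convention: 0 = looks like DER, 1 = PEM-encoded, 2 = missing or unrecognised.
check_vendor_cert() {
    cert=$1
    if [ ! -s "$cert" ]; then
        echo "error: $cert is missing or empty" >&2
        return 2
    fi
    # PEM is base64 text between "-----BEGIN ...-----" armor lines.
    if LC_ALL=C grep -q -e '-----BEGIN' "$cert"; then
        echo "error: $cert is PEM-encoded, a DER file is required" >&2
        echo "  convert: openssl x509 -in $cert -outform DER -out vendor.der" >&2
        return 1
    fi
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    first=$(od -An -tx1 -N1 "$cert" | tr -d ' \n')
    if [ "$first" != "30" ]; then
        echo "error: $cert does not start with a DER SEQUENCE tag" >&2
        return 2
    fi
    return 0
}

# Constructed samples: PEM armor around placeholder base64, a byte string that
# only mimics the start of a DER SEQUENCE (not a real certificate), and text.
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$dir/vendor.pem"
    printf '\060\202\001\012\060\201' > "$dir/vendor.der"
    printf 'not a certificate\n' > "$dir/vendor.txt"
}

# Demo: classify each sample and report the return code.
tmp=$(mktemp -d)
make_samples "$tmp"
for sample in "$tmp"/vendor.*; do
    rc=0
    check_vendor_cert "$sample" 2>/dev/null || rc=$?
    echo "$(basename "$sample"): rc=$rc"
done
rm -rf "$tmp"
```

The first-byte test is only a sanity check on the encoding; it does not validate that the file is a well-formed certificate.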