Foxboron / sbctl

:computer: :lock: :key: Secure Boot key manager
MIT License

`sbctl verify` still lists Microsoft bootloader as 'not signed' when Microsoft keys are enrolled #260

Closed jinliu closed 7 months ago

jinliu commented 7 months ago
```
$ sbctl enroll-keys --microsoft
$ sbctl status
Installed:  ✓ sbctl is installed
Owner GUID: eb5132d1-cfad-44d5-b94e-e69ed6fb36df
Setup Mode: ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    microsoft
$ sbctl verify
...
✗ /efi/EFI/Microsoft/Boot/bootmgr.efi is not signed
...
$ sbverify --list /efi/EFI/Microsoft/Boot/bootmgr.efi
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Development PCA 2014
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Development PCA 2014
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Development PCA 2014
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Development Root Certificate Authority 2014
```

Cornelicorn commented 7 months ago

See https://github.com/Foxboron/sbctl/issues/238