I think the UEFI spec says not to check timestamps against the current time. But
I am not sure it says it is OK to have the signature time be outside of
the cert validity, which violates the PKCS7 signature spec.
--
In addition to what Steve has said, I'm wondering if you can work around
this by using faketime when signing.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2003701
The best we can do is to take the notAfter time of the signing certificate
and add that as the signingTime, which will then be used by the Sign
command as given.
This will ensure the signature is within valid time-series.
I don't see an easy openssl API to sign things without any signature
setting PKCS7_NOATTR is not enough, as that only removes the smime
capabilities signed attribute, whilst signature timestamp remains.
--- ./regular.text 2023-01-23 11:42:49.992929526 +
+++ noattr.text 2023-01-23 11:42:59.288981639 +
@@ -128,7 +128,7 @@
object:
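The signingTime choice proposed above, as an added example that is not code from the bug report, openssl, or any signing tool: it parses the two ASN.1 time encodings a certificate can carry, checks whether a signing time falls inside the signer certificate's validity window, and falls back to notAfter when the certificate has expired. The function names and sample times are constructed, and keeping the real time while the certificate is still valid is an assumption that goes beyond what the thread states.

```python
from datetime import datetime, timezone

def parse_asn1_time(s):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    body = s[:-1]
    if not s.endswith("Z") or not body.isdigit() or len(body) not in (12, 14):
        raise ValueError(f"unsupported ASN.1 time: {s!r}")
    if len(body) == 12:
        # UTCTime has a two-digit year; RFC 5280 maps 50-99 to 19xx, 00-49 to 20xx.
        yy = int(body[:2])
        year, rest = (1900 if yy >= 50 else 2000) + yy, body[2:]
    else:
        year, rest = int(body[:4]), body[4:]
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)

def within_validity(signing_time, not_before, not_after):
    """True when signingTime falls inside the signer certificate's validity window."""
    return not_before <= signing_time <= not_after

def choose_signing_time(now, not_before, not_after):
    """Pick the signingTime attribute value for a new signature."""
    if within_validity(now, not_before, not_after):
        return now              # assumption: keep the real time while the cert is valid
    if now > not_after:
        return not_after        # the thread's proposal for an expired signing cert
    raise ValueError("signing certificate is not yet valid")

# Constructed sample values (not taken from the bug report).
NOT_BEFORE = parse_asn1_time("120412000000Z")
NOT_AFTER = parse_asn1_time("220412000000Z")
NOW = parse_asn1_time("20230123114249Z")

if __name__ == "__main__":
    print("now inside validity:   ", within_validity(NOW, NOT_BEFORE, NOT_AFTER))
    chosen = choose_signing_time(NOW, NOT_BEFORE, NOT_AFTER)
    print("signingTime to embed:  ", chosen.isoformat())
    print("chosen inside validity:", within_validity(chosen, NOT_BEFORE, NOT_AFTER))
```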