Fail the build if VENDOR_CERT_FILE is PEM-encoded #645

Closed
steve-mcintyre opened this issue Mar 19, 2024 · 0 comments · Fixed by #646

@steve-mcintyre
Collaborator

A common failure mode in shim reviews is people embedding certificates which are PEM-encoded rather than DER-encoded. It's a very easy mistake to make, and easy to miss in reviews too.

I've added an extra message in rhboot/shim-review#402, but it would be even nicer if the shim build process would notice this mistake and fail the build with an appropriate error.

steve-mcintyre pushed a commit to steve-mcintyre/shim that referenced this issue Mar 19, 2024
If we see "BEGIN CERTIFICATE", it's a PEM certificate and won't
work. Fail the build early and say so.

Fixes rhboot#645

Signed-off-by: Steve McIntyre <steve@einval.com>
steve-mcintyre pushed a commit to steve-mcintyre/shim that referenced this issue Mar 19, 2024
If we see "BEGIN", it's likely a PEM certificate and won't work. Fail
the build early and say so.

Fixes rhboot#645

Signed-off-by: Steve McIntyre <steve@einval.com>
steve-mcintyre pushed a commit that referenced this issue Mar 19, 2024
If we see "BEGIN", it's likely a PEM certificate and won't work. Fail
the build early and say so.

Fixes #645

Signed-off-by: Steve McIntyre <steve@einval.com>
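
A sketch of the kind of pre-build check this issue asks for, added here as an example; it is not the code from the commits above or from the shim build system. The function name `cert_encoding_check` and its return codes are hypothetical, and the first-byte test for an ASN.1 SEQUENCE (0x30) goes beyond the "BEGIN" match the commit messages describe.

```shell
#!/bin/sh
# Added example: refuse a PEM-encoded certificate before it is embedded.
# Return codes (this script's own convention, not shim's):
#   0 = looks like DER, 1 = PEM armor found, 2 = missing/empty/unrecognised

cert_encoding_check() {
    f=$1

    if [ ! -s "$f" ]; then
        echo "error: $f is missing or empty" >&2
        return 2
    fi

    # PEM is base64 text wrapped in "-----BEGIN ...-----" armor lines.
    # -e is needed because the pattern itself starts with a dash.
    if LC_ALL=C grep -q -e '-----BEGIN' "$f"; then
        echo "error: $f is PEM-encoded; a DER-encoded certificate is required" >&2
        echo "hint: openssl x509 -in $f -outform DER -out ${f%.*}.der" >&2
        return 1
    fi

    # A DER X.509 certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" != "30" ]; then
        echo "error: $f does not start with an ASN.1 SEQUENCE (0x30)" >&2
        return 2
    fi

    return 0
}

# Run the check when the variable named in the issue is set in the environment.
if [ -n "${VENDOR_CERT_FILE:-}" ]; then
    cert_encoding_check "$VENDOR_CERT_FILE" || exit $?
fi
```

Run with `VENDOR_CERT_FILE=path/to/cert sh check.sh` ahead of the build; a non-zero exit status stops a calling `make` recipe or CI step.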