hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-12-20 15:26:43 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Make the uefikeys script output slightly more obvious.

Browse Source 
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Edward Tomasz Napierala 2015-02-26 14:22:27 +00:00
parent 3e78ee6328
commit 984a1cbfd6
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=279321
1 changed files with 1 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
share/examples/uefisign/uefikeys
View File

@ -18,7 +18,6 @@ fi
certfile="${1}.pem"
efifile="${1}.cer"
keyfile="${1}.key"
p12file="${1}.p12"
# XXX: Set this to ten years; we don't want system to suddenly stop booting
# due to certificate expiration. Better way would be to use Authenticode
# Timestamp. That said, the rumor is UEFI implementations ignore it anyway.
@ -28,13 +27,11 @@ subj="/CN=${1}"
[ ! -e "${certfile}" ] || die "${certfile} already exists"
[ ! -e "${efifile}" ] || die "${efifile} already exists"
[ ! -e "${keyfile}" ] || die "${keyfile} already exists"
[ ! -e "${p12file}" ] || die "${p12file} already exists"
umask 077 || die "umask 077 failed"
openssl genrsa -out "${keyfile}" 2048 2> /dev/null || die "openssl genrsa failed"
openssl req -new -x509 -sha256 -days "${days}" -subj "${subj}" -key "${keyfile}" -out "${certfile}" || die "openssl req failed"
openssl x509 -inform PEM -outform DER -in "${certfile}" -out "${efifile}" || die "openssl x509 failed"
openssl pkcs12 -export -out "${p12file}" -inkey "${keyfile}" -in "${certfile}" -password 'pass:' || die "openssl pkcs12 failed"
echo "certificate: ${certfile}; private key: ${keyfile}; UEFI public key: ${efifile}; private key with empty password for pesign: ${p12file}"
echo "certificate: ${certfile}; private key: ${keyfile}; certificate to enroll in UEFI: ${efifile}"