shim-15 for CloudReady with renewed certificate #27

Closed
7 tasks done
nicholasbishop opened this issue Aug 20, 2018 · 2 comments
Labels
accepted Submission is ready for sysdev

Comments

@nicholasbishop
Contributor

Make sure you have provided the following information:

  • link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
    neverware/shim-review@neverware-shim-20180820
  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate embedded in shim (the file passed to VENDOR_CERT_FILE)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs

What organization or people are asking to have this signed:

Neverware Inc. (https://www.neverware.com)

Version of shim:

15

Sysdev Submission ID:

Microsoft told us to get approval from the shim review board before submitting it to them.

What product or service is this for:

CloudReady

What's the justification that this really does need to be signed for the whole world to be able to boot it:

CloudReady is a Linux distro; we'd like to encourage people to boot our OS with secure boot enabled.

Note: our submission was previously reviewed here: #21. Unfortunately I had not realized our certificate was close to expiration. Our new shim build should be identical to the previous release, except with a renewed certificate valid until September 2020.

@cyphermox
Collaborator

Looks fine to me. This reproduces exactly. Note that it looks like this build contains both your old and new certificates (there's evidence of the old expiration date in). If this isn't what you expect, you might want to resubmit.

I find this shim acceptable for signing.

1cb02fa0e3cbd5c6af4ddf4fb77a48fcbe527299db631bc8e82d8bb1e8d3e40a shimia32.efi
301861b782aa2e61cdd6f66cad3a55dc94a77f95ed143e58ce797bd6102f6302 shimx64.efi

@cyphermox cyphermox added the accepted Submission is ready for sysdev label Aug 24, 2018
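
Each X.509 certificate carries exactly one DER-encoded Validity field, so counting those fields in a binary is one way to check the "both old and new certificates" observation above. This Python code is an added example, not code from the thread or from shim, and not necessarily how the reviewer checked; the sample blob and all dates in it are constructed.

```python
import re
from datetime import datetime, timezone

# DER time encodings allowed in an X.509 Validity field:
#   UTCTime         tag 0x17, length 13, "YYMMDDHHMMSSZ"
#   GeneralizedTime tag 0x18, length 15, "YYYYMMDDHHMMSSZ"
_TIME = rb"(?:\x17\x0d(\d{12})Z|\x18\x0f(\d{14})Z)"
# Validity ::= SEQUENCE { notBefore Time, notAfter Time }
_VALIDITY = re.compile(rb"\x30([\x1e\x20\x22])" + _TIME + _TIME)

def _parse(utc, gen):
    if gen is not None:
        text = gen.decode()
    else:
        text = utc.decode()
        # RFC 5280: two-digit years 50-99 mean 19YY, 00-49 mean 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    parsed = datetime.strptime(text, "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)

def find_validity_periods(blob):
    """Return [(offset, not_before, not_after)] for each Validity found."""
    found = []
    for m in _VALIDITY.finditer(blob):
        if m.group(1)[0] != m.end() - m.start() - 2:
            continue  # SEQUENCE length does not cover exactly the two times
        try:
            not_before = _parse(m.group(2), m.group(3))
            not_after = _parse(m.group(4), m.group(5))
        except ValueError:
            continue  # digits matched by chance but are not a real date
        found.append((m.start(), not_before, not_after))
    return found

def _validity(not_before, not_after):
    # Builds a constructed Validity SEQUENCE for the sample below.
    body = b"\x17\x0d" + not_before + b"\x17\x0d" + not_after
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample: padding plus two Validity fields (dates are made up).
SAMPLE = (b"MZ" + b"\x00" * 62
          + _validity(b"160901000000Z", b"180901000000Z")
          + b"\xaa" * 16
          + _validity(b"180820000000Z", b"200901000000Z"))

if __name__ == "__main__":
    for offset, nb, na in find_validity_periods(SAMPLE):
        print(f"offset {offset:#x}: {nb:%Y-%m-%d} .. {na:%Y-%m-%d}")
```

To scan a real file, pass its contents, read in binary mode, to `find_validity_periods`; more than one distinct notAfter date means more than one certificate validity period is present in the file.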
@nicholasbishop
Contributor Author

Thanks for reviewing. Could you expand on where/how you see evidence of the old certificate? I'm not sure how that would be getting in there.
