KEK: Update the get_auth_var_signing_certificate and kek_update_map.json #325

Merged
Flickdm merged 4 commits into microsoft:main from Flickdm:fix/get_auth_var_signing_certificate.py
Dec 10, 2025

Flickdm commented Nov 29, 2025

Description

Updates the get_auth_var_signing_certificate.py script to not assume that the certificates use valid positive integers for the serial of the certificate.

Also updates the kek_update_map.json to be script created rather than by hand. This should help reduce human error in the future.

For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

How This Was Tested

N/A

Integration Instructions

N/A


Flickdm commented Nov 29, 2025

Addresses both #323 and #318


Copilot AI left a comment


Pull request overview

This PR updates the get_auth_var_signing_certificate.py script to handle non-standard certificate serial numbers and adds functionality to automatically generate JSON mappings from directories of authenticated files. The key improvement is removing the assumption that certificate serial numbers are valid positive 128-bit integers.

Key Changes:

  • Removed the 128-bit positive integer conversion for certificate serial numbers in the matching logic
  • Added new directory processing mode that generates JSON mappings for bulk certificate processing
  • Extended the return value of process_auth_file to include SHA1 and SHA256 thumbprints for convenience
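
Added illustration, not code from this pull request or from the script it changes: a DER INTEGER is two's complement, so a serial whose first content octet has the high bit set and no leading 0x00 is negative, and forcing it positive makes it collide with a different serial. The helper names and both sample serials are constructed for the example, and matching on content octets is one possible approach, not necessarily the script's. RFC 5280 requires positive serials of at most 20 octets, but non-conforming certificates exist.

```python
# Added illustration: helper names are hypothetical and the serials are constructed.

def der_integer_content(der: bytes) -> bytes:
    """Return the content octets of one DER INTEGER (tag 0x02)."""
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length, offset = der[1], 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if length == 0 or offset + length != len(der):
        raise ValueError("length does not match the data")
    return der[offset:]


def serial_signed(der: bytes) -> int:
    """Value as ASN.1 defines it: two's complement, so it may be negative."""
    return int.from_bytes(der_integer_content(der), "big", signed=True)


def serial_forced_positive(der: bytes) -> int:
    """The risky shortcut: read the same octets as an unsigned number."""
    return int.from_bytes(der_integer_content(der), "big", signed=False)


def is_rfc5280_serial(der: bytes) -> bool:
    """RFC 5280 asks for a positive serial of at most 20 octets."""
    return serial_signed(der) > 0 and len(der_integer_content(der)) <= 20


def same_serial(a: bytes, b: bytes) -> bool:
    """Match on the encoded octets, with no numeric assumption."""
    return der_integer_content(a) == der_integer_content(b)


# Constructed serials: identical except for the leading 0x00 sign octet.
NEGATIVE = bytes.fromhex("0208c3a1f00d5e6b7788")    # high bit set, so negative
POSITIVE = bytes.fromhex("020900c3a1f00d5e6b7788")  # padded, so positive

if __name__ == "__main__":
    for name, der in (("NEGATIVE", NEGATIVE), ("POSITIVE", POSITIVE)):
        print(name, serial_signed(der), serial_forced_positive(der),
              is_rfc5280_serial(der))
    print("same serial?", same_serial(NEGATIVE, POSITIVE))
```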


Flickdm force-pushed the fix/get_auth_var_signing_certificate.py branch from 37d0de3 to d9151b0, December 4, 2025 17:53
Flickdm force-pushed the fix/get_auth_var_signing_certificate.py branch 2 times, most recently from 8dac934 to a3bb863, December 9, 2025 23:32
Flickdm enabled auto-merge (rebase), December 10, 2025 00:42
Updates the get_auth_var_signing_certificate.py script to not assume
that the certificates use valid positive integers for the serial of
the certificate.

Also updates the kek_update_map.json to be script created rather than by
hand. This should help reduce human error in the future.
Flickdm force-pushed the fix/get_auth_var_signing_certificate.py branch from a3bb863 to a8ef663, December 10, 2025 00:42
Flickdm merged commit 8caaac3 into microsoft:main, Dec 10, 2025
2 checks passed