Wimboot v2.8.0 certificate expired #57

Open
skyblaster opened this issue Nov 23, 2024 · 3 comments

skyblaster commented Nov 23, 2024

Looks like the cert expired on 2024-10-16.
Hopefully it's not too long of a process to renew.

EDIT: My apologies, it's the "Microsoft Windows UEFI Driver Publisher" cert that has expired.

NiKiZe commented Nov 23, 2024

What issues are you seeing?
I have not verified the details, but certificates for code signing only have to be valid at the time of signing, as long as the signing timestamp is included. This is done by Microsoft, so it would be a horrible oversight if they missed that.

As such, even if any part of the chain is now after the NotAfter timestamp, it shouldn't be relevant.

@skyblaster
Author

False alarm. My issue is with Hyper-V where I see the following:
image

On a Lenovo X390, I was able to boot the same boot.wim successfully.

skyblaster commented Feb 10, 2025

In the image from my last comment I was attempting to use the "Microsoft UEFI Certificate Authority" template in Hyper-V.

If I attempt to use the "Microsoft Windows" template, I see the following error instead:

Image

If I boot the ISO where I extracted my boot.wim (taking wimboot out of the equation) it boots successfully.

Here is the list of Secure Boot certs in Hyper-V:

PK:
CN=Microsoft Hyper-V Firmware PK, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

KEK:
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

DB:
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

wimboot 2.8.0 was signed by the UEFI CA 2011 cert:
Image

I could be wrong, but I believe this means that wimboot will need to be signed with the new 2023 CA, both for Hyper-V and for devices with the BlackLotus mitigation applied.

skyblaster reopened this Feb 10, 2025
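
Whether a given CA certificate is enrolled in a machine's Secure Boot db, the question the last comment turns on, can be checked by parsing the db variable, which is a sequence of EFI_SIGNATURE_LIST structures. The following is an added example, not code from this thread or from the wimboot project; the owner GUID and the certificate byte strings are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import struct
import uuid

# X.509 signature type GUID from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, ListSize, HeaderSize, SignatureSize
HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Return (type_guid, owner_guid, data) for every entry in a db/dbx/KEK blob."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, offset)
        body = HEADER.size + hdr_size
        if (list_size < body or offset + list_size > len(blob) or sig_size <= 16
                or (list_size - body) % sig_size):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        sig_type = uuid.UUID(bytes_le=raw_type)
        # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID followed by the payload.
        for pos in range(offset + body, offset + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        offset += list_size
    return entries


def db_trusts_cert(blob, cert_der):
    """True if this exact DER certificate is enrolled as an X.509 entry."""
    want = hashlib.sha256(cert_der).digest()
    return any(t == EFI_CERT_X509_GUID and hashlib.sha256(d).digest() == want
               for t, _, d in parse_signature_lists(blob))


def make_list(sig_type, owner, items):
    """Build one EFI_SIGNATURE_LIST (only used to construct the sample below)."""
    body = b"".join(owner.bytes_le + i for i in items)
    size = 16 + len(items[0])
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, size) + body


# Constructed sample: placeholder byte strings stand in for real DER certificates.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
WINDOWS_PCA_2011 = b"placeholder-der:Microsoft Windows Production PCA 2011"
UEFI_CA_2023 = b"placeholder-der:Microsoft UEFI CA 2023"
UEFI_CA_2011 = b"placeholder-der:UEFI CA 2011"  # not enrolled in the sample db
SAMPLE_DB = (make_list(EFI_CERT_X509_GUID, OWNER, [WINDOWS_PCA_2011])
             + make_list(EFI_CERT_X509_GUID, OWNER, [UEFI_CA_2023]))
```

On real data, pass the raw variable contents (for Linux efivarfs, strip the leading 4-byte attributes field first) and the CA certificate in DER form. This checks enrollment only; it does not verify that a binary's signature chains to that certificate.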