SecureBoot in Ubuntu (WinQual signed)


To maintain maximum compatibility, Canonical will participate in the WinQual program and purchase a secure boot code-signing certificate. The Ubuntu boot images will be signed in the following manner:

  1. The to-be-signed binary for the shim bootloader is given to IS with an RT to request signing
  2. IS uses Canonical's WinQual key pair to sign the binary, and submits this binary to Microsoft's WinQual program

  3. In parallel, Canonical submits a review request for shim at

  4. Microsoft then verifies the submitted signed binary was signed by the Canonical WinQual key pair, and if so, re-signs it with their key such that it will verify with Microsoft's key in UEFI firmware and allow SecureBoot.

  5. The Microsoft-signed shim is given to Canonical
  6. Canonical takes the Microsoft-signed shim binary and updates the shim, shim-signed packaging to include it

Previous discussions assumed that the WinQual key pair would act as a sort of intermediate CA and did not require the round-trip through Microsoft's WinQual program. Microsoft has stated they will not sign a Canonical x509 certificate in this manner and that Canonical must use a WinQual certificate for the purpose of proving its identity to Microsoft. By doing so, Microsoft retains control of secure boot for Ubuntu.

Sign the certificate

To purchase a code-signing certificate you must:

  • generate a private key
  • generate a CSR for the private key
  • submit the CSR to the WinQual program for signing

Image signing procedure

For WinQual only signing, please see the image signing procedure by WinQual for more information.

UEFI/SecureBoot/KeyManagement/WinQual (last edited 2017-12-04 22:18:09 by cyphermox)