Files
Michał Kopeć 0285e00e8b BaseTools/Source/Python: Add -noattr to capsule signing openssl commands
This makes capsule PKCS#7 signatures reproducible.

openssl smime -sign embeds a signingTime signed attribute (current
UTCTime) by default. Because the attribute is inside the signed
digest, the resulting RSA signature differs on every invocation even
when the key and payload are identical, breaking reproducible builds
of signed FMP capsules.

Pass -noattr to drop all signed attributes from the SignerInfo. The
signature is then computed directly over the content, producing
byte-identical output across runs.

The FMP update path is unaffected: FmpAuthenticationLibPkcs7 calls
Pkcs7Verify() without extracting signed attributes, and rollback
protection uses FwVersion / LowestSupportedVersion in
FMP_PAYLOAD_HEADER plus the auth header MonotonicCount, not
signingTime. signingTime is only consumed by DxeImageVerificationLib
for Secure Boot dbt checks on PE/COFF images, which is a separate
code path.

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
2026-05-19 16:43:55 +03:00
..