Nov 07 2022 06:25 AM
I'm using the following 3 commands to add a new key to my Secure Boot db:
$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -ContentFilePath .\FormattedContent.bin -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
Set-SecureBootUEFI -ContentFilePath .\FormattedContent.bin -SignedFilePath GeneratedFileToSign.bin.p7
The first two commands succeeds but Set-SecureBootUEFI unexpectedly produces the following prompt:
Supply values for the following parameters:
Name:
Shouldn't it be able to obtain the name from FormattedContent.bin? This behavior isn't described anywhere in the documentation and is contrary to the behavior shown in example 2 where the command succeeds without any further prompt.
I entered "db", and then it prompted:
Time:
Again this should have been obtained from `FormattedContent.bin`, and the behavior isn't documented anywhere.
When I repeated everything in the same session with a slight modification, Set-SecureBootUEFI succeeds immediately:
$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";$ObjectFromFormat=Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
$ObjectFromFormat | Set-SecureBootUEFI -SignedFilePath GeneratedFileToSign.bin.p7
The only different between the two sets of commands is that the first outputs the formatted data to a file which is then supplied as a parameter to Set-SecureBootUEFI while the second outputs the formatted data to a PowerShell object which is then piped to Set-SecureBootUEFI. Functionally both are identical and it is puzzling why they have different behavior.
Mar 08 2023 08:32 AM