Hi
at boot of incus os it warns about invalid certificates: RSA key length 4096 is greater than 2048 bits.
For so far I know these are valid certificates. Is this check not outdated?
Nope, the check is correct.
The current UEFI Secure Boot specification only allows for 2048 bit RSA certificates to be present in the DB keyring. IncusOS flags systems that have Secure Boot certificates that do not comply with the specification as that may cause issues on update or lead to unexpected TPM state.
OK,
thanks for the update
There’s some additional discussion at Handle invalid Secure Boot certificates by gibmat · Pull Request #660 · lxc/incus-os · GitHub for those who are interested in further details.
Interesting.
For now it is now causing issues. so I’m just ignoring the warning