Veracrypt appears to be signed with the 2011 CA which will stop working June 27th 2026

[Motophan]

From what I can tell in June everyone w/ veracrypt will have their secureboot stop working because vc signs itself from the 2011 ca and not the 2023 ca. This means w11 will complain about secure boot not being valid, and in some cases will not show a screen / ignore the boot option instead of continuing.

Can we rush a version bump for this please?

sudo sbverify --list DcsBoot.efi

results in

    signature 1
    image signature issuers:
     - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    image signature certificates:
     - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
       issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
     - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
       issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

[dacervera]

If the leaf cert is a code or firmware-signing cert, the signer applies a time stamp on signed objects so that what matters is that the certificate was valid at the moment it was originally signed so that even if the certificate (or any of the CAs above it) were to simply expire (not revoked), software signed a decade ago will still keep working. My sense is, it's the same in this case. People depend on their hardware for quite a long time--we don't want these devices to brick--but we still want the cert chains to continue to validate, so that's why you'll sometimes see expired CA certs in a trust store--if that CA or its subordinates issued code/firmware signing certs, the aging cert is kept to allow software that some parts of the industry still rely on will continue to function.

[Motophan]

For me, setting my BIOS clock ahead to 1-1-27 causes a warn about secure boot, then reboot to firmware interface. This may not be what is suppose to happen, but it do.

Yes I can turn secure boot off, but then I cant play MMO's anymore because their anticheat will see secure boot off (vanguard get mad). I will also be noncompliant for w11 minimum standards.

it was vbios, ignore above comment. >2027 seeems to work in bios clock, sorry.