
Add CAs for new signing certificates to RAUC keyring #4757

Open

sairon wants to merge 1 commit into dev from new-ota-certs

Conversation

@sairon sairon (Member) commented Jun 9, 2026

Add certificates with new PKI chain to replace the old one. Until May 14th 2028, bundles signed with the old certs will be accepted as well. The transition to the new authority using bundles signed by the new certs is ensured by the intermediate certificate signed by the old CA. This, and the old CA certificates, can be removed from the keyring after their expiry.

The keyrings no longer contain CRLs, but the validity of the certificates will be shortened to 4 years, as discussed in the linked issue.

Closes #4743

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated OTA update certificate configuration to include intermediate CA certificate support for backward compatibility. This addition is scheduled for removal on May 14th, 2028.

@sairon sairon requested a review from agners June 9, 2026 09:08
@sairon sairon added the build Build and CI related issues label Jun 9, 2026
@coderabbitai coderabbitai (Bot) commented Jun 9, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between b7bb667 and 5de930f.

⛔ Files ignored due to path filters (4)
  • buildroot-external/ota/dev-ca.pem is excluded by !**/*.pem
  • buildroot-external/ota/provisioning-ca.pem is excluded by !**/*.pem
  • buildroot-external/ota/rel-ca-xsign-oldroot.cert.pem is excluded by !**/*.pem
  • buildroot-external/ota/rel-ca.pem is excluded by !**/*.pem
📒 Files selected for processing (2)
  • buildroot-external/genimage/image-raucb-nospl.cfg
  • buildroot-external/genimage/image-raucb-spl.cfg

Walkthrough

The PR adds intermediate CA certificate configuration entries to two RAUC build configuration files supporting the PKI root certificate rotation. Both the SPL and no-SPL variants now reference the same intermediate certificate at ${BR2_EXTERNAL_HAOS_PATH}/ota/rel-ca-xsign-oldroot.cert.pem, with a removal date marked for May 14, 2028.

Changes

PKI Certificate Rotation

  Layer: Add intermediate certificate to RAUC configurations
  File(s): buildroot-external/genimage/image-raucb-nospl.cfg, buildroot-external/genimage/image-raucb-spl.cfg
  Summary: Both RAUC configuration files add an intermediate certificate entry for rel-ca-xsign-oldroot.cert.pem with a removal date comment of May 14, 2028, supporting the PKI certificate rotation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A hop, skip, and cert rotation away,
Old roots retire on a May-day,
Intermediate guardians stand in place,
Until twenty-twenty-eight ends the race,
Fresh certificates keep trust safe today! 🐰🔐

Pre-merge checks: 5 passed

  Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  Title check: Passed. The title accurately describes the main change: adding intermediate certificates to RAUC configuration files for PKI chain transition.
  Linked Issues check: Passed. The PR adds intermediate certificates to enable PKI rotation as required by #4743, supporting the transition from old to new signing certificates before May 14, 2028.
  Out of Scope Changes check: Passed. All changes are scoped to adding intermediate certificates in RAUC configuration files, directly supporting the PKI rotation objective without extraneous modifications.
  Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Labels: build (Build and CI related issues), cla-signed
Development

Successfully merging this pull request may close these issues.

Rotate HAOS PKI root certificate
