sbvarsign: use SignedData instead of PKCS7 for authenticated updates

The EFI standard is ambiguous about which one to use for variable
updates (it is definite about using PKCS7 for signed binaries).  Until
recently, the reference platform, tianocore, accepted both.  However
after patch

commit c035e37335ae43229d7e68de74a65f2c01ebc0af
Author: Zhang Lubo <>
Date:   Thu Jan 5 14:58:05 2017 +0800

    SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable.

The acceptance of PKCS7 got broken.  This breakage seems to be
propagating to the UEFI ecosystem, so update the variable signing
tools to emit the SignedData type (which all previous EFI
implementations accepted).

Signed-off-by: James Bottomley <>
1 file changed