This is just to align better with Junos usage.

Typo is minor enough to fix at commit without another round of reviews unless something else justifies it.

On our systems ve_utc is set to a fixed constant timestamp, and certificate expiration is always checked against that fixed clock.

If I got this right, the -S option lives for a single veriexec call. As such, nothing would prevent users from calling veriexec again without -S and skip the date check?

If this is a security feature, then wouldn't it be better to make it so that calling veriexec -S (or some sysctl) would turn on certificate validity checks until the system is rebooted? This would work similar to other security features in FreeBSD (like mac_veriexec states that cannot removed or secure level that cannot be lowered).

Doing so would allow to boot the kernel and verify the base system even with an outdated system (so users that do not upgrade still get something that works). More security sensitive features can be loaded at a later stage, with certificate validity checks enforced until reboot?

In D35758#811651, @sebastien.bini_stormshield.eu wrote:

On our systems ve_utc is set to a fixed constant timestamp, and certificate expiration is always checked against that fixed clock.

If I got this right, the -S option lives for a single veriexec call. As such, nothing would prevent users from calling veriexec again without -S and skip the date check?

Correct, that is exactly the idea.
As I think I mentioned, in Junos for various certifications (FIPS/Common Criteria) we need to strictly enforce all certificate restrictions - during s/w install.
Once software is installed we have a compelling requirement that it NOT stop working just because a certificate has expired - yes people do run 10yo s/w on Internet core routers.

If this is a security feature, then wouldn't it be better to make it so that calling veriexec -S (or some sysctl) would turn on certificate validity checks until the system is rebooted?

Per above, this is not necessary. Our s/w install process always uses the -S option, and we do not want it at any other time.

This would work similar to other security features in FreeBSD (like mac_veriexec states that cannot removed or secure level that cannot be lowered).

Very different situation.

Doing so would allow to boot the kernel and verify the base system even with an outdated system (so users that do not upgrade still get something that works). More security sensitive features can be loaded at a later stage, with certificate validity checks enforced until reboot?

I believe this is already what we have, via -S.