[Bug 1234649] Re: UEFI shim verification against microsoft-uefica-public.pem fails with 20131003 saucy images

Steve Langasek steve.langasek at canonical.com
Wed Jun 8 05:04:32 UTC 2016 

Hello Para, or anyone else affected,

Accepted sbsigntool into precise-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu4~12.04.2 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: sbsigntool (Ubuntu Precise)
       Status: In Progress => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1234649

Title:
  UEFI shim verification against microsoft-uefica-public.pem fails with
  20131003 saucy images

Status in sbsigntool package in Ubuntu:
  Fix Released
Status in sbsigntool source package in Precise:
  Fix Committed
Status in sbsigntool source package in Quantal:
  Won't Fix
Status in sbsigntool source package in Raring:
  Won't Fix

Bug description:
  [Impact]
  Validating signature using sbsigntool for EFI binaries on Precise.

  [Test case]
  1) pull-lp-source shim-signed
  2) sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed

  [Regression potential]
  This is dependent on the date of the system being correct -- wrong date may cause an unexpected success or failure of the test case.

  ---

  UEFI shim verification fails (PKCS7 verification failed) with the images of 20131003 against the microsoft-uefica-public. keys present in
  http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/files/head:/notes_testing/secure-boot/keys/

  The following is the failure results (http://bazaar.launchpad.net/~utah/utah/dev/view/head:/utah/isotest/iso_static_validation.py)
  DEBUG: Using iso at: /tmp/utah-saucy-server-amd64.iso
  INFO: Preparing image: /tmp/utah-saucy-server-amd64.iso
  INFO: /tmp/utah-saucy-server-amd64.iso is locally available as /tmp/utah-saucy-server-amd64.iso
  INFO: Getting image type of /tmp/utah-saucy-server-amd64.iso
  DEBUG: bsdtar list command: bsdtar -t -f /tmp/utah-saucy-server-amd64.iso
  INFO: Image type is: server
  DEBUG: Using normal image
  DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-server-amd64.iso ./.disk/info
  DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-server-amd64.iso -O .disk/info
  INFO: Arch is: amd64
  INFO: Series is saucy
  DEBUG: Standard name for this iso is: saucy-server-amd64.iso
  DEBUG: Generating verification certificates
  DEBUG: Extracting UEFI boot and kernel images
  DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-server-amd64.iso ./EFI/BOOT/BOOTx64.EFI
  DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-server-amd64.iso -O EFI/BOOT/BOOTx64.EFI
  DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-server-amd64.iso ./EFI/BOOT/grubx64.efi
  DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-server-amd64.iso -O EFI/BOOT/grubx64.efi
  DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-server-amd64.iso ./install/vmlinuz
  DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-server-amd64.iso -O install/vmlinuz
  DEBUG: Verifying UEFI shim
  ERROR: test_efi_secure_boot_signatures (__main__.TestValidateISO)
  ERROR: Traceback (most recent call last):
    File "/usr/lib/python2.7/unittest/case.py", line 327, in run
      testMethod()
    File "/usr/share/utah/isotest/iso_static_validation.py", line 481, in test_efi_secure_boot_signatures
      self.assertEqual(stdout, 'Signature verification OK\n')
    File "/usr/lib/python2.7/unittest/case.py", line 511, in assertEqual
      assertion_func(first, second, msg=msg)
    File "/usr/lib/python2.7/unittest/case.py", line 504, in _baseAssertEqual
      raise self.failureException(msg)
  AssertionError: 'PKCS7 verification failed\nSignature verification failed\n' != 'Signature verification OK\n'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1234649/+subscriptions

More information about the foundations-bugs mailing list