[Bug 1789918] Re: /boot/vmlinux-4.17 has invalid signature
Steve Langasek
steve.langasek at canonical.com
Thu Aug 30 20:45:55 UTC 2018
$ sbattach --detach detached-sig ./vmlinuz-4.17.0-7-generic
$ openssl pkcs7 -in detached-sig -inform DER -print_certs
subject=/CN=PPA canonical-kernel-team bootstrap
issuer=/CN=PPA canonical-kernel-team bootstrap
$
Thanks, this confirms that the kernel you have installed came from the
ckt ppa, and not from the archive.
So it is not a bug that grub fails to boot this kernel; though we should
revisit whether we could have detected this case at the time grub was
upgraded and avoid installing the new bootloader in the case that all
your kernels are signed but with a key not trusted by the firmware.
This was discussed in
https://code.launchpad.net/~juliank/grub/+git/ubuntu/+merge/345403/comments/909708
and at the time it sounded like it was infeasible. I think we need to
take another run at it.
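The signer check performed above with sbattach and openssl, and the upgrade-time policy the reply proposes (only enforce signatures if some installed kernel is signed by a firmware-trusted key), as an added example script; it is not part of this bug report or of the grub packaging. It assumes the sbsigntool and openssl binaries are installed, and the trusted-CN allow-list is a constructed placeholder rather than a value read from the firmware db.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Allow-list of signer CNs the firmware trusts. Constructed for this example:
# on a real system it would be built from the firmware db / MOK list
# (e.g. the output of `mokutil --db`), not hard-coded.
TRUSTED_CNS = {"Canonical Ltd. Secure Boot Signing (2017)"}

# Matches the subject line printed by `openssl pkcs7 -print_certs`, in both
# the older "subject=/CN=foo" and the newer "subject=CN = foo" layouts.
SUBJECT_RE = re.compile(r"^subject=.*?CN\s*=\s*([^/,\n]+)", re.M)


def signer_cns(pkcs7_text):
    """Return the set of subject CNs found in `openssl pkcs7 -print_certs` output."""
    return {cn.strip() for cn in SUBJECT_RE.findall(pkcs7_text)}


def kernel_signers(vmlinuz):
    """Detach the PE Authenticode signature from a kernel image (the same
    sbattach/openssl steps as in the mail) and return the signer CNs.
    An unsigned image yields an empty set. Needs sbattach and openssl."""
    with tempfile.TemporaryDirectory() as tmp:
        sig = Path(tmp) / "detached-sig"
        try:
            subprocess.run(["sbattach", "--detach", str(sig), str(vmlinuz)],
                           check=True, capture_output=True)
        except subprocess.CalledProcessError:
            return set()  # sbattach fails when no signature is attached
        out = subprocess.run(
            ["openssl", "pkcs7", "-in", str(sig), "-inform", "DER", "-print_certs"],
            check=True, capture_output=True, text=True,
        ).stdout
    return signer_cns(out)


def safe_to_enforce(signers_per_kernel, trusted=TRUSTED_CNS):
    """Upgrade-time policy: install an enforcing bootloader only if at least
    one installed kernel is signed by a key the firmware trusts."""
    return any(cns & trusted for cns in signers_per_kernel.values())


if __name__ == "__main__":
    installed = {p.name: kernel_signers(p) for p in Path("/boot").glob("vmlinuz-*")}
    for name, cns in installed.items():
        print(name, "signed by:", ", ".join(sorted(cns)) or "(unsigned)")
    print("safe to enforce signatures:", safe_to_enforce(installed))
```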
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1789918
Title:
grub2 signed kernel enforcement doesn't check on upgrade that
signatures are from trusted keys
Status in grub2 package in Ubuntu:
New
Bug description:
This is on a cosmic system. I wanted to test the 4.18 kernel in the kernel teams unstable ppa. I enabled that ppa, then ran "sudo apt-get update; sudo apt-get dist-upgrade" and then rebooted. Upon boot grub started reporting that none of the kernels I have installed have valid signatures. These were working just fine before this update. The only remedy was to disable secure boot in my bios.
---
ProblemType: Bug
ApportVersion: 2.20.10-0ubuntu9
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 18.10
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-08-14 (380 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Alpha amd64 (20170812)
Package: grub2 (not installed)
ProcEnviron:
TERM=tmux-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
Tags: wayland-session cosmic
Uname: Linux 4.18.0-7-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip kvm libvirt lpadmin plugdev sambashare sudo
_MarkForUpload: True