[Bug 1921387] [NEW] launchpad signing shimaa64.efi fails to validate
Dimitri John Ledkov
1921387 at bugs.launchpad.net
Thu Mar 25 12:59:51 UTC 2021
Public bug reported:
launchpad signing shimaa64.efi fails to validate
cd $(mktemp -d)
wget http://ppa.launchpad.net/xnox/nonvirt/ubuntu/dists/hirsute/main/signed/shim-arm64/15.3-0ubuntu1~ppa1/signed.tar.gz
tar xvf ./signed.tar.gz
sbverify --cert 15.3-0ubuntu1~ppa1/control/uefi.crt 15.3-0ubuntu1~ppa1/shimaa64.efi.signed
Signature verification failed
And yet inside a bionic-amd64 chroot I get:
# sbverify --cert 15.3-0ubuntu1~ppa1/control/uefi.crt 15.3-0ubuntu1~ppa1/shimaa64.efi.signed
warning: gap in section table:
.data : 0x0007f000 - 0x000b3800,
.sbat : 0x000b4000 - 0x000b5000,
gaps in the section table may result in different checksums
warning: data remaining[740864 vs 800872]: gaps between PE/COFF sections?
Signature verification OK
However, if in xenial-amd64 I perform
update-secureboot-policy new-key
openssl x509 -inform der -outform pem -in /var/lib/shim-signed/mok/MOK.der -out /var/lib/shim-signed/mok/MOK.pem
sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem 15.3-0ubuntu1~ppa1/shimaa64.efi
sbverify --cert /var/lib/shim-signed/mok/MOK.pem 15.3-0ubuntu1~ppa1/shimaa64.efi.signed
Signature verification OK
Looks like something is dodgy in sbverify in bionic; i.e. it calculates / signs / verifies the wrong hash.
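As an added illustration (not part of the bug report or of sbsigntool), here is the check behind bionic's "gap in section table" and "data remaining" warnings: a small parser that lists each PE section's file range, reports gaps between consecutive sections and counts bytes left after the last one. Authenticode hashes sections in file order and skips what lies between them, so these are exactly the regions where two tools can disagree about what the signature covers. The helpers parse_sections, section_gaps and build_image are hypothetical, and the sample images are constructed to mirror the .data/.sbat layout in the report.

```python
"""Find the PE/COFF section gaps that sbverify warns about (added example)."""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(image):
    """Return [(name, PointerToRawData, SizeOfRawData)] from the section table."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    out = []
    for i in range(num_sections):
        name, _vsz, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(image, table + i * 40)
        out.append((name.rstrip(b"\0").decode(), raw_ptr, raw_size))
    return out

def section_gaps(image):
    """Return (gaps, remaining): gaps between consecutive sections in file order,
    and the number of bytes after the last section. Both are skipped by the
    Authenticode hash, which is why sbverify flags them."""
    secs = sorted((s for s in parse_sections(image) if s[2]), key=lambda s: s[1])
    gaps = []
    for (name_a, off_a, size_a), (name_b, off_b, _) in zip(secs, secs[1:]):
        if off_b > off_a + size_a:
            gaps.append((name_a, off_a + size_a, name_b, off_b))
    last_end = max((off + size for _, off, size in secs), default=0)
    return gaps, len(image) - last_end

def build_image(layout, trailing=0):
    """Constructed minimal PE-shaped file: DOS stub, PE signature, COFF header
    (no optional header, which the gap check does not need), section table, and
    section bodies placed at the given (name, offset, size) positions."""
    img = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0xAA64, len(layout), 0, 0, 0, 0, 0x0002)
    for name, off, size in layout:
        img += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), size, off, size, off, 0, 0, 0, 0, 0x40000040)
    img = img.ljust(max(off + size for _, off, size in layout), b"\0")
    for _, off, size in layout:
        img[off:off + size] = b"\xAB" * size
    return bytes(img) + b"\xCD" * trailing

# Constructed layouts: one with a hole before .sbat plus leftover bytes, one contiguous.
GAPPED = build_image([(".text", 0x200, 0x200), (".data", 0x400, 0x180), (".sbat", 0x600, 0x100)], trailing=0x40)
CONTIGUOUS = build_image([(".text", 0x200, 0x200), (".data", 0x400, 0x200), (".sbat", 0x600, 0x100)])

if __name__ == "__main__":
    for label, img in (("gapped", GAPPED), ("contiguous", CONTIGUOUS)):
        gaps, rem = section_gaps(img)
        print(label, [f"{a} ends 0x{e:x}, {b} starts 0x{s:x}" for a, e, b, s in gaps], "remaining:", rem)
```

Run it against a real shimaa64.efi by replacing the constructed image with the file's bytes; a non-empty gap list or a non-zero remainder is the condition under which the two sbverify versions above can reach different verdicts.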
** Affects: launchpad
Importance: Undecided
Status: New
** Affects: sbsigntool (Ubuntu)
Importance: Undecided
Status: New
** Also affects: sbsigntool (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
launchpad signing shimaa64.efi fails to validate
- mktemp -d
+ cd $(mktemp -d)
wget
http://ppa.launchpad.net/xnox/nonvirt/ubuntu/dists/hirsute/main/signed
/shim-arm64/15.3-0ubuntu1~ppa1/signed.tar.gz
tar xvf ./signed.tar.gz
sbverify --cert 15.3-0ubuntu1~ppa1/control/uefi.crt
15.3-0ubuntu1~ppa1/shimaa64.efi.signed
Signature verification failed
-
However,
If in xenial-amd64 I perform
update-secureboot-policy new-key
openssl x509 -inform der -outform pem -in /var/lib/shim-signed/mok/MOK.der -out /var/lib/shim-signed/mok/MOK.pem
sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-
signed/mok/MOK.pem 15.3-0ubuntu1~ppa1/shimaa64.efi
sbverify --cert /var/lib/shim-signed/mok/MOK.pem 15.3-0ubuntu1~ppa1/shimaa64.efi.signed
Signature verification OK
** Description changed:
launchpad signing shimaa64.efi fails to validate
cd $(mktemp -d)
wget
http://ppa.launchpad.net/xnox/nonvirt/ubuntu/dists/hirsute/main/signed
/shim-arm64/15.3-0ubuntu1~ppa1/signed.tar.gz
tar xvf ./signed.tar.gz
sbverify --cert 15.3-0ubuntu1~ppa1/control/uefi.crt
15.3-0ubuntu1~ppa1/shimaa64.efi.signed
Signature verification failed
+
+ And yet inside bionic-amd64 chroot I get:
+
+ # sbverify --cert 15.3-0ubuntu1~ppa1/control/uefi.crt 15.3-0ubuntu1~ppa1/shimaa64.efi.signed
+ warning: gap in section table:
+ .data : 0x0007f000 - 0x000b3800,
+ .sbat : 0x000b4000 - 0x000b5000,
+ gaps in the section table may result in different checksums
+ warning: data remaining[740864 vs 800872]: gaps between PE/COFF sections?
+ Signature verification OK
+
+
However,
If in xenial-amd64 I perform
update-secureboot-policy new-key
openssl x509 -inform der -outform pem -in /var/lib/shim-signed/mok/MOK.der -out /var/lib/shim-signed/mok/MOK.pem
sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-
signed/mok/MOK.pem 15.3-0ubuntu1~ppa1/shimaa64.efi
sbverify --cert /var/lib/shim-signed/mok/MOK.pem 15.3-0ubuntu1~ppa1/shimaa64.efi.signed
Signature verification OK
+
+ Looks like something is dodgy in sbverify in bionic; i.e. it calculates
+ / signs / verifies wrong hash.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1921387
Title:
launchpad signing shimaa64.efi fails to validate
Status in Launchpad itself:
New
Status in sbsigntool package in Ubuntu:
New