[Bug 1968260] Re: [UBUNTU 20.04] genprotimg fails to process z15 host key documents after April 2022 (s390-tools)
Ubuntu Foundations Team Bug Bot
1968260 at bugs.launchpad.net
Fri Apr 8 16:20:23 UTC 2022
The attachment "s390-tools debdiff for LP#1968259 and LP#1968260 /
jammy" seems to be a debdiff. The ubuntu-sponsors team has been
subscribed to the bug report so that they can review and hopefully
sponsor the debdiff. If the attachment isn't a patch, please remove the
"patch" flag from the attachment, remove the "patch" tag, and if you are
a member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1968260
Title:
  [UBUNTU 20.04] genprotimg fails to process z15 host key documents
  after April 2022 (s390-tools)

Status in Ubuntu on IBM z Systems:
  New
Status in s390-tools package in Ubuntu:
  In Progress
Status in s390-tools-signed package in Ubuntu:
  In Progress
Status in s390-tools source package in Focal:
  New
Status in s390-tools-signed source package in Focal:
  New
Status in s390-tools source package in Impish:
  New
Status in s390-tools-signed source package in Impish:
  New
Status in s390-tools source package in Jammy:
  In Progress
Status in s390-tools-signed source package in Jammy:
  In Progress
Bug description:
== Comment: #0 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 08:55:11 ==
DigiCert is the CA issuing the signing certificate for Secure Execution host key documents. This certificate is used for the verification of the host key document validity. Recently, DigiCert has changed the root CA certificate used for issuance of the signing certificates.
As genprotimg is checking the CA serial, the verification of the chain of trust will fail. As a workaround, it is possible to disable certificate verification, but this is not recommended because it makes it easier to provide a fake host key document.
Since the previously issued host key documents are expiring in April 2022, it is necessary to fix genprotimg to accept the newly issued host key documents.
Contact Information = Viktor Mihajlovski <mihajlov at de.ibm.com>
== Comment: #2 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 08:57:47 ==
Fixed by:
https://github.com/ibm-s390-linux/s390-tools
commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d
Author: Marc Hartmayer <mhartmay at linux.ibm.com>
Date: Thu Mar 31 14:00:31 2022 +0000
genprotimg: remove DigiCert root CA pinning