[Bug 1961864] Re: fwupd daemon failed verifying firmware signature

Crag Wang 1961864 at bugs.launchpad.net
Wed Feb 23 11:48:46 UTC 2022 

Can you please paste your output from running below?
$ gcab -x 4e3f12fc1901c05790ab17ff2223a79631477aa87979498874c4c262cfafc144-WD19FirmwareUpdateLinux_01.00.21.cab
$ jcat-tool verify ./firmware.jcat --public-keys /etc/pki/fwupd

package.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
ec.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
vmm5331.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5413.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5487.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
titanridge.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
package.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
ec.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
vmm5331.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5413.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5487.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
titanridge.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
Validation failed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libjcat in Ubuntu.
https://bugs.launchpad.net/bugs/1961864

Title:
  fwupd daemon failed verifying firmware signature

Status in OEM Priority Project:
  Triaged
Status in fwupd package in Ubuntu:
  New
Status in libjcat package in Ubuntu:
  New

Bug description:
  The firmware blobs in cabinet archive are presently LVFS signed with
  gpg and pkcs7, if libjcat at compilation time without one then the
  blobs signed with both can't be verified.

  Impact is fwupd daemon will fail the firmware install immediately
  because OnlyTrusted=true is defaulted (in fwupd 1.7.x) to verifying
  the signature for daemon.

  We need uprev libjcat at least 0.1.4 onward to fix this issue.

  Issue is reproducible with fwupd 1.7.4
  -> https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd174

  $ fwupdmgr --version
  client version:	1.7.4
  compile-time dependency versions
   gusb:	0.3.4

  daemon version: 1.7.4

  $ dpkg -l | grep libjcat
  ii  libjcat1:amd64    0.1.3-2   amd64   JSON catalog library

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1961864/+subscriptions

More information about the foundations-bugs mailing list