[Bug 1980057] Re: dkms fails to sign modules in kinetic, no more kmodsign

Launchpad Bug Tracker 1980057 at bugs.launchpad.net
Tue Jun 28 10:46:26 UTC 2022 

This bug was fixed in the package sbsigntool - 0.9.4-3.1ubuntu1

---------------
sbsigntool (0.9.4-3.1ubuntu1) kinetic; urgency=medium

  * Merge from Debian unstable to restore Ubuntu delta (LP: #1980057)
    Remaining changes:
    - d/p/ubuntu-kernel-module-signing.patch (rebased on 0.9.4) and
      d/p/ubuntu-kernel-module-signing-fixes.patch (rebased on 0.9.4):
      add the kernel module signing tool to the package.
    - d/p/ubuntu-clear-image-before-use.patch: avoid use of uninitialised
      data causing a startup crash.
    - dp/sbkeysync-Don-t-ignore-errors-from-insert_new_keys.patch: exit non-zero
      upon key insertion failure
    Dropped changes, applied in Debian:
    - Disable -Werror on deprecation warnings for the OpenSSL transition
    - Apply patch to fix the OpenSSL3 build

 -- Simon Chopin <schopin at ubuntu.com>  Tue, 28 Jun 2022 10:20:23 +0200

** Changed in: sbsigntool (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1980057

Title:
  dkms fails to sign modules in kinetic, no more kmodsign

Status in sbsigntool package in Ubuntu:
  Fix Released

Bug description:
  It seems that dkms uses a tool called kmodsign to sign modules, which
  no longer exists in kinetic according to apt-file, causing dkms
  modules to be unsigned.

  sign_build()
  {
      [[ -x "$(command -v kmodsign)" && -d "/var/lib/shim-signed/mok/" ]] || return
      local base_dir="$dkms_tree/$module/$module_version/$kernelver/$arch"
      if type update-secureboot-policy >/dev/null 2>&1; then
          echo $"Signing module:"
          SHIM_NOTRIGGER=y update-secureboot-policy --new-key
          for ko in `find "$base_dir/module/" -name "*.ko" -print`;
          do
              echo " - $ko"
              kmodsign sha512 \
                  /var/lib/shim-signed/mok/MOK.priv \
                  /var/lib/shim-signed/mok/MOK.der \
                  "$ko"
          done
          update-secureboot-policy --enroll-key
      fi
  }

  instead of kmodsign, it should use

  /lib/modules/$kernelver/build/scripts/sign-file

  AFAICT

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1980057/+subscriptions

More information about the foundations-bugs mailing list