[Bug 2044606] Re: Reset Checksum upon removing all signatures
Launchpad Bug Tracker
2044606 at bugs.launchpad.net
Thu Dec 7 22:06:49 UTC 2023
This bug was fixed in the package sbsigntool - 0.9.4-3.1ubuntu4
---------------
sbsigntool (0.9.4-3.1ubuntu4) noble; urgency=medium
* d/p/zero-checksum-unsigned.patch: ensure sbsign/sbattach --remove are
roundtrip safe and produce identical original binaries. LP: #2044606
-- Dimitri John Ledkov <dimitri.ledkov at canonical.com> Sat, 25 Nov 2023 15:37:27 +0000
** Changed in: sbsigntool (Ubuntu)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/2044606
Title:
Reset Checksum upon removing all signatures
Status in sbsigntool package in Ubuntu:
Fix Released
Bug description:
When compiling grub, shim, or kernels, the unsigned binaries are typically
produced with the checksum set to zero in the PE header.
The checksum is updated upon signing.
To ensure that signing a binary and then removing the signatures from it is
round-trip safe, one needs to zero out the checksum.
Otherwise it is difficult to prove that the signing/unsigned/kernel.efi
builds of the kernel are the same, which leads to different HMACs of
it, as has been highlighted during FIPS certification.
Upstream shim was notified about this at
https://github.com/rhboot/shim/issues/612
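The round-trip problem described in the bug report, as an added worked example that is not part of the bug report or of sbsigntool's own code. It builds a constructed minimal PE32+ image with a zero CheckSum, mimics what a signer does (append a WIN_CERTIFICATE, point the security data directory at it, recompute the PE checksum over the whole file), then strips the certificate table the way `sbattach --remove` does, once leaving the CheckSum alone and once zeroing it. Only the second variant yields bytes identical to the original. The function names, the fake PKCS#7 blob and the filler bytes are assumptions for illustration; the header offsets and the checksum algorithm (16-bit word sum with end-around carry, skipping the CheckSum field, plus file length) are the documented PE format.

```python
"""Added example: why stripping an Authenticode signature must also reset
the PE CheckSum field to restore the original unsigned bytes."""
import struct

CHECKSUM_OFF_IN_OPT = 64                      # same for PE32 and PE32+
# IMAGE_DIRECTORY_ENTRY_SECURITY is data directory index 4.
SECURITY_DIR_OFF_IN_OPT = {0x10B: 96 + 4 * 8, 0x20B: 112 + 4 * 8}


def _field_offsets(pe: bytes) -> tuple:
    """File offsets of (CheckSum, SecurityDirectory) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                    # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    return opt + CHECKSUM_OFF_IN_OPT, opt + SECURITY_DIR_OFF_IN_OPT[magic]


def pe_checksum(pe: bytes) -> int:
    """Standard PE checksum over the whole file, skipping the 4-byte
    CheckSum field itself, with the file length added at the end."""
    cks_off, _ = _field_offsets(pe)
    buf = pe + b"\0" * (len(pe) % 2)           # pad an odd trailing byte
    total = 0
    for off in range(0, len(buf), 2):
        if cks_off <= off < cks_off + 4:
            continue
        total += struct.unpack_from("<H", buf, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(pe)) & 0xFFFFFFFF


def get_checksum(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, _field_offsets(pe)[0])[0]


def set_checksum(pe: bytes, value: int) -> bytes:
    out = bytearray(pe)
    struct.pack_into("<I", out, _field_offsets(pe)[0], value)
    return bytes(out)


def attach_signature(unsigned: bytes, pkcs7: bytes) -> bytes:
    """Mimic a signer: append a WIN_CERTIFICATE at the 8-byte-aligned end
    of file, fill in the security directory, recompute CheckSum."""
    if len(unsigned) % 8:
        raise ValueError("image end must be 8-byte aligned for this example")
    _, sec_off = _field_offsets(unsigned)
    length = 8 + len(pkcs7)
    length += (-length) % 8                    # dwLength is padded to 8 bytes
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
    cert = struct.pack("<IHH", length, 0x0200, 0x0002) + pkcs7
    cert += b"\0" * (length - len(cert))
    out = bytearray(unsigned + cert)
    # The security directory holds a file offset, not an RVA.
    struct.pack_into("<II", out, sec_off, len(unsigned), length)
    return set_checksum(bytes(out), pe_checksum(bytes(out)))


def detach_signature(signed: bytes, reset_checksum: bool) -> bytes:
    """Strip the certificate table (what `sbattach --remove` does); when
    reset_checksum is True also zero CheckSum, as the LP: #2044606 fix does."""
    _, sec_off = _field_offsets(signed)
    cert_off, cert_len = struct.unpack_from("<II", signed, sec_off)
    if cert_off == 0:
        raise ValueError("image carries no certificate table")
    if cert_off + cert_len != len(signed):
        raise ValueError("certificate table is not at end of file")
    out = bytearray(signed[:cert_off])
    struct.pack_into("<II", out, sec_off, 0, 0)
    return set_checksum(bytes(out), 0) if reset_checksum else bytes(out)


def build_unsigned_pe() -> bytes:
    """Constructed minimal PE32+ image (not a real binary): MZ stub, PE
    signature, COFF header, 240-byte optional header with CheckSum == 0,
    and 200 filler bytes so the file ends 8-byte aligned (528 bytes)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x8664)    # Machine = AMD64
    struct.pack_into("<H", coff, 16, 240)      # SizeOfOptionalHeader
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt) + b"\x90" * 200


def roundtrip_is_identical(reset_checksum: bool) -> bool:
    """sign -> remove -> compare against the original unsigned bytes."""
    unsigned = build_unsigned_pe()
    signed = attach_signature(unsigned, b"constructed-fake-pkcs7-blob")
    return detach_signature(signed, reset_checksum) == unsigned


if __name__ == "__main__":
    u = build_unsigned_pe()
    s = attach_signature(u, b"constructed-fake-pkcs7-blob")
    print(f"unsigned CheckSum=0x{get_checksum(u):08x}, signed CheckSum=0x{get_checksum(s):08x}")
    print("identical after remove without CheckSum reset:", roundtrip_is_identical(False))
    print("identical after remove with CheckSum reset:   ", roundtrip_is_identical(True))
```

The check a practitioner wants after a real `sbattach --remove` is the same one `roundtrip_is_identical(True)` performs: compare the stripped file byte-for-byte against the build output (for instance with `cmp`), not just confirm that the certificate table is gone. A non-zero CheckSum is the one header field a signer rewrites outside the certificate table, so it is exactly the field that makes the comparison fail.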