Hi

Are there any news regarding the signed binary verification with sbverify? It 
still fails when used with the provided secure boot CA from 
https://dsa.debian.org/secure-boot-ca.

I managed to verify the certificate used to sign the binaries with the 
following commands - but I hope we get a version with sbverify and the root CA 
directly :)

1. Download CA cert from https://dsa.debian.org/secure-boot-ca

2. Convert downloaded CA cert to pem
    openssl x509 -inform der -outform pem -in secure-boot-ca -out debian-ca.pem

3. Extract the signature from the binary
    osslsigncode extract-signature -pem /boot/vmlinuz-... vmlinuz.sig

4. Show the signer cert and use it for verification
    openssl pkcs7 -inform pem -print_certs -text -in vmlinuz.sig

5. Verify the used signing cert against the CA from d.o
    openssl verify -verbose -CAfile debian-ca.pem debian-signer.pem
    debian-signer.pem: OK

I would also add a section to https://wiki.debian.org/SecureBoot or to a 
subpage for how to verify signed secure boot binaries (e.g. a new subpage like 
https://wiki.debian.org/SecureBoot/Verification)

Thanks
Andreas

--
OpenPGP Key AE852913B3757F790297FA2CF04BCF398957A857 @ https://keys.openpgp.org

Reply via email to