Package: osslsigncode
Version: 2.5-4
Severity: important
X-Debbugs-Cc: [email protected]

Dear Maintainer,

version 2.5 is apparently unable to process (some? - all my) SafeNet tokens, with online advice being to either downgrade to 2.4 or upgrade to 2.6: https://stackoverflow.com/a/78308879 . Unfortunately it would seem that right now there are no other versions but 2.5 available for Bookworm and installing those available on SID transitively requires several library versions themselves not (yet?) available on Bookworm. Could you please provide a version 2.6+?

   * What led up to the situation?

Switching to Debian 12 and
- osslsigncode 2.5-4
- openssl 3.0.13-1~deb12u1
- libp11-kit0 0.24.1-2
- libengine-pkcs11-openssl 0.4.12-0.1

from Debian 10 and
- osslsigncode 2.0+really2.5-4+deb10u1
- openssl 1.1.1n-0+deb10u6
- libp11-kit0 0.23.15-2+deb10u1
- libengine-pkcs11-openssl 0.4.9-4

   * What exactly did you do (or not do) that was effective (or ineffective)?

This invocation works on Debian 10:

    osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
        -pkcs11module /usr/lib/libIDPrimePKCS11.so \
        -pkcs11cert <certificate uri obtained from p11tool> \
        -h sha2 \
        -n <application name> \
        -i <vendor url> \
        -t <time server> \
        -in <unsigned file> -out <signed file>

This invocation fails on Debian 12:

    osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so \
        -pkcs11module /usr/lib/libIDPrimePKCS11.so \
        -pkcs11cert <certificate uri obtained from p11tool> \
        -h sha2 \
        -n <application name> \
        -i <vendor url> \
        -t <time server> \
        -in <unsigned file> -out <signed file>

with error message

    $ <invocation>
    bad engine id
    Failed to set 'dynamic' engine
    40D912A3047F0000:error:1300006D:engine routines:dynamic_load:init failed:../crypto/engine/eng_dyn.c:514:
    Failed

To troubleshoot, I tried:
- read certificates via p11tool to ascertain libp11-kit0 is not responsible (still works as in Debian 10)
- find https://mta.openssl.org/pipermail/openssl-users/2024-July/017278.html , downgrade to openssl 3.0.11 (no effect; reverted)
- downgrade to libengine-pkcs11-openssl 0.4.9-4, which had engine-1.1/pkcs.so, that worked on Buster (failed: error was replaced with 'Failed to init crypto'; reverted)
- find https://stackoverflow.com/a/78308879
- add engine to openssl via https://github.com/OpenSC/libp11#using-the-engine-from-the-command-line , test it via https://github.com/OpenSC/libp11#testing-the-engine-operation (fixed error "bad engine id")
  - This step seems new - I checked /etc/ssl/openssl.cnf on Debian 10 and no such lines exist there, nor are they necessary. Feels like a regression to me, but nb.
- check for additional versions at https://packages.debian.org/bookworm/osslsigncode (none available)
- check for additional versions using 'sudo apt list --all-versions osslsigncode', including on bookworm-backports, bookworm-backports-sloppy (none available)
- install osslsigncode_2.9-1_amd64.deb (failed: dependencies transitively require newer packages than available on Bookworm, not ready to open this can of... worms)

   * What was the outcome of this action?

I managed to eliminate one line of error, but now I am stuck.

   * What outcome did you expect instead?

It would be nice if some combination of Bookworm-available packages worked. I hope that, as long as Bookworm is supported, newer already-released versions of programs will keep arriving.

Another nb.: I would expect the necessary packages to be listed as / similar to dependencies, e.g. evidently osslsigncode uses openssl and can fail from openssl misconfiguration, but it has no mention of openssl and only by blind internet search was I able to find whence the "bad engine id" came. packages.debian.org has e.g. relations 'Depends', 'Recommends', 'Suggests' to document soft dependencies like this. (Can I add to those myself? It is presumably a thankless task to keep them up-to-date.)

Yours sincerely
Simon Beyer

-- System Information:
Debian Release: 12.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-23-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages osslsigncode depends on:
ii  libc6     2.36-9+deb12u7
ii  libcurl4  7.88.1-10+deb12u6
ii  libssl3   3.0.13-1~deb12u1

osslsigncode recommends no packages.

osslsigncode suggests no packages.

-- no debconf information
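
An added illustration, not part of the report above and not configuration shipped by Debian or libp11: the shape of the engine registration in /etc/ssl/openssl.cnf that the libp11 README linked in the report describes. The two paths are the ones from the report's Debian 12 invocation; the section names are labels chosen here.

```ini
# /etc/ssl/openssl.cnf (excerpt). Added example; section names are labels
# chosen for this illustration.

# Must sit in the unnamed default section at the top of the file, before any
# [section] header. If the file already has an openssl_conf line, reuse the
# section it names and add only the "engines" line there.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# The left-hand name is free-form; the right-hand side names the section below.
pkcs11 = pkcs11_section

[pkcs11_section]
# ID the engine is registered under and looked up by.
engine_id = pkcs11
# Engine shared object (path from the report's Debian 12 invocation).
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
# PKCS#11 module the engine drives (SafeNet module path from the report).
MODULE_PATH = /usr/lib/libIDPrimePKCS11.so
# Do not initialise the engine while the configuration file is being loaded.
init = 0
```

The README's check that the registration is picked up is `openssl engine pkcs11 -t`.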

