Hi,

Ben Hutchings writes:
> You can also find the detached signatures in the source package,
> linux-signed-amd64. For this module, the signature is:
>
> debian/signatures/linux-image-5.3.0-1-amd64-unsigned/lib/modules/5.3.0-1-amd64/kernel/sound/pci/hda/snd-hda-codec-hdmi.ko.sig

Tomas Janousek suggested in https://bugs.debian.org/942881#41 that the
file might be truncated and two bytes missing. I think that might be
the problem, but with three bytes missing:

src:linux-signed-amd64/5.3.7+1 has for linux-image-5.3.0-1-amd64 a total
of 3568 detached signatures: one is 1378 bytes (kernel itself), then
3566 module signatures at 396 bytes each, then one module signature for
snd-hda-codec-hdmi.ko.sig which is only 393 bytes. That is very
suspicious...

> It might be worth
> adding verification to the code signing service so we can catch this if
> it happens again. We could alternately verify signatures at the point
> we attach them to binaries, but that would need to be implemented in
> multiple places.

Ack; validating the signatures when attaching them might notice when the
process of attaching them causes bugs, but I'm not sure how likely that
is. But then signing stuff producing truncated files also shouldn't
happen...

Ansgar
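The size comparison described in the message above can be automated as a truncation check over a signature tree. This is an added example, not part of the message or of Debian's code signing service; it assumes the detached signatures are DER-encoded blobs, and the helper names, file names and sample files are constructed for illustration.

```python
import os
from collections import Counter

def der_total_length(data):
    """Total size (header + body) the outer DER element claims, or None."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def find_suspect_signatures(root):
    """Return {relative path: reason} for .sig files that look truncated."""
    sizes, suspects = {}, {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".sig"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            declared = der_total_length(data)
            if declared != len(data):     # assumption: file is exactly one DER element
                suspects[rel] = f"header declares {declared} bytes, file has {len(data)}"
            if name.endswith(".ko.sig"):
                sizes[rel] = len(data)
    # Heuristic: module signatures made with one key normally share one size.
    if sizes:
        modal = Counter(sizes.values()).most_common(1)[0][0]
        for rel, size in sizes.items():
            if size != modal:
                suspects.setdefault(rel, f"{size} bytes, other modules are {modal}")
    return suspects

def fake_sig(total):
    """Constructed stand-in: DER SEQUENCE header plus zero padding."""
    return b"\x30\x82" + (total - 4).to_bytes(2, "big") + bytes(total - 4)

def build_sample_tree(root):
    """Constructed sample mirroring the sizes quoted in the message."""
    mod = os.path.join(root, "lib", "modules")
    os.makedirs(mod)
    blobs = {"vmlinuz.sig": fake_sig(1378), "a.ko.sig": fake_sig(396),
             "b.ko.sig": fake_sig(396), "snd-hda-codec-hdmi.ko.sig": fake_sig(396)[:393]}
    for name, blob in blobs.items():
        with open(os.path.join(root if name == "vmlinuz.sig" else mod, name), "wb") as fh:
            fh.write(blob)
```

A length check like this only catches truncation; it does not replace cryptographic verification of each signature against the signed file.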