Tomas Janousek writes:
> On Fri, Oct 25, 2019 at 09:45:55AM +0200, Ansgar wrote:
>> Tomas Janousek suggested in https://bugs.debian.org/942881#41 that the
>> file might be truncated and two bytes missing. I think that might be
>> the problem, but with three bytes missing:
>>
>> src:linux-signed-amd64/5.3.7+1 has for linux-image-5.3.0-1-amd64 a total
>> of 3568 detached signatures: one is 1378 bytes (kernel itself), then
>> 3566 module signatures at 396 bytes each, then one module signature for
>> snd-hda-codec-hdmi.ko.sig which is only 393 bytes. That is very
>> suspicious...
>
> Not really. That's just the ASN.1. For 256 byte octet string, the length field
> is one byte longer than for 255 or 254 bytes.

Ah, I see: the asn1parse output has hl=2 vs. hl=3.

> Yesterday I got one more idea: we've ruled out padding, but maybe a zero byte
> in the middle would somehow get lost. So I tried all the ways one could place
> two zero bytes into the 254 byte string, and got nothing.

I tried running `sign-file` manually and can reproduce the truncated
file with Debian's production key.

I also tried signing the same key with a test key instead of the
production key: then the signature is 256 bytes long, just as with any
other file...

`strace -e write sign-file` reports only a single call to `write()`
which writes the entire file in one go. The return value also matches
the number of bytes asked to be written in every case.

Ansgar
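
Added example, not part of the message above or of the thread: a minimal DER walker that lists offset, depth, header length (hl) and content length (l) per element, in the manner of asn1parse, to show how two missing content bytes in an OCTET STRING shrink the whole encoding by three. The two blobs are constructed stand-ins (a SEQUENCE wrapping one OCTET STRING of 256 or 254 filler bytes), not the real detached signatures, and all function names are hypothetical.

```python
# Added example: minimal DER TLV walker (definite lengths, single-byte tags only).
CONSTRUCTED = 0x20  # bit 6 of the tag byte marks a constructed element

def der_len(n):
    """Encode a DER length: short form below 128, else 0x80|count + big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def read_header(buf, off):
    """Return (tag, header_length, content_length) for the element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def walk(buf, off=0, end=None, depth=0):
    """Yield (offset, depth, hl, l, tag) for each element, outermost first."""
    end = len(buf) if end is None else end
    while off < end:
        tag, hl, l = read_header(buf, off)
        if off + hl + l > end:
            raise ValueError(f"element at {off} overruns its container")
        yield off, depth, hl, l, tag
        if tag & CONSTRUCTED:
            yield from walk(buf, off + hl, off + hl + l, depth + 1)
        off += hl + l

def wrap(sig):
    # Constructed stand-in structure: SEQUENCE { OCTET STRING sig }
    return tlv(0x30, tlv(0x04, sig))

if __name__ == "__main__":
    for n in (256, 254):
        blob = wrap(b"\xAA" * n)  # constructed filler, not a real signature
        print(f"content={n} total={len(blob)}")
        for off, d, hl, l, tag in walk(blob):
            print(f"  {off:4}:d={d} hl={hl} l={l:4} tag=0x{tag:02x}")
```

The walker raises ValueError when an element claims more bytes than its container holds, which is how a file truncated after encoding would show up, as opposed to a shorter value that was encoded consistently.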