Public bug reported: [ Reason ] Open source IPA (Image Processing Algorithms) modules are signed at build time allowing them to be trusted. However, IPA binaries are modified by dh_strip invalidating the signatures. Thus IPA modules provided in the package are not trusted anymore and need to be re-signed after the dh_strip step. This fix is applied in 0.0.4-3.
[ Impact ] Not resigning IPA modules will make them untrusted, they will be isolated inside a Sandbox environment with restricted access to the system (like any closed-source module). Provided IPA modules won't work as expected. [ Risks ] The risk is low since we only regenerate signatures after dh_strip, i.e. /usr/lib/*/libcamera/ipa_.so.sign files. ** Affects: libcamera (Ubuntu) Importance: Undecided Status: Confirmed ** Affects: libcamera (Debian) Importance: Unknown Status: Unknown ** Bug watch added: Debian Bug tracker #1033118 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033118 ** Also affects: libcamera (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033118 Importance: Unknown Status: Unknown ** Changed in: libcamera (Ubuntu) Status: New => Confirmed ** Changed in: libcamera (Ubuntu) Milestone: None => ubuntu-23.04 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libcamera in Ubuntu. https://bugs.launchpad.net/bugs/2012745 Title: IPA modules are not resigned after dh_strip Status in libcamera package in Ubuntu: Confirmed Status in libcamera package in Debian: Unknown Bug description: [ Reason ] Open source IPA (Image Processing Algorithms) modules are signed at build time allowing them to be trusted. However, IPA binaries are modified by dh_strip invalidating the signatures. Thus IPA modules provided in the package are not trusted anymore and need to be re-signed after the dh_strip step. This fix is applied in 0.0.4-3. [ Impact ] Not resigning IPA modules will make them untrusted, they will be isolated inside a Sandbox environment with restricted access to the system (like any closed-source module). Provided IPA modules won't work as expected. [ Risks ] The risk is low since we only regenerate signatures after dh_strip, i.e. /usr/lib/*/libcamera/ipa_.so.sign files. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libcamera/+bug/2012745/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp