Hi, Am I reading this right that removing SCCS keywords causes a problem for BFU? If so, does getting BFU in sync w/ Mercurial work need to go on the SCM task list?
Thanks. Bonnie -------- Original Message -------- Subject: [tools-discuss] Re: bfu problems with on-closed-bins-20070409.i386.tar.bz2 [Heads Up: elfs Date: Mon, 23 Apr 2007 01:57:24 -0700 (PDT) From: J?rgen Keil <j...@tools.de> To: tools-discuss at opensolaris.org Seems I found something; I wrote > Problem is that after the bfu, elfsign fails verification > for the kernel module /kernel/crypto/arcfour. This > breaks WEP support for the wlan driver "ipw", and it seems > as a result of this, my machine was unable to boot into > multiuser mode (the kernel complains about /kernel/crypto/arcfour > module verification errors). > > > I'm seeing errors like this: > > # elfsign verify -v /kernel/crypto/arcfour > elfsign: verification of /kernel/crypto/arcfour failed. > format: rsa_md5_sha1. > signer: O=Sun Microsystems Inc, OU=Solaris Cryptographic Framework, CN=SunOS > 5.10. .. > Question is: how do we bfu upgrade to newer onnv > bits? Is the certificate file /etc/crypto/certs/SUNWObjectCA > invalid? The problem is that the opensolaris mercurial repository doesn't have the SCCS keywords expanded any more: http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/cmd-crypto/etc/certs/SUNWObjectCA Note the ident "%Z%%M% %I% %E% SMI" line in this file. Problem is that /usr/lib/libelfsign.so.1 has the MD5 checksum of both /etc/crypto/certs/CA and /etc/crypto/certs/SUNWObjectCA compiled into the libelfsign.so shared library and the code refuses to use these certs if their MD5 checksum doesn't match the compiled-in values: % strings - /usr/lib/libelfsign.so.1 | /usr/xpg4/bin/grep -E '^[0-9a-f]{32}$' 4ede9ecb4868c0d2683b602f71596085 <<--- MD5: "SUNWObjectCA" 2646d63d62617aeae629d85cbd5daefc <<--- MD5: "CA" % gmd5sum /etc/crypto/certs/CA /etc/crypto/certs/SUNWObjectCA 2646d63d62617aeae629d85cbd5daefc /etc/crypto/certs/CA a8e0f35c570d3b379424f99f8ef5d409 /etc/crypto/certs/SUNWObjectCA I had to use the following patch, which restores the original expanded SCCS keyword values, so that the MD5 checksum for SUNWObjectCA matches the value that is compiled into libelfsign.so.1: diff -r 4c31c5bc2389 usr/src/cmd/cmd-crypto/etc/certs/SUNWObjectCA --- a/usr/src/cmd/cmd-crypto/etc/certs/SUNWObjectCA Fri Apr 20 06:09:57 2007 -0700 +++ b/usr/src/cmd/cmd-crypto/etc/certs/SUNWObjectCA Sat Apr 21 14:36:43 2007 +0200 @@ -20,7 +20,7 @@ Copyright 2007 Sun Microsystems, Inc. A Copyright 2007 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. -ident "%Z%%M% %I% %E% SMI" +ident "@(#)SUNWObjectCA 1.1 07/01/08 SMI" Subject: O=Sun Microsystems Inc, OU=VeriSign Trust Network, OU=Class 2 OnSite Subscriber CA, CN=Object Signing CA This message posted from opensolaris.org _______________________________________________ tools-discuss mailing list tools-discuss at opensolaris.org
