$ sbattach --detach detached-sig ./vmlinuz-4.17.0-7-generic
$ openssl pkcs7 -in detached-sig -inform DER -print_certs
subject=/CN=PPA canonical-kernel-team bootstrap
issuer=/CN=PPA canonical-kernel-team bootstrap
$
Thanks, this confirms that the kernel you have installed came from the ckt ppa, and not from the archive.

So it is not a bug that grub fails to boot this kernel; though we should revisit whether we could have detected this case at the time grub was upgraded and avoid installing the new bootloader in the case that all your kernels are signed but with a key not trusted by the firmware. This was discussed in https://code.launchpad.net/~juliank/grub/+git/ubuntu/+merge/345403/comments/909708 and at the time it sounded like it was infeasible. I think we need to take another run at it.

--
https://bugs.launchpad.net/bugs/1789918

Title:
  grub2 signed kernel enforcement doesn't check on upgrade that signatures are from trusted keys
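The upgrade-time check this bug asks for, as an added example (not part of the original message and not grub2's packaging code): before a bootloader that enforces signatures is installed, confirm that at least one installed kernel verifies against a trusted certificate. It assumes sbverify from sbsigntool is available and that the firmware-trusted certificates have already been exported as PEM files into a directory; the directory layout and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not grub2 packaging code.
# Assumption: CERT_DIR holds the firmware-trusted certificates as PEM files.
VERIFY=${VERIFY:-sbverify}   # sbsigntool verifier; overridable for testing

# kernel_trusted CERT_DIR KERNEL
# Succeeds if KERNEL's signature verifies against any certificate in CERT_DIR.
kernel_trusted() {
    kt_dir=$1
    kt_kernel=$2
    for kt_cert in "$kt_dir"/*.pem; do
        [ -e "$kt_cert" ] || continue   # directory without PEM files
        if $VERIFY --cert "$kt_cert" "$kt_kernel" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# check_kernels CERT_DIR KERNEL...
# Prints one "trusted"/"untrusted" line per kernel and succeeds only if at
# least one kernel would still boot under signature enforcement.
check_kernels() {
    ck_dir=$1
    shift
    ck_ok=0
    for ck_kernel in "$@"; do
        [ -e "$ck_kernel" ] || continue
        if kernel_trusted "$ck_dir" "$ck_kernel"; then
            echo "trusted   $ck_kernel"
            ck_ok=$((ck_ok + 1))
        else
            echo "untrusted $ck_kernel"
        fi
    done
    [ "$ck_ok" -gt 0 ]
}

# Stand-alone use: script CERT_DIR /boot/vmlinuz-*
if [ "$#" -ge 2 ]; then
    check_kernels "$@" || {
        echo "no installed kernel is signed by a trusted key" >&2
        exit 1
    }
fi
```

A kernel signed only by the PPA bootstrap key shown above would be reported as untrusted unless that certificate is present in the directory.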
