Public bug reported:

launchpad signing shimaa64.efi fails to validate

cd $(mktemp -d)
wget http://ppa.launchpad.net/xnox/nonvirt/ubuntu/dists/hirsute/main/signed/shim-arm64/15.3-0ubuntu1~ppa1/signed.tar.gz
tar xvf ./signed.tar.gz
sbverify --cert 15.3-0ubuntu1~ppa1/control/uefi.crt 15.3-0ubuntu1~ppa1/shimaa64.efi.signed
Signature verification failed

And yet inside bionic-amd64 chroot I get:

# sbverify --cert 15.3-0ubuntu1~ppa1/control/uefi.crt 15.3-0ubuntu1~ppa1/shimaa64.efi.signed
warning: gap in section table:
    .data : 0x0007f000 - 0x000b3800,
    .sbat : 0x000b4000 - 0x000b5000,
gaps in the section table may result in different checksums
warning: data remaining[740864 vs 800872]: gaps between PE/COFF sections?
Signature verification OK

However, if in xenial-amd64 I perform

update-secureboot-policy new-key
openssl x509 -inform der -outform pem -in /var/lib/shim-signed/mok/MOK.der -out /var/lib/shim-signed/mok/MOK.pem
sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem 15.3-0ubuntu1~ppa1/shimaa64.efi
sbverify --cert /var/lib/shim-signed/mok/MOK.pem 15.3-0ubuntu1~ppa1/shimaa64.efi.signed
Signature verification OK

Looks like something is dodgy in sbverify in bionic; i.e. it calculates / signs / verifies wrong hash.

** Affects: launchpad
     Importance: Undecided
         Status: New

** Affects: sbsigntool (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: sbsigntool (Ubuntu)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1921387
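
The "gap in section table" warning quoted in the report can be checked independently by walking the PE/COFF section headers and comparing where each section's raw data ends with where the next begins. This is an added example, not part of the original report or of sbsigntool; it assumes the ranges printed in the warning are raw-data file offsets, and `section_table`, `find_gaps` and `build_sample` are hypothetical names, with a constructed header-only sample that reuses the two ranges from the warning.

```python
import struct
import sys

def section_table(pe):
    """Return [(name, raw_offset, raw_size)] from a PE/COFF image's section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)
    table = pe_off + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        if raw_size:                                         # sections with no file data are skipped
            sections.append((name, raw_off, raw_size))
    return sections

def find_gaps(sections):
    """Return (prev_name, name, prev_end, start) where raw data is not contiguous on disk."""
    ordered = sorted(sections, key=lambda s: s[1])
    return [(pn, n, po + ps, o)
            for (pn, po, ps), (n, o, _) in zip(ordered, ordered[1:])
            if po + ps < o]

def build_sample():
    """Constructed header-only image using the two ranges from the warning in the report."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0xAA64, 2, 0, 0, 0, 0, 0)   # ARM64 machine type, 2 sections
    def sec(name, start, end):
        return struct.pack("<8sIIII16x", name, end - start, start, end - start, start)
    return (dos + b"PE\0\0" + coff
            + sec(b".data", 0x7F000, 0xB3800) + sec(b".sbat", 0xB4000, 0xB5000))

if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for prev, cur, end, start in find_gaps(section_table(data)):
        print(f"gap of {start - end:#x} bytes between {prev} (ends {end:#x}) "
              f"and {cur} (starts {start:#x})")
```

Bytes that fall in such a gap belong to no section, so two tools that treat them differently when computing the image digest can disagree on whether the same signature verifies.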
