**Subject:** Confirmed root causes and complete multi-step workaround
for `sign-file` failure (`SSL error:FFFFFFFF80000002`) on modern kernels
(e.g., 6.8.x) when manually signing DKMS modules (NVIDIA/VirtualBox).
My system encountered this exact failure (`SSL error:FFFFFFFF80000002...`) when attempting to sign the NVIDIA 580 driver modules on a **6.8.0-xx-generic** kernel. The issue is multi-faceted, involving three points of failure in the standard toolchain:
#### 1. Failure to Handle Protected Private Key
The `sign-file` script cannot correctly handle the passphrase for a password-protected private key (`MOK.priv`), resulting in the `SSL error:FFFFFFFF80000002...` failure.
**Workaround:** The private key must be temporarily unlocked/unprotected
before signing:
```bash
# Back up and create an unlocked key:
sudo openssl rsa -in /etc/ssl/MOK.priv -out /etc/ssl/MOK_unlocked.priv
```
#### 2. Failure to Handle ZSTD Compression
Since modules are now compressed as `.ko.zst`, the signing process
should manually include decompression and recompression:
**Workaround (Simplified):**
```bash
# Assuming MOK_unlocked.priv is in the current directory (or give the full path).
# The loop globs the module directory itself, so it works from any cwd.
NVIDIA_DIR="/lib/modules/$(uname -r)/updates/dkms"
UNLOCKED_KEY="MOK_unlocked.priv"
for MODULE_ZST in "${NVIDIA_DIR}"/*.ko.zst; do
    MODULE_KO="$(basename "${MODULE_ZST%.zst}")"
    # Decompress into the current directory (-f overwrites a stale copy)
    sudo zstd -d -f "${MODULE_ZST}" -o "${MODULE_KO}"
    # Sign using the sign-file script and the UNLOCKED key
    sudo "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" sha256 \
        "${UNLOCKED_KEY}" /etc/ssl/MOK.der "${MODULE_KO}"
    # Re-compress and overwrite the original (-f is required, it already exists)
    sudo zstd -f "${MODULE_KO}" -o "${MODULE_ZST}"
    sudo rm "${MODULE_KO}"
done
```
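For anyone scripting steps 1 and 2 together, here is an added example (my own, not from the bug report or the kernel tree) that keeps the unlocked key in a private temp directory removed by a trap, only decompresses files that really carry the zstd magic, and checks after each `sign-file` call that the module actually ends in the kernel's `~Module signature appended~` marker. It assumes the same paths as above (`/etc/ssl/MOK.priv`, `/etc/ssl/MOK.der`, the DKMS directory under `/lib/modules/$(uname -r)/updates/dkms`, and `sign-file` under the kernel headers); all of them can be overridden via environment variables.

```bash
#!/bin/sh
# Added example (not from the bug report): a signing loop that checks its own
# work. Paths below are assumptions and can be overridden from the environment.
set -eu

KVER="$(uname -r)"
MODULE_DIR="${MODULE_DIR:-/lib/modules/${KVER}/updates/dkms}"
SIGN_FILE="${SIGN_FILE:-/usr/src/linux-headers-${KVER}/scripts/sign-file}"
MOK_PRIV="${MOK_PRIV:-/etc/ssl/MOK.priv}"
MOK_DER="${MOK_DER:-/etc/ssl/MOK.der}"

# zstd frames start with the magic number 0xFD2FB528, i.e. the little-endian
# bytes 28 b5 2f fd. Returns 0 if the file begins with that magic.
is_zstd_file() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "28b52ffd" ]
}

# The kernel appends the 28-byte marker "~Module signature appended~\n" after
# the signature block; its presence is the cheapest check that sign-file
# really produced a signed module. Command substitution drops the trailing
# newline, so we compare against the 27 visible characters.
has_module_sig() {
    [ "$(tail -c 28 "$1")" = "~Module signature appended~" ]
}

# Decompress if needed, sign, verify the marker, and write back in place.
# The unlocked key lives only in a 0700 temp dir that the trap removes.
sign_modules() {
    work="$(mktemp -d)"
    trap 'rm -rf "$work"' EXIT INT TERM
    chmod 700 "$work"
    unlocked="$work/MOK_unlocked.priv"
    # Prompts once for the passphrase and writes the unprotected key.
    sudo openssl rsa -in "$MOK_PRIV" -out "$unlocked"
    sudo chmod 600 "$unlocked"
    for path in "$MODULE_DIR"/*.ko "$MODULE_DIR"/*.ko.zst; do
        [ -e "$path" ] || continue        # glob matched nothing
        name="$(basename "$path")"
        if is_zstd_file "$path"; then
            ko="$work/${name%.zst}"
            zstd -q -d -f "$path" -o "$ko"
        else
            ko="$work/$name"
            cp "$path" "$ko"
        fi
        sudo "$SIGN_FILE" sha256 "$unlocked" "$MOK_DER" "$ko"
        if ! has_module_sig "$ko"; then
            echo "signing failed for $name" >&2
            return 1
        fi
        if is_zstd_file "$path"; then
            sudo zstd -q -f "$ko" -o "$path"
        else
            sudo cp "$ko" "$path"
        fi
        echo "signed $name"
    done
}

# Only sign when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
    sign_modules
fi
```

Run it as `sh sign-dkms.sh --run`; the marker check catches the silent case where `sign-file` exits without appending anything, which is exactly what the `SSL error` above looks like from the outside.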
#### 3. Failure to Import Key due to Format Mismatch
After successful signing, `mokutil --import` fails if the key is in PEM
format (which `openssl req` defaults to) but is named `.der`. The error
is misleading, suggesting the key is invalid.
**Workaround:** Explicitly convert the key from PEM to DER format (which
`mokutil` requires) before importing:
```bash
# Assuming the file is named MOK.pem:
TS=$(date +%Y%m%d_%H%M)
sudo openssl x509 -in /etc/ssl/MOK.pem -inform PEM -outform DER \
    -out "/etc/ssl/MOK_${TS}.der"
# Import the correct DER file
sudo mokutil --import "/etc/ssl/MOK_${TS}.der"
```
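Because the misleading `mokutil` error comes from feeding it a PEM file with a `.der` name, it is worth checking the actual encoding rather than trusting the extension. The following is an added example of mine (not from the bug report): it classifies a certificate file by its first bytes (PEM starts with the `-----BEGIN` armour, DER with the ASN.1 SEQUENCE tag `0x30`) and converts only when needed before importing. The paths are placeholders; run it as root or with sudo so it can read the certificate.

```bash
#!/bin/sh
# Added example (not from the bug report): detect PEM vs DER by content and
# convert only when needed before handing the file to mokutil.
set -eu

# Reads the first 10 bytes as hex. "-----BEGIN" is 2d2d2d2d2d424547494e;
# a DER certificate starts with the SEQUENCE tag 0x30.
cert_format() {
    magic="$(od -An -tx1 -N10 "$1" | tr -d ' \n')"
    case "$magic" in
        2d2d2d2d2d424547494e) echo PEM ;;
        30*)                  echo DER ;;
        *)                    echo unknown ;;
    esac
}

# Write a DER copy of $1 to $2, converting from PEM if that is what it is.
to_der() {
    case "$(cert_format "$1")" in
        DER) cp "$1" "$2" ;;
        PEM) openssl x509 -in "$1" -inform PEM -outform DER -out "$2" ;;
        *)   echo "$1: not a PEM or DER certificate" >&2; return 1 ;;
    esac
}

# Enrol the certificate with shim's MOK list. mokutil asks for a one-time
# password here and MokManager asks for it again at the next boot.
import_mok() {
    der="$(mktemp)"
    to_der "$1" "$der"
    sudo mokutil --import "$der"
    rm -f "$der"
}

# Usage: sh import-mok.sh /etc/ssl/MOK.pem   (path is a placeholder)
if [ $# -ge 1 ]; then
    import_mok "$1"
fi
```

The same `cert_format` check also explains the symptom in step 3: a file that reports `PEM` is exactly the one `mokutil --import` rejects, whatever its extension says.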
**Conclusion:** The maintainers should address the broken passphrase
handling in the `sign-file` script to prevent requiring users to unlock
their private keys, and should ensure DKMS or the kernel tools handle
ZSTD compression transparently.
--
https://bugs.launchpad.net/bugs/2119337
Title:
VirtualBox can't load signed virtualbox kernel module vboxdrv.ko