I am pretty sure that this is due to the jq patch for https://ubuntu.com/security/CVE-2026-33948 [1].
systemd is padding the /usr/share/*.verity.sig files with null bytes and passing them directly to jq in mkosi.postinst.chroot.

I would say the proper fix here is to either

1. Strip the trailing NULL bytes in mkosi.postinst.chroot before passing them to jq
2. Or to patch jq to ignore trailing (and only trailing to not reintroduce the vulnerability) NULL bytes to restore some of the previous behavior

I would argue that the first solution is a lot simpler considering that jq parses in chunks which makes the second option a lot more difficult and invasive.

[1] https://git.launchpad.net/ubuntu/+source/jq/tree/debian/patches/CVE-2026-33948.patch?h=ubuntu/resolute-devel

** CVE added: https://cve.org/CVERecord?id=CVE-2026-33948

https://bugs.launchpad.net/bugs/2155132

Title:
  systemd upstream test falling apart in resolute (maybe due to jq)
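The first option from the comment above, stripping only the trailing NUL padding before the file reaches jq, sketched as POSIX shell. This is an added example, not code from systemd, mkosi or the bug report; the function names `payload_len` and `strip_trailing_nul` and the file name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: remove trailing NUL padding from a file before handing it
# to jq. NUL bytes that sit before the last non-NUL byte are kept, so input
# with embedded NULs still reaches jq unchanged and is still rejected there.

# Print the number of bytes in "$1" up to and including the last non-NUL
# byte (0 for an empty or all-NUL file).
payload_len() {
    # od emits one hex pair per byte; tr puts each pair on its own line.
    od -An -v -tx1 "$1" | tr -s ' \n' '\n' | awk '
        NF { n++; if ($1 != "00") last = n }
        END { print last + 0 }'
}

# Write "$1" to stdout without its trailing NUL padding.
strip_trailing_nul() {
    len=$(payload_len "$1") || return 1
    [ "$len" -gt 0 ] || return 0
    head -c "$len" "$1"
}

# Usage (hypothetical file name, assumes jq is installed):
#   strip_trailing_nul /usr/share/example.verity.sig | jq .
```

A blanket `tr -d '\0'` would also delete embedded NUL bytes, which is exactly the input the comment says should stay rejected.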
