fwupd daemon failed to verify firmware signature
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OEM Priority Project |
Fix Released
|
Critical
|
Yuan-Chen Cheng | ||
fwupd (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Focal |
Invalid
|
Undecided
|
Unassigned | ||
Impish |
Invalid
|
Undecided
|
Unassigned | ||
Jammy |
Invalid
|
Undecided
|
Unassigned | ||
libjcat (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Impish |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
We are going to SRU fwupd 1.7.5 to impish and focal to fix bug LP: #1949412. With update fwupd, the default config set OnlyTrusted=true
With that, we need update libjcat.
[Impact]
need to update libjcat so the recent firmware from lvfs could be installed
by fwupd.
[Test Plan]
Will use fwupd SRU exception test plan to do those testing.
IHV vendor will also contribute by testing recent firmware that
can't be install without upgrade libjcat.
[Where problems could occur]
fwupd will crash, signature verification will failed and the can't
install firmware from LVFS.
Given the test plan in the SRU exception document, plus IHV testing,
I think those shall be fine.
[Other Info]
SRU exception page: https:/
There are several commits between 0.1.3 (current one in focal)
and 0.1.4 (the target version for this SRU).
Those non-trivial commits between 0.1.3 and 0.1.4 are:
https:/
https:/
Given they are clean and clear, I think SRU those shall be fine.
Also, note per:
https:/
We do need updated libjcat to support new firmware from LVFS.
----
The firmware blobs in cabinet archive are presently LVFS signed with gpg and pkcs7, if libjcat at compilation time without one then the blobs signed with both can't be verified.
The impact is fwupd daemon will fail the firmware install immediately because OnlyTrusted=true is defaulted (in fwupd 1.7.x) to verify the signature for the daemon.
We need uprev libjcat at least 0.1.4 onward to fix this issue.
Issue is reproducible with fwupd 1.7.4
-> https:/
$ fwupdmgr --version
client version: 1.7.4
compile-time dependency versions
gusb: 0.3.4
daemon version: 1.7.4
$ dpkg -l | grep libjcat
ii libjcat1:amd64 0.1.3-2 amd64 JSON catalog library
tags: | added: oem-priority |
description: | updated |
Changed in oem-priority: | |
assignee: | nobody → Yuan-Chen Cheng (ycheng-twn) |
importance: | Undecided → Critical |
tags: | added: focal |
Changed in fwupd (Ubuntu Jammy): | |
status: | New → Fix Released |
Changed in libjcat (Ubuntu Jammy): | |
status: | New → Fix Released |
Changed in libjcat (Ubuntu Impish): | |
status: | New → Triaged |
Changed in libjcat (Ubuntu Focal): | |
status: | New → Triaged |
Changed in fwupd (Ubuntu Impish): | |
status: | New → Triaged |
Changed in fwupd (Ubuntu Focal): | |
status: | New → Triaged |
Changed in fwupd (Ubuntu Focal): | |
status: | Triaged → Invalid |
Changed in fwupd (Ubuntu Impish): | |
status: | Triaged → Invalid |
Changed in fwupd (Ubuntu Jammy): | |
status: | Fix Released → Invalid |
description: | updated |
description: | updated |
description: | updated |
Changed in oem-priority: | |
status: | Triaged → In Progress |
description: | updated |
description: | updated |
summary: |
- fwupd daemon failed verifying firmware signature + fwupd daemon failed to verify firmware signature |
description: | updated |
Changed in oem-priority: | |
status: | In Progress → Fix Committed |
Changed in oem-priority: | |
status: | Fix Committed → Fix Released |
I use WD19SC to upgrade its firmware, and it works fine.
I use fwupd 1.7.5 from this ppa: https:/ /launchpad. net/~ycheng- twn/+archive/ ubuntu/ fwupd175- 3-2
I didn't upgrade libjcat and it also works fine.
Use get-releases, the cab used is https:/ /fwupd. org/downloads/ 4e3f12fc1901c05 790ab17ff2223a7 9631477aa879794 98874c4c262cfaf c144-WD19Firmwa reUpdateLinux_ 01.00.21. cab
use gcab -x XXX.cab, there is firmware.jcat inside.