Ubuntu
fwupd package

fwupd daemon failed to verify firmware signature

Bug #1961864 reported by Crag Wang
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OEM Priority Project
Fix Released
Critical
Yuan-Chen Cheng
fwupd (Ubuntu)
Invalid
Undecided
Unassigned
Focal
Invalid
Undecided
Unassigned
Impish
Invalid
Undecided
Unassigned
Jammy
Invalid
Undecided
Unassigned
libjcat (Ubuntu)
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Impish
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned

Bug Description

We are going to SRU fwupd 1.7.5 to impish and focal to fix bug LP: #1949412. With update fwupd, the default config set OnlyTrusted=true
With that, we need update libjcat.

[Impact]

need to update libjcat so the recent firmware from lvfs could be installed
by fwupd.

[Test Plan]
Will use fwupd SRU exception test plan to do those testing.
IHV vendor will also contribute by testing recent firmware that
can't be install without upgrade libjcat.

[Where problems could occur]
fwupd will crash, signature verification will failed and the can't
install firmware from LVFS.

Given the test plan in the SRU exception document, plus IHV testing,
I think those shall be fine.

[Other Info]
SRU exception page: https://wiki.ubuntu.com/firmware-updates
There are several commits between 0.1.3 (current one in focal)
and 0.1.4 (the target version for this SRU).
Those non-trivial commits between 0.1.3 and 0.1.4 are:

https://github.com/hughsie/libjcat/commit/109399e1f28cec84b43c355b2be77bac38943df7
https://github.com/hughsie/libjcat/commit/583df67e3ee25201f1e1830ae6d92bf846c082a3

Given they are clean and clear, I think SRU those shall be fine.

Also, note per:

https://github.com/fwupd/fwupd/commit/7157ca79e4d6b13d82b0a21f8586b86be0cbb80e

We do need updated libjcat to support new firmware from LVFS.

----

The firmware blobs in cabinet archive are presently LVFS signed with gpg and pkcs7, if libjcat at compilation time without one then the blobs signed with both can't be verified.

The impact is fwupd daemon will fail the firmware install immediately because OnlyTrusted=true is defaulted (in fwupd 1.7.x) to verify the signature for the daemon.

We need uprev libjcat at least 0.1.4 onward to fix this issue.

Issue is reproducible with fwupd 1.7.4
-> https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd174

$ fwupdmgr --version
client version: 1.7.4
compile-time dependency versions
 gusb: 0.3.4

daemon version: 1.7.4

$ dpkg -l | grep libjcat
ii libjcat1:amd64 0.1.3-2 amd64 JSON catalog library

See original description
Yuan-Chen Cheng (ycheng-twn)
tags: added: oem-priority
Yuan-Chen Cheng (ycheng-twn)
description: updated
Yuan-Chen Cheng (ycheng-twn)
Changed in oem-priority:
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
importance: Undecided → Critical
Yuan-Chen Cheng (ycheng-twn)
tags: added: focal
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

I use WD19SC to upgrade its firmware, and it works fine.

I use fwupd 1.7.5 from this ppa: https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd175-3-2
I didn't upgrade libjcat and it also works fine.

Use get-releases, the cab used is https://fwupd.org/downloads/4e3f12fc1901c05790ab17ff2223a79631477aa87979498874c4c262cfafc144-WD19FirmwareUpdateLinux_01.00.21.cab

use gcab -x XXX.cab, there is firmware.jcat inside.

Changed in oem-priority:
status: New → Triaged
Revision history for this message
Crag Wang (crag-wang) wrote :
Download full text (3.3 KiB)

Can you please paste your output from running below?
$ gcab -x 4e3f12fc1901c05790ab17ff2223a79631477aa87979498874c4c262cfafc144-WD19FirmwareUpdateLinux_01.00.21.cab
$ jcat-tool verify ./firmware.jcat --public-keys /etc/pki/fwupd

package.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
ec.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
vmm5331.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5413.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5487.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
titanridge.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
package.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
ec.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
vmm5331.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5413.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5487.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
titanridge.metainfo.xml:
    FAILED sha1: verifying data is n...

Read more...

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :
Download full text (3.3 KiB)

On the machine that test passed for WD19, the output is:

# jcat-tool verify ./firmware.jcat --public-keys /etc/pki/fwupd
package.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
ec.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
vmm5331.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5413.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5487.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
titanridge.bin:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
package.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
ec.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
vmm5331.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5413.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
rts5487.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
    FAILED: Validation failed
titanridge.metainfo.xml:
    FAILED sha1: verifying data is not supported
    FAILED sha256: verifying data is not supported
    PASSED pkcs7: O=Linux Vendor Firmware Pr...

Read more...

Mario Limonciello (superm1)
Changed in fwupd (Ubuntu Jammy):
status: New → Fix Released
Changed in libjcat (Ubuntu Jammy):
status: New → Fix Released
Changed in libjcat (Ubuntu Impish):
status: New → Triaged
Changed in libjcat (Ubuntu Focal):
status: New → Triaged
Changed in fwupd (Ubuntu Impish):
status: New → Triaged
Changed in fwupd (Ubuntu Focal):
status: New → Triaged
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

I don't have enough knowledge on if this is a bug or not. If this is and we should upgrade libjcat, I've build it in ppa and please kindly sponsor to upload it to focal and impish, so we can SRU those with fwupd.

https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd175-3-2-jcat

Revision history for this message
Crag Wang (crag-wang) wrote (last edit ):

With newer libjcat installed from given ppa in comment #4, and restarted the daemon now I can update firmware successfully. Thanks.

$ fwupdmgr --version
runtime org.freedesktop.fwupd 1.7.5
runtime com.dell.libsmbios 2.4
compile org.freedesktop.gusb 0.3.4
runtime org.kernel 5.11.0-49-generic
compile org.freedesktop.fwupd 1.7.5
runtime org.freedesktop.gusb 0.3.5

$ dpkg -l | grep libjcat
ii gir1.2-jcat-1.0:amd64 0.1.9-1~20.04.1
ii libjcat-dev:amd64 0.1.9-1~20.04.1
ii libjcat1:amd64 0.1.9-1~20.04.1

Revision history for this message
Mario Limonciello (superm1) wrote :

IMO ideally you don't want this coupled with the fwupd SRU with certain ordering since Jammy already has 0.1.3. 0.1.4 just fixes a bug in 0.1.3.

So I don't think there is a strong requirement on the order of compilation here, is there? I'd expect just updating libjcat will be enough: https://github.com/fwupd/fwupd/blob/1.7.5/src/fu-engine.c#L4122

In which case the fwupd task should be invalid for this bug and fwupd 1.7.5 SRU can go independently of libjcat SRU.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

https://launchpad.net/~ycheng-twn/+archive/ubuntu/libjcat014/+packages

Jcat 0.1.4 focal ppa for testing

Revision history for this message
Crag Wang (crag-wang) wrote :

It works well with libjcat 0.1.4 from comment #7, we need uprev libjcat as mentioned in the bug description to fulfilling the runtime dependency.

0.1.4 as a minimum version of libjcat is now required by upstream fwupd, details at https://github.com/fwupd/fwupd/commit/7157ca79e4d6b13d82b0a21f8586b86be0cbb80e

Mario Limonciello (superm1)
Changed in fwupd (Ubuntu Focal):
status: Triaged → Invalid
Changed in fwupd (Ubuntu Impish):
status: Triaged → Invalid
Changed in fwupd (Ubuntu Jammy):
status: Fix Released → Invalid
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

libjcat can be de-couple with fwupd SRU. However with the new fwupd, we need libjcat also to be upgraded, or it will fail with new firmware from LVFS.

Yuan-Chen Cheng (ycheng-twn)
description: updated
description: updated
description: updated
Yuan-Chen Cheng (ycheng-twn)
Changed in oem-priority:
status: Triaged → In Progress
description: updated
description: updated
Yuan-Chen Cheng (ycheng-twn)
summary: - fwupd daemon failed verifying firmware signature
+ fwupd daemon failed to verify firmware signature
Yuan-Chen Cheng (ycheng-twn)
description: updated
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Crag, or anyone else affected,

Accepted libjcat into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libjcat/0.1.4-0ubuntu0.21.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libjcat (Ubuntu Impish):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-impish
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Crag, or anyone else affected,

Accepted libjcat into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libjcat/0.1.4-0ubuntu0.20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libjcat (Ubuntu Focal):
status: Triaged → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

per Crag, he install the libjcat and fwupd from the focal-proposed channel and verified that installing fw from lvfs works (which previously failed). Given so, mark verification-done-focal

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Kai-Chuan Hsieh (kchsieh) wrote (last edit ):

Can update firmware successfully with firmware in dell test channel on impish.

https://bugs.launchpad.net/oem-priority/+bug/1949412/comments/44

tags: added: verification-done verification-done-impish
removed: verification-needed verification-needed-impish
Yuan-Chen Cheng (ycheng-twn)
Changed in oem-priority:
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libjcat - 0.1.4-0ubuntu0.21.10.1

---------------
libjcat (0.1.4-0ubuntu0.21.10.1) impish; urgency=medium

  * Don't fail verification if compiled without an engine (LP: #1961864)

 -- Yuan-Chen Cheng <email address hidden> Thu, 24 Feb 2022 08:20:23 +0800

Changed in libjcat (Ubuntu Impish):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for libjcat has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libjcat - 0.1.4-0ubuntu0.20.04.1

---------------
libjcat (0.1.4-0ubuntu0.20.04.1) focal; urgency=medium

  * Don't fail verification if compiled without an engine (LP: #1961864)

 -- Yuan-Chen Cheng <email address hidden> Thu, 24 Feb 2022 08:20:23 +0800

Changed in libjcat (Ubuntu Focal):
status: Fix Committed → Fix Released
Yuan-Chen Cheng (ycheng-twn)
Changed in oem-priority:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.