ARM64 signed linux-images packages have arbitrary timestamp
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-signed (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
ARM64 signed linux-images packages encode arbitrary timestamp
$ file /boot/vmlinuz-
/boot/vmlinuz-
Note that the original filename and timestamp are encoded in the gzip content header, which is not reproducible and not roundtrip safe. This makes it difficult to do the gymnastics of converting linux-unsigned to linux-signed to kernel.efi and back while preserving the same checksum or HMAC of the file, as needed by FIPS, or just out of pure curiosity to confirm that the kernel image is the same across all image formats we ship.
The fix is to use the -n (--no-name) option of gzip to compress the file without the filename or timestamp.
$ file linux-image/
/boot/vmlinuz-
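As an added example (not from the bug report or the linux-signed packaging), the following Python parses the RFC 1952 gzip header fields the report is talking about, MTIME and the original-filename field, and rewrites a stream into the form `gzip -n` produces, so that two compressions of the same kernel image made with different names or timestamps compare byte-for-byte equal. The sample payload in the test is constructed, not a real image.

```python
import gzip
import io
import struct

# FLG bits from RFC 1952
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10

def parse_gzip_header(data: bytes) -> dict:
    """Return MTIME, the optional original filename (FNAME) and the header length."""
    if data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip/deflate stream")
    flags = data[3]
    mtime = struct.unpack("<I", data[4:8])[0]
    pos = 10                                    # fixed 10-byte part of the header
    if flags & FEXTRA:
        pos += 2 + struct.unpack("<H", data[pos:pos + 2])[0]
    name = None
    if flags & FNAME:                           # zero-terminated latin-1 name
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("latin-1")
        pos = end + 1
    if flags & FCOMMENT:
        pos = data.index(b"\x00", pos) + 1
    if flags & FHCRC:
        pos += 2
    return {"mtime": mtime, "name": name, "header_len": pos}

def normalize_gzip(data: bytes) -> bytes:
    """Rewrite the header as `gzip -n` would have written it: MTIME=0, no
    FNAME/FCOMMENT (FHCRC is dropped too, since the header changes). The
    deflate payload and the CRC32/ISIZE trailer are untouched."""
    hdr = parse_gzip_header(data)
    flags = data[3] & ~(FNAME | FCOMMENT | FHCRC)
    head = data[:3] + bytes([flags]) + b"\x00\x00\x00\x00" + data[8:10]
    if flags & FEXTRA:                          # keep any FEXTRA block verbatim
        xlen = struct.unpack("<H", data[10:12])[0]
        head += data[10:12 + xlen]
    return head + data[hdr["header_len"]:]

def compress_like_gzip(payload: bytes, name: str, mtime: int) -> bytes:
    """Emulate `gzip` on a file called `name` with the given mtime; pass
    name="" and mtime=0 to get the `gzip -n` form."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf, mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()
```

On a real image, `parse_gzip_header(open(path, "rb").read())` reports the same name and timestamp that `file` prints as "was ..., last modified: ...", and `normalize_gzip` gives the bytes whose checksum can be compared across the unsigned, signed and EFI forms.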
https://lists.ubuntu.com/archives/kernel-team/2023-December/147467.html