Verifying existing binaries with new sbsigntool:
# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/fwupdate-amd64/current/fwupx64.efi.signed
# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/fwupdate-amd64/current/control/uefi.crt
# sbverify --cert ./uefi.crt ./fwupx64.efi.signed
warning: data remaining[63352 vs 71400]: gaps between PE/COFF sections?
Signature verification OK
# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/fwupdate-i386/current/fwupia32.efi.signed
# sbverify --cert ./uefi.crt ./fwupia32.efi.signed
warning: data remaining[54648 vs 63512]: gaps between PE/COFF sections?
Signature verification OK
# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/signed/linux-amd64/current/signed.tar.gz -O linux-signed.tar.gz
# tar xvf linux-signed.tar.gz
# sbverify --cert uefi.crt 4.15.0-20.21/vmlinuz-4.15.0-20-generic.efi.signed
warning: data remaining[8249064 vs 8249080]: gaps between PE/COFF sections?
Signature verification OK
# sbverify --cert uefi.crt 4.15.0-20.21/vmlinuz-4.15.0-20-lowlatency.efi.signed
warning: data remaining[8298216 vs 8298232]: gaps between PE/COFF sections?
Signature verification OK
# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/grub2-amd64/current/grubx64.efi.signed
# sbverify --cert uefi.crt grubx64.efi.signed
Signature verification OK
# wget http://ports.ubuntu.com/dists/bionic/main/uefi/grub2-arm64/current/grubaa64.efi.signed
# sbverify --cert uefi.crt ./grubaa64.efi.signed
Signature verification OK
All existing bionic signatures validate correctly. Thus the problem is really induced by gaps/ordering of the .sbat & .data sections, on arm64 with the very new sbat-capable binaries.
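
An added example, not part of the bug comment and not sbsigntool's code: a small check that reads a PE/COFF section table and reports the layout properties the conclusion above points at (section order in the file, gaps between sections, bytes past the last section). It does not reproduce how sbverify computes its "data remaining" warning; the function names and the sample image are constructed for illustration.

```python
import struct

def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] in section-table order."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count, = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    secs = []
    for i in range(count):
        name, _vs, _va, size, off = struct.unpack_from("<8sIIII", data, table + 40 * i)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), off, size))
    return secs

def layout_findings(data):
    """Flag out-of-order sections, gaps, overlaps and bytes past the last section."""
    secs = [s for s in pe_sections(data) if s[2]]  # ignore sections with no raw data
    findings = []
    for (a, a_off, _), (b, b_off, _) in zip(secs, secs[1:]):
        if b_off < a_off:
            findings.append(f"order: {b} is listed after {a} but stored before it")
    end = None
    for name, off, size in sorted(secs, key=lambda s: s[1]):
        if end is not None and off > end:
            findings.append(f"gap: {off - end} bytes before {name}")
        elif end is not None and off < end:
            findings.append(f"overlap: {name} starts {end - off} bytes early")
        end = max(end or 0, off + size)
    if end is not None and len(data) > end:  # a signed image keeps its signature table here
        findings.append(f"trailing: {len(data) - end} bytes after last section")
    return findings

def build_sample(sections, total):
    """Constructed test image: DOS stub, PE header, no optional header."""
    img = bytearray(total)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0xAA64, len(sections))  # arm64 machine type
    for i, (name, off, size) in enumerate(sections):
        struct.pack_into("<8sIIII", img, 0x58 + 40 * i, name, size, 0x1000 * (i + 1), size, off)
    return bytes(img)

# Constructed sample: .sbat is listed after .data but stored before it, leaving a gap.
SAMPLE = build_sample([(b".text", 0x200, 0x200), (b".data", 0x600, 0x200),
                       (b".sbat", 0x400, 0x100)], 0x810)
```

To inspect a real image, pass the file's bytes to `layout_findings()`.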