sbattach --detach failures with 6.18

Bug #2137746 reported by Dan Bungert
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux-meta (Ubuntu) | New | Undecided | Paolo Pisati | |
| sbsigntool (Ubuntu) | New | Undecided | Unassigned | |

Bug Description

Ubuntu Resolute install ISOs are starting to fail a promotion step, due to test failures related to sbattach / sbverify. Promotion here means that we take a built ISO, see if it passes some integration tests, and if so, allow it to be considered the "current" ISO on cdimage.

The test failure is related to kernel signatures, and has regressed with the 6.18 upload.

That failing test can be found here - https://git.launchpad.net/utah/tree/utah/isotest/iso_static_validation.py#n562

I have extracted the logic from that test into a standalone script that can be used against vmlinuz files directly, without the additional challenge of needing a full UTAH setup. See attached. It needs a little configuration - see the things marked FIXME.

The last passing ISO logfile can be found here - https://ubuntu-archive-team.ubuntu.com/cd-build-logs/ubuntu-server/resolute/daily-live-20251219.log - as built on December 19th, 2025.

The first failing ISO logfile can be found here - https://ubuntu-archive-team.ubuntu.com/cd-build-logs/ubuntu-server/resolute/daily-live-20251220.log - as built on December 20th, 2025.

This Dec-20th logfile is the first one to pick up kernel 6.18.

The failure in question looks like:

```
08:46:53 ERROR: test_efi_secure_boot_signatures (__main__.TestValidateISO)
08:46:53 ERROR: Traceback (most recent call last):
08:46:53 File "/usr/lib/python3.10/unittest/case.py", line 59, in testPartExecutor
08:46:53 yield
08:46:53 File "/usr/lib/python3.10/unittest/case.py", line 591, in run
08:46:53 self._callTestMethod(testMethod)
08:46:53 File "/usr/lib/python3.10/unittest/case.py", line 549, in _callTestMethod
08:46:53 method()
08:46:53 File "/usr/share/utah/isotest/iso_static_validation.py", line 629, in test_efi_secure_boot_signatures
08:46:53 self.assertEqual(stderr, '')
08:46:53 AssertionError: 'warning: data remaining[16721800 vs 17160[34 chars]s?\n' != ''
08:46:53 - warning: data remaining[16721800 vs 17160264]: gaps between PE/COFF sections?
```

If you use my attached script and point it at kernels 6.17 and 6.18, you will see the `sbattach --detach` pass for 6.17 and fail for 6.18.

Dan Bungert (dbungert) wrote :
summary: - sbattach / sbverify failures with 6.18
+ sbattach --detach failures with 6.18
Skia (skia)
tags: added: iso-testing
tags: added: kernel-daily-bug
Frank Heimes (fheimes) wrote :

fyi

Starting with kernel 6.18 I see secureboot problems (likely also due to signature) on s390x - these again do not exist on a kernel 6.17.
However, s390x is not a UEFI platform, but the issue with the signatures can be a more general issue, not limited to UEFI platforms.

Paolo Pisati (p-pisati) wrote :

The reproducer in #1 is looking for "canonical-master-signing-public-chain.pem" in the qa-regression-testing repo, but there's no such file: what am I missing?

Skia (skia) wrote :

You need to `make` in `qa-regression-testing/notes_testing/bootloaders/keys`

Paolo Pisati (p-pisati) wrote :

the warning is harmless:

```
ubuntu@amd64-secureboot-testing:~$ sudo sbverify --list --cert keys/canonical-master-signing-public-chain.pem /boot/vmlinuz-6.18.0-8-generic
warning: data remaining[16721800 vs 17160264]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2022 v1)
   issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority

ubuntu@amd64-secureboot-testing:~$ sudo sbverify --cert keys/canonical-master-signing-public-chain.pem /boot/vmlinuz-6.18.0-8-generic
warning: data remaining[16721800 vs 17160264]: gaps between PE/COFF sections?
Signature verification OK
```

the important piece is `Signature verification OK`, and that is correct

Changed in linux-meta (Ubuntu):
assignee: nobody → Paolo Pisati (p-pisati)
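
To see where the two byte counts in a `data remaining` warning can diverge, the following added example (not part of the bug report and not sbsigntool's code) walks a PE/COFF image's headers and section table and compares the bytes they account for with the file size. It assumes the warning compares headers plus section raw data plus certificate table against total file size; `pe_coverage` and `build_sample` are hypothetical names, and the sample image is constructed rather than taken from a kernel.

```python
import struct

def pe_coverage(data: bytes) -> dict:
    """Account for header, section and certificate-table bytes against file size."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    hdr_size, = struct.unpack_from("<I", data, opt + 60)  # SizeOfHeaders
    dirs = opt + (96 if magic == 0x10B else 112)          # data directories
    ndirs, = struct.unpack_from("<I", data, dirs - 4)     # NumberOfRvaAndSizes
    # Directory entry 4 is the certificate table: (file offset, size).
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 32) if ndirs > 4 else (0, 0)
    sections = []
    for i in range(nsect):
        name, raw_size, raw_ptr = struct.unpack_from("<8s8xII", data, opt + opt_size + 40 * i)
        if raw_size:
            sections.append((raw_ptr, raw_size, name.rstrip(b"\0").decode("latin-1")))
    accounted, end, gaps = hdr_size, hdr_size, []
    for raw_ptr, raw_size, _ in sorted(sections):
        if raw_ptr > end:
            gaps.append((end, raw_ptr))                   # hole before this section
        accounted += raw_size
        end = max(end, raw_ptr + raw_size)
    image_end = cert_off if cert_size else len(data)
    if image_end > end:
        gaps.append((end, image_end))                     # bytes after the last section
    return {"accounted": accounted + cert_size, "file_size": len(data),
            "gaps": gaps, "sections": [s[2] for s in sorted(sections)]}

def build_sample(trailing: int) -> bytes:
    """Constructed PE32+ image: 0x200 header bytes, one 0x200-byte section, stray tail."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 1)                  # NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 240)                # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x58, 0x20B)              # PE32+ magic
    struct.pack_into("<I", hdr, 0x58 + 60, 0x200)         # SizeOfHeaders
    struct.pack_into("<I", hdr, 0x58 + 108, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<8s8xII", hdr, 0x58 + 240, b".text", 0x200, 0x200)
    return bytes(hdr) + b"\x90" * 0x200 + b"\0" * trailing
```

Running `pe_coverage(open(path, "rb").read())` on an uncompressed PE/COFF kernel image lists each unaccounted byte range in `gaps`, which shows whether the difference sits between sections or after the last one.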