openssl 1.0.2e breaks sbsigntool

Bug #1526959 reported by Mathieu Trudel-Lapierre on 2015-12-16
Affects: openssl (Ubuntu) | Importance: Undecided | Assigned to: Marc Deslauriers
Affects: sbsigntool (Ubuntu) | Importance: Undecided | Assigned to: Mathieu Trudel-Lapierre

Bug Description

Looks like sbsigntool now fails again to verify signed EFI binaries against a valid cert (and the signature is known to be valid). Reverting to 1.0.2d-0ubuntu2 lets it work again:

[15:40:30] mtrudel@moloch:~u/shim-signed-1.12 $ sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
PKCS7 verification failed
140048473532048:error:21075076:PKCS7 routines:PKCS7_verify:content and data present:pk7_smime.c:280:
Signature verification failed
[15:50:03] mtrudel@moloch:~u/shim-signed-1.12 $ sudo dpkg -i ../openssl_1.0.2d-0ubuntu2_amd64.deb ../libssl1.0.0_1.0.2d-0ubuntu2_amd64.deb
dpkg : avertissement : dégradation (« downgrade ») de openssl depuis 1.0.2e-1ubuntu1 vers 1.0.2d-0ubuntu2
(Lecture de la base de données... 291770 fichiers et répertoires déjà installés.)
Préparation du dépaquetage de .../openssl_1.0.2d-0ubuntu2_amd64.deb ...
Dépaquetage de openssl (1.0.2d-0ubuntu2) sur (1.0.2e-1ubuntu1) ...
dpkg : avertissement : dégradation (« downgrade ») de libssl1.0.0:amd64 depuis 1.0.2e-1ubuntu1 vers 1.0.2d-0ubuntu2
Préparation du dépaquetage de .../libssl1.0.0_1.0.2d-0ubuntu2_amd64.deb ...
Dépaquetage de libssl1.0.0:amd64 (1.0.2d-0ubuntu2) sur (1.0.2e-1ubuntu1) ...
Paramétrage de libssl1.0.0:amd64 (1.0.2d-0ubuntu2) ...
Paramétrage de openssl (1.0.2d-0ubuntu2) ...
Traitement des actions différées (« triggers ») pour man-db (2.7.5-1) ...
Traitement des actions différées (« triggers ») pour libc-bin (2.21-0ubuntu5) ...
[15:50:18] mtrudel@moloch:~u/shim-signed-1.12 $ sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
Signature verification OK

We've hit a similar issue in the past; in lieu of sbsigntool/0.6-0ubuntu8: http://launchpadlibrarian.net/211726228/sbsigntool_0.6-0ubuntu7_0.6-0ubuntu8.diff.gz

Assigning the openssl task to mdeslaur; we've discussed this issue on IRC.

Changed in openssl (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in sbsigntool (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in sbsigntool (Ubuntu):
status: New → In Progress
Changed in openssl (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package sbsigntool - 0.6-0ubuntu10

---------------
sbsigntool (0.6-0ubuntu10) xenial; urgency=medium

  * debian/patches/sbverify_clear_out_cert_content.patch: clear out the
    contents part of the certificate we're building for signature verification
    from the EFI binary, in sbverify; OpenSSL 1.0.2e now enforces that there
    isn't data and content sections together. Thanks to Marc Deslauriers for
    help investigating this. (LP: #1526959)

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 17 Dec 2015 14:55:09 -0500

Changed in sbsigntool (Ubuntu):
status: In Progress → Fix Released
Changed in openssl (Ubuntu):
status: Incomplete → Invalid