sbsigntool broken by update to openssl 1.0.2c

Bug #1474541 reported by Steve Langasek on 2015-07-14
Affects               Importance  Assigned to
sbsigntool (Ubuntu)   High        Steve Langasek
  Precise             High        Mathieu Trudel-Lapierre
  Trusty              High        Mathieu Trudel-Lapierre
  Wily                High        Steve Langasek

Bug Description

[Impact]
Validating signatures using sbsigntool for EFI binaries on Precise and Trusty.

[Test case]
1) pull-lp-source shim-signed
2) sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed

[Regression potential]
Complex signing scenarios may pass validation when they should not due to the unavailability of the issuer cert; but I can't think of a specific case where this might happen.

---

An upload of shim-signed with no source changes is now failing to build in wily, because sbverify fails:

  sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
  warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
  PKCS7 verification failed
  139919811188368:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:328:Verify error:unable to get issuer certificate
  Signature verification failed

(https://launchpad.net/ubuntu/+source/shim-signed/1.10/+build/7652431)

The package builds successfully on vivid but fails on wily. sbsigntool has not changed since vivid. Upgrading to the wily version of libssl1.0.0 in a vivid chroot reproduces the failure.

I'm not sure if this is a regression in libssl1.0.0 or a bug in sbsigntool.

Steve Langasek (vorlon) wrote :

The last successful build in wily was with 1.0.2a-1ubuntu1 (https://launchpad.net/ubuntu/+source/shim-signed/1.9/+build/7518442).

Changed in openssl (Ubuntu):
importance: Undecided → High
Changed in sbsigntool (Ubuntu):
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

The issue is caused by the alternate certificate chain support introduced in 1.0.2b returning a slightly different error.

Steve Langasek (vorlon) on 2015-07-15
Changed in openssl (Ubuntu Wily):
status: New → Invalid
Changed in sbsigntool (Ubuntu Wily):
status: New → In Progress
assignee: nobody → Steve Langasek (vorlon)
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.6-0ubuntu8

---------------
sbsigntool (0.6-0ubuntu8) wily; urgency=medium

  * debian/patches/0001-Support-openssl-1.0.2b-and-above.patch: [PATCH]
    Support openssl 1.0.2b and above. Thanks to Marc Deslauriers
    <email address hidden>. LP: #1474541.

 -- Steve Langasek <email address hidden> Wed, 15 Jul 2015 08:57:46 -0700

Changed in sbsigntool (Ubuntu Wily):
status: In Progress → Fix Released
Changed in sbsigntool (Ubuntu Trusty):
status: New → In Progress
Changed in sbsigntool (Ubuntu Precise):
status: New → In Progress
description: updated
Changed in openssl (Ubuntu Precise):
status: New → Invalid
Changed in openssl (Ubuntu Trusty):
status: New → Invalid
Changed in sbsigntool (Ubuntu Precise):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in sbsigntool (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in sbsigntool (Ubuntu Precise):
importance: Undecided → High
Changed in sbsigntool (Ubuntu Trusty):
importance: Undecided → High

Hello Steve, or anyone else affected,

Accepted sbsigntool into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu7.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sbsigntool (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in sbsigntool (Ubuntu Precise):
status: In Progress → Fix Committed
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted sbsigntool into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu4~12.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

no longer affects: openssl (Ubuntu)
no longer affects: openssl (Ubuntu Wily)
no longer affects: openssl (Ubuntu Trusty)
no longer affects: openssl (Ubuntu Precise)

Verified sbsigntool on *precise*; sbsigntool builds and the utilities work correctly.

tags: added: verification-done-precise

Verified sbsigntool for *trusty* as well; all looks good.

tags: added: verification-done verification-done-trusty
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.6-0ubuntu4~12.04.2

---------------
sbsigntool (0.6-0ubuntu4~12.04.2) precise; urgency=medium

  * debian/patches/0001-Support-openssl-1.0.2b-and-above.patch: handle the
    case where we can't get the issuer certificate, which typically happens
    after 1.0.2b; but it appears that 1.0.1f includes that check too, which
    fails in sbsigntool. (LP: #1474541)
  * debian/patches/ignore-certificate-expiries.patch: ignore certificate
    expiries when verifying signatures. (LP: #1234649)

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 24 May 2016 14:41:24 -0400

Changed in sbsigntool (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for sbsigntool has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.6-0ubuntu7.2

---------------
sbsigntool (0.6-0ubuntu7.2) trusty; urgency=medium

  * debian/patches/0001-Support-openssl-1.0.2b-and-above.patch: handle the
    case where we can't get the issuer certificate, which typically happens
    after 1.0.2b; but it appears that 1.0.1f includes that check too, which
    fails in sbsigntool. (LP: #1474541)

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 24 May 2016 14:24:45 -0400

Changed in sbsigntool (Ubuntu Trusty):
status: Fix Committed → Fix Released