sbsigntool broken by update to openssl 1.0.2c
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
sbsigntool (Ubuntu) | Fix Released | High | Steve Langasek | |
Precise | Fix Released | High | Mathieu Trudel-Lapierre | |
Trusty | Fix Released | High | Mathieu Trudel-Lapierre | |
Wily | Fix Released | High | Steve Langasek | |
Bug Description
[Impact]
Validating signature using sbsigntool for EFI binaries on Precise and Trusty.
[Test case]
1) pull-lp-source shim-signed
2) sbverify --cert MicCorUEFCA2011
[Regression potential]
Complex signing scenarios may pass validation when they should not due to the unavailability of the issuer cert; but I can't think of a specific case where this might happen.
---
An upload of shim-signed with no source changes is now failing to build in wily, because sbverify fails:
sbverify --cert MicCorUEFCA2011
warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
PKCS7 verification failed
1399198111883
Signature verification failed
(https:/
The package builds successfully on vivid but fails on wily. sbsigntool has not changed since vivid. Upgrading to the wily version of libssl1.0.0 in a vivid chroot reproduces the failure.
I'm not sure if this is a regression in libssl1.0.0 or a bug in sbsigntool.
Changed in openssl (Ubuntu Wily):
status: New → Invalid
Changed in sbsigntool (Ubuntu Wily):
status: New → In Progress
assignee: nobody → Steve Langasek (vorlon)
tags: added: patch
Changed in sbsigntool (Ubuntu Trusty):
status: New → In Progress
Changed in sbsigntool (Ubuntu Precise):
status: New → In Progress
description: updated
Changed in openssl (Ubuntu Precise):
status: New → Invalid
Changed in openssl (Ubuntu Trusty):
status: New → Invalid
Changed in sbsigntool (Ubuntu Precise):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in sbsigntool (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in sbsigntool (Ubuntu Precise):
importance: Undecided → High
Changed in sbsigntool (Ubuntu Trusty):
importance: Undecided → High
no longer affects: openssl (Ubuntu)
no longer affects: openssl (Ubuntu Wily)
no longer affects: openssl (Ubuntu Trusty)
no longer affects: openssl (Ubuntu Precise)
tags: added: verification-done-precise
The last successful build in wily was with 1.0.2a-1ubuntu1 (https://launchpad.net/ubuntu/+source/shim-signed/1.9/+build/7518442).