[Bug 1234649] Re: UEFI shim verification against microsoft-uefica-public.pem fails with 20131003 saucy images
Launchpad Bug Tracker
1234649 at bugs.launchpad.net
Tue Jul 12 06:32:09 UTC 2016
This bug was fixed in the package sbsigntool - 0.6-0ubuntu4~12.04.2
---------------
sbsigntool (0.6-0ubuntu4~12.04.2) precise; urgency=medium
* debian/patches/0001-Support-openssl-1.0.2b-and-above.patch: handle the
case where we can't get the issuer certificate, which typically happens
after 1.0.2b; but it appears that 1.0.1f includes that check too, which
fails in sbsigntool. (LP: #1474541)
* debian/patches/ignore-certificate-expiries.patch: ignore certificate
expiries when verifying signatures. (LP: #1234649)
-- Mathieu Trudel-Lapierre <cyphermox at ubuntu.com> Tue, 24 May 2016
14:41:24 -0400
** Changed in: sbsigntool (Ubuntu Precise)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1234649
Title:
UEFI shim verification against microsoft-uefica-public.pem fails with
20131003 saucy images
Status in sbsigntool package in Ubuntu:
Fix Released
Status in sbsigntool source package in Precise:
Fix Released
Status in sbsigntool source package in Quantal:
Won't Fix
Status in sbsigntool source package in Raring:
Won't Fix
Bug description:
[Impact]
Validating signature using sbsigntool for EFI binaries on Precise.
[Test case]
1) pull-lp-source shim-signed
2) sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
[Regression potential]
This is dependent on the date of the system being correct -- wrong date may cause an unexpected success or failure of the test case.
---
UEFI shim verification fails (PKCS7 verification failed) with the images of 20131003 against the microsoft-uefica-public. keys present in
http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/files/head:/notes_testing/secure-boot/keys/
The following is the failure results (http://bazaar.launchpad.net/~utah/utah/dev/view/head:/utah/isotest/iso_static_validation.py)
DEBUG: Using iso at: /tmp/utah-saucy-server-amd64.iso
INFO: Preparing image: /tmp/utah-saucy-server-amd64.iso
INFO: /tmp/utah-saucy-server-amd64.iso is locally available as /tmp/utah-saucy-server-amd64.iso
INFO: Getting image type of /tmp/utah-saucy-server-amd64.iso
DEBUG: bsdtar list command: bsdtar -t -f /tmp/utah-saucy-server-amd64.iso
INFO: Image type is: server
DEBUG: Using normal image
DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-server-amd64.iso ./.disk/info
DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-server-amd64.iso -O .disk/info
INFO: Arch is: amd64
INFO: Series is saucy
DEBUG: Standard name for this iso is: saucy-server-amd64.iso
DEBUG: Generating verification certificates
DEBUG: Extracting UEFI boot and kernel images
DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-server-amd64.iso ./EFI/BOOT/BOOTx64.EFI
DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-server-amd64.iso -O EFI/BOOT/BOOTx64.EFI
DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-server-amd64.iso ./EFI/BOOT/grubx64.efi
DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-server-amd64.iso -O EFI/BOOT/grubx64.efi
DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-server-amd64.iso ./install/vmlinuz
DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-server-amd64.iso -O install/vmlinuz
DEBUG: Verifying UEFI shim
ERROR: test_efi_secure_boot_signatures (__main__.TestValidateISO)
ERROR: Traceback (most recent call last):
File "/usr/lib/python2.7/unittest/case.py", line 327, in run
testMethod()
File "/usr/share/utah/isotest/iso_static_validation.py", line 481, in test_efi_secure_boot_signatures
self.assertEqual(stdout, 'Signature verification OK\n')
File "/usr/lib/python2.7/unittest/case.py", line 511, in assertEqual
assertion_func(first, second, msg=msg)
File "/usr/lib/python2.7/unittest/case.py", line 504, in _baseAssertEqual
raise self.failureException(msg)
AssertionError: 'PKCS7 verification failed\nSignature verification failed\n' != 'Signature verification OK\n'
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1234649/+subscriptions
More information about the foundations-bugs
mailing list