[Bug 1474541] Please test proposed package

Steve Langasek steve.langasek at canonical.com
Wed Jun 8 05:04:44 UTC 2016 

Hello Steve, or anyone else affected,

Accepted sbsigntool into precise-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu4~12.04.2 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1474541

Title:
  sbsigntool broken by update to openssl 1.0.2c

Status in openssl package in Ubuntu:
  Invalid
Status in sbsigntool package in Ubuntu:
  Fix Released
Status in openssl source package in Precise:
  Invalid
Status in sbsigntool source package in Precise:
  Fix Committed
Status in openssl source package in Trusty:
  Invalid
Status in sbsigntool source package in Trusty:
  Fix Committed
Status in openssl source package in Wily:
  Invalid
Status in sbsigntool source package in Wily:
  Fix Released

Bug description:
  [Impact]
  Validating signature using sbsigntool for EFI binaries on Precise and Trusty.

  [Test case]
  1) pull-lp-source shim-signed
  2) sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed

  [Regression potential]
  Complex signing scenarios may pass validation when they should not due to the unavailability of the issuer cert; but I can't think of a specific case where this might happen.

  ---

  An upload of shim-signed with no source changes is now failing to
  build in wily, because sbverify fails:

    sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
    warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
    PKCS7 verification failed
    139919811188368:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:328:Verify error:unable to get issuer certificate
    Signature verification failed

  (https://launchpad.net/ubuntu/+source/shim-signed/1.10/+build/7652431)

  The package builds successfully on vivid but fails on wily.
  sbsigntool has not changed since vivid.  Upgrading to the wily version
  of libssl1.0.0 in a vivid chroot reproduces the failure.

  I'm not sure if this is a regression in libssl1.0.0 or a bug in
  sbsigntool.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1474541/+subscriptions

More information about the foundations-bugs mailing list