[Bug 1941888] Re: FFe: sbsigntools 0.9.4

Thomas Ward 1941888 at bugs.launchpad.net
Fri Aug 27 15:21:05 UTC 2021


Diff in bug 1938438 (duplicate of this bug) is okay...ish.  It has some
things that're incorrect or incomplete and need addressed for future
uploads and merges.

(1) Version string should be -2ubuntu1 - this is the FIRST package
revision that is Ubuntu specific based on 0.9.4-2 from Debian.  Refer to
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Preparing_a_patch
which has VERY good tables for version string formatting, this is pretty
much the de facto standard across Ubuntu for version strings.

(2) Incomplete string details in changelog - the sbkeysync patch should
still be referenced with full paths - and descriptor lines ARE allowed
to be multiline so you didn't need to fit it into a single line.

Because I am *obscenely* thorough, I'm building this now currently in my
'junk drawer' PPA which is RISC-enabled just to make sure nothing blows
up there.  Said PPA also inherits -proposed from all releases, which
emulates fairly closely the build environments that'll be present
when/if this gets uploaded.

More to come after that runs, standby...

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1941888

Title:
  FFe: sbsigntools 0.9.4

Status in sbsigntool package in Ubuntu:
  Triaged

Bug description:
  FFe: sbsigntools 0.9.4

  The current sbsigntool-0.9.2-2ubuntu4 package lacks support for the riscv64
  architecture.

  For developing UEFI booting on RISC-V we need these tools.

  Since release 0.9.2 several bugs have been resolved. A major one leads
  to incorrect signatures for EFI binaries.

  0.9.4 brought one additional feature:

  The command sbsign received an additional optional parameter --addcert for
  specifying intermediate certificates.

  I have prepared an upload in my PPA, which builds on all EFI enabled
  architectures including riscv64 and I have tested the package locally
  on riscv64 and amd64 and it works for me. There are no autopackage tests
  available and device certification should test on all relevant
  architectures.

  Please consider a feature freeze exception for sbsigntools 0.9.4.

  sbsigntool 0.9.4-2ubuntu2 is available in ppa:xypron/gnu-efi

  Changelog:

  Version 0.9.4

  * sbsign: allow for adding intermediate certificates
  * sbverify: fix verification with intermediate certificates
  * Tests: Add intermediate certificate tests to the sign-verify cases
  * Fix some openssl 1.1.0 deprecated functions
  * sbvarsign: remove unused global variable
  * sbverify: refer to unused function
  * Fix errors on 32 bit
  * Enable -Werror for builds
  * docs: add man page for sbkeysync

  Version 0.9.3

  * README: update git location and add mailing list information
  * sbvarsign: fix "EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year" assignment
  * Fix PE/COFF checksum calculation

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1941888/+subscriptions



