[Bug 1968260] Re: [UBUNTU 20.04] genprotimg fails to process z15 host key documents after April 2022 (s390-tools)

Frank Heimes 1968260 at bugs.launchpad.net
Fri Apr 8 06:39:00 UTC 2022 

** Package changed: linux (Ubuntu) => s390-tools (Ubuntu)

** Also affects: ubuntu-z-systems
   Importance: Undecided
       Status: New

** Changed in: ubuntu-z-systems
     Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)

** Changed in: ubuntu-z-systems
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1968260

Title:
  [UBUNTU 20.04] genprotimg fails to process z15 host key documents
  after April 2022 (s390-tools)

Status in Ubuntu on IBM z Systems:
  New
Status in s390-tools package in Ubuntu:
  New

Bug description:
  == Comment: #0 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 08:55:11 ==
  DigiCert is the CA issuing the signing certificate for Secure Execution host key documents. This certificate is used for the verification of the host key document validity. Recently, DigiCert has changed the root CA certificate used for issuance of the signing certificates.
  As genprotimg is checking the CA serial, the verification of the chain of trust will fail. As a workaround, it is possible to disable certificate verification, but this is not recommended because it makes it easier to provide a fake host key document.
  Since the previously issued host key documents are expiring in April 2022, it is necessary to fix genprotimg to accept the newly issued host key documents.
   
  Contact Information = Viktor Mihajlovski <mihajlov at de.ibm.com>

  == Comment: #2 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 08:57:47 ==
  Fixed by:

  https://github.com/ibm-s390-linux/s390-tools

  commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d
  Author: Marc Hartmayer <mhartmay at linux.ibm.com>
  Date:   Thu Mar 31 14:00:31 2022 +0000

      genprotimg: remove DigiCert root CA pinning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1968260/+subscriptions

More information about the foundations-bugs mailing list