[Bug 1961864] Re: fwupd daemon failed verifying firmware signature
Yuan-Chen Cheng
1961864 at bugs.launchpad.net
Thu Feb 24 09:14:56 UTC 2022
** Description changed:
+ We are going to SRU fwupd 1.7.5 to impish and focal to fix bug LP: #1949412. With update fwupd, the default config set OnlyTrusted=true
+ With that, we need update libjcat.
+
+
+
The firmware blobs in cabinet archive are presently LVFS signed with gpg
and pkcs7, if libjcat at compilation time without one then the blobs
signed with both can't be verified.
Impact is fwupd daemon will fail the firmware install immediately
because OnlyTrusted=true is defaulted (in fwupd 1.7.x) to verifying the
signature for daemon.
We need uprev libjcat at least 0.1.4 onward to fix this issue.
Issue is reproducible with fwupd 1.7.4
-> https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd174
$ fwupdmgr --version
client version: 1.7.4
compile-time dependency versions
gusb: 0.3.4
daemon version: 1.7.4
$ dpkg -l | grep libjcat
ii libjcat1:amd64 0.1.3-2 amd64 JSON catalog library
** Description changed:
We are going to SRU fwupd 1.7.5 to impish and focal to fix bug LP: #1949412. With update fwupd, the default config set OnlyTrusted=true
With that, we need update libjcat.
+ [Impact]
+ need to update libjcat so the recent firmware from lvfs could be installed
+ by fwupd.
+
+ [Test Plan]
+ Will use fwupd SRU exception test plan to do those testing.
+ IHV vendor will also contribute by testing recent firmware that
+ can't be install without upgrade libjcat.
+
+ []
The firmware blobs in cabinet archive are presently LVFS signed with gpg
and pkcs7, if libjcat at compilation time without one then the blobs
signed with both can't be verified.
Impact is fwupd daemon will fail the firmware install immediately
because OnlyTrusted=true is defaulted (in fwupd 1.7.x) to verifying the
signature for daemon.
We need uprev libjcat at least 0.1.4 onward to fix this issue.
Issue is reproducible with fwupd 1.7.4
-> https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd174
$ fwupdmgr --version
client version: 1.7.4
compile-time dependency versions
gusb: 0.3.4
daemon version: 1.7.4
$ dpkg -l | grep libjcat
ii libjcat1:amd64 0.1.3-2 amd64 JSON catalog library
** Description changed:
We are going to SRU fwupd 1.7.5 to impish and focal to fix bug LP: #1949412. With update fwupd, the default config set OnlyTrusted=true
With that, we need update libjcat.
[Impact]
need to update libjcat so the recent firmware from lvfs could be installed
by fwupd.
[Test Plan]
Will use fwupd SRU exception test plan to do those testing.
IHV vendor will also contribute by testing recent firmware that
can't be install without upgrade libjcat.
- []
+ [Where problems could occur]
+ fwupd will crash, signature verification will failed and the can't
+ install firmware from LVFS.
+
+ Given the test plan in the SRU exception document, plus IHV testing,
+ I think those shall be fine.
+
+ [Other Info]
+ SRU exception page: https://wiki.ubuntu.com/firmware-updates
+
+ ----
The firmware blobs in cabinet archive are presently LVFS signed with gpg
and pkcs7, if libjcat at compilation time without one then the blobs
signed with both can't be verified.
Impact is fwupd daemon will fail the firmware install immediately
because OnlyTrusted=true is defaulted (in fwupd 1.7.x) to verifying the
signature for daemon.
We need uprev libjcat at least 0.1.4 onward to fix this issue.
Issue is reproducible with fwupd 1.7.4
-> https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd174
$ fwupdmgr --version
client version: 1.7.4
compile-time dependency versions
gusb: 0.3.4
daemon version: 1.7.4
$ dpkg -l | grep libjcat
ii libjcat1:amd64 0.1.3-2 amd64 JSON catalog library
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libjcat in Ubuntu.
https://bugs.launchpad.net/bugs/1961864
Title:
fwupd daemon failed verifying firmware signature
Status in OEM Priority Project:
Triaged
Status in fwupd package in Ubuntu:
Invalid
Status in libjcat package in Ubuntu:
Fix Released
Status in fwupd source package in Focal:
Invalid
Status in libjcat source package in Focal:
Triaged
Status in fwupd source package in Impish:
Invalid
Status in libjcat source package in Impish:
Triaged
Status in fwupd source package in Jammy:
Invalid
Status in libjcat source package in Jammy:
Fix Released
Bug description:
We are going to SRU fwupd 1.7.5 to impish and focal to fix bug LP: #1949412. With update fwupd, the default config set OnlyTrusted=true
With that, we need update libjcat.
[Impact]
need to update libjcat so the recent firmware from lvfs could be installed
by fwupd.
[Test Plan]
Will use fwupd SRU exception test plan to do those testing.
IHV vendor will also contribute by testing recent firmware that
can't be install without upgrade libjcat.
[Where problems could occur]
fwupd will crash, signature verification will failed and the can't
install firmware from LVFS.
Given the test plan in the SRU exception document, plus IHV testing,
I think those shall be fine.
[Other Info]
SRU exception page: https://wiki.ubuntu.com/firmware-updates
----
The firmware blobs in cabinet archive are presently LVFS signed with
gpg and pkcs7, if libjcat at compilation time without one then the
blobs signed with both can't be verified.
Impact is fwupd daemon will fail the firmware install immediately
because OnlyTrusted=true is defaulted (in fwupd 1.7.x) to verifying
the signature for daemon.
We need uprev libjcat at least 0.1.4 onward to fix this issue.
Issue is reproducible with fwupd 1.7.4
-> https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd174
$ fwupdmgr --version
client version: 1.7.4
compile-time dependency versions
gusb: 0.3.4
daemon version: 1.7.4
$ dpkg -l | grep libjcat
ii libjcat1:amd64 0.1.3-2 amd64 JSON catalog library
To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1961864/+subscriptions
More information about the foundations-bugs
mailing list