[Bug 1961864] Update Released

Thu Mar 10 17:05:02 UTC 2022

The verification of the Stable Release Update for libjcat has completed
successfully and the package is now being released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libjcat in Ubuntu.
https://bugs.launchpad.net/bugs/1961864

Title:
  fwupd daemon failed to verify firmware signature

Status in OEM Priority Project:
  Fix Committed
Status in fwupd package in Ubuntu:
  Invalid
Status in libjcat package in Ubuntu:
  Fix Released
Status in fwupd source package in Focal:
  Invalid
Status in libjcat source package in Focal:
  Fix Released
Status in fwupd source package in Impish:
  Invalid
Status in libjcat source package in Impish:
  Fix Released
Status in fwupd source package in Jammy:
  Invalid
Status in libjcat source package in Jammy:
  Fix Released

Bug description:
  We are going to SRU fwupd 1.7.5 to impish and focal to fix bug LP: #1949412. With update fwupd, the default config set OnlyTrusted=true
  With that, we need update libjcat.

  [Impact]

  need to update libjcat so the recent firmware from lvfs could be installed
  by fwupd.

  [Test Plan]
  Will use fwupd SRU exception test plan to do those testing.
  IHV vendor will also contribute by testing recent firmware that
  can't be install without upgrade libjcat.

  [Where problems could occur]
  fwupd will crash, signature verification will failed and the can't
  install firmware from LVFS.

  Given the test plan in the SRU exception document, plus IHV testing,
  I think those shall be fine.

  [Other Info]
  SRU exception page: https://wiki.ubuntu.com/firmware-updates
  There are several commits between 0.1.3 (current one in focal)
  and 0.1.4 (the target version for this SRU).
  Those non-trivial commits between 0.1.3 and 0.1.4 are:

  https://github.com/hughsie/libjcat/commit/109399e1f28cec84b43c355b2be77bac38943df7
  https://github.com/hughsie/libjcat/commit/583df67e3ee25201f1e1830ae6d92bf846c082a3

  Given they are clean and clear, I think SRU those shall be fine.

  Also, note per:

  https://github.com/fwupd/fwupd/commit/7157ca79e4d6b13d82b0a21f8586b86be0cbb80e

  We do need updated libjcat to support new firmware from LVFS.

  ----

  The firmware blobs in cabinet archive are presently LVFS signed with
  gpg and pkcs7, if libjcat at compilation time without one then the
  blobs signed with both can't be verified.

  The impact is fwupd daemon will fail the firmware install immediately
  because OnlyTrusted=true is defaulted (in fwupd 1.7.x) to verify the
  signature for the daemon.

  We need uprev libjcat at least 0.1.4 onward to fix this issue.

  Issue is reproducible with fwupd 1.7.4
  -> https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd174

  $ fwupdmgr --version
  client version:	1.7.4
  compile-time dependency versions
   gusb:	0.3.4

  daemon version: 1.7.4

  $ dpkg -l | grep libjcat
  ii  libjcat1:amd64    0.1.3-2   amd64   JSON catalog library

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1961864/+subscriptions