[Bug 1968260] Re: [UBUNTU 20.04] genprotimg fails to process z15 host key documents after April 2022 (s390-tools)

Frank Heimes 1968260 at bugs.launchpad.net
Fri Apr 8 17:14:11 UTC 2022 

** Tags removed: patch
** Tags added: jammy

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1968260

Title:
  [UBUNTU 20.04] genprotimg fails to process z15 host key documents
  after April 2022 (s390-tools)

Status in Ubuntu on IBM z Systems:
  New
Status in s390-tools package in Ubuntu:
  In Progress
Status in s390-tools-signed package in Ubuntu:
  In Progress
Status in s390-tools source package in Focal:
  New
Status in s390-tools-signed source package in Focal:
  New
Status in s390-tools source package in Impish:
  New
Status in s390-tools-signed source package in Impish:
  New
Status in s390-tools source package in Jammy:
  In Progress
Status in s390-tools-signed source package in Jammy:
  In Progress

Bug description:
  == Comment: #0 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 08:55:11 ==
  DigiCert is the CA issuing the signing certificate for Secure Execution host key documents. This certificate is used for the verification of the host key document validity. Recently, DigiCert has changed the root CA certificate used for issuance of the signing certificates.
  As genprotimg is checking the CA serial, the verification of the chain of trust will fail. As a workaround, it is possible to disable certificate verification, but this is not recommended because it makes it easier to provide a fake host key document.
  Since the previously issued host key documents are expiring in April 2022, it is necessary to fix genprotimg to accept the newly issued host key documents.
   
  Contact Information = Viktor Mihajlovski <mihajlov at de.ibm.com>

  == Comment: #2 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 08:57:47 ==
  Fixed by:

  https://github.com/ibm-s390-linux/s390-tools

  commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d
  Author: Marc Hartmayer <mhartmay at linux.ibm.com>
  Date:   Thu Mar 31 14:00:31 2022 +0000

      genprotimg: remove DigiCert root CA pinning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1968260/+subscriptions

More information about the Ubuntu-sponsors mailing list