On Tue, 05 Jul 2022 17:44:14 -0500 Matthias Maier wrote:
> I think this is an issue with the Hardware token and not with the
> userland libraries and tools.
I too tried with a YubiKey 5 (Firmware 5.4.3). The signature was fine
with those.
So it looks indeed likely that this is a firmware bug
Hi,
On Tue, 2022-07-05 at 09:00 +0200, Bastian Blank wrote:
> On Mon, Jul 04, 2022 at 10:34:39PM +0200, Ansgar wrote:
> > As a further test I tried a different PKCS#11 module:
>
> Could you try the same with "openssl cms"? Just to make sure it's
> not sign-file itself.
I replaced the
On Mon, Jul 04, 2022 at 10:34:39PM +0200, Ansgar wrote:
> As a further test I tried a different PKCS#11 module:
Could you try the same with "openssl cms"? Just to make sure it's not
sign-file itself.
The complete command line I use to create signatures for kernel modules
is:
| openssl cms
It's like déjà vu all over again:
#942881 - snd-hda-codec-hdmi signature corruption
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942881
Thank you!
Dan
Urbana, Illinois
Hi,
On Mon, 2022-07-04 at 22:00 +0200, Ansgar wrote:
> The correct signature (using OpenSSL) has:
>
> +---
> > 138 256: OCTET STRING
> > : 00 00 45 75 A8 93 B1 B1 37 0A 53 69 82 BB 1C B6
> +---[ data.ko.p7s.success ]
>
> The incorrect signature from the YK has:
>
>
Hi,
I experimented a bit more and could reproduce the problem with a local
YK (YubiKey 4, Firmware 4.3.7) and a known private key and certificate.
The correct signature (using OpenSSL) has:
+---
| 138 256: OCTET STRING
|: 00 00 45 75 A8 93 B1 B1 37 0A 53 69 82 BB
On Mon, 2022-07-04 at 14:04 +0200, Ansgar wrote:
> On Sun, 19 Jun 2022 12:59:55 +0200 Ben Hutchings wrote:
> > > I'm now looking at whether the missing bytes are recoverable (e.g. are
> > > they always zeroes).
> > [...]
> >
> > I wrote a script to try all possible byte values for 2 bytes before
On Sun, 19 Jun 2022 12:59:55 +0200 Ben Hutchings wrote:
> > I'm now looking at whether the missing bytes are recoverable (e.g. are
> > they always zeroes).
> [...]
>
> I wrote a script to try all possible byte values for 2 bytes before or
> after the short signature. For this particular file,
Ben, et al,
On Sun, 19 Jun 2022 12:59:55 +0200, Ben Hutchings wrote:
> In the meantime, we have another security update coming which might
> not hit this bug again. But there are 28,679 signed binaries across
> the three architectures, so the probability is only about 65%.
I looked at the
On Sun, 2022-06-26 at 10:30 -0500, Daniel Lewart wrote:
> Ben, et al,
>
> On Mon, 13 Jun 2022 18:23:18 +0200 Ben Hutchings wrote:
>
> > Since the truncated signatures are in the source packages, this is a
> > problem introduced by the code signing service and will need to be
> > fixed there.
>
Ben, et al,
On Mon, 13 Jun 2022 18:23:18 +0200 Ben Hutchings wrote:
> Since the truncated signatures are in the source packages, this is a
> problem introduced by the code signing service and will need to be
> fixed there.
Assuming that the code-signing service uses the kernel's
Ben, et al,
BH> I wrote a script to check for short signatures (and other unexpected
BH> things) in detached signature files:
BH>
https://salsa.debian.org/kernel-team/kernel-team/-/blob/master/scripts/benh/check-sig-params
DL> I tried running your script, but it generates an error (see below).
On Mon, 2022-06-20 at 04:38 -0500, Daniel Lewart wrote:
> Ben,
>
> > I wrote a script to check for short signatures (and other unexpected
> > things) in detached signature files:
> > https://salsa.debian.org/kernel-team/kernel-team/-/blob/master/scripts/benh/check-sig-params
>
> Thank you for
Ben,
> I wrote a script to check for short signatures (and other unexpected
> things) in detached signature files:
> https://salsa.debian.org/kernel-team/kernel-team/-/blob/master/scripts/benh/check-sig-params
Thank you for your excellent detective work!
I tried running your script, but it
On Sat, 2022-06-18 at 16:21 +0200, Ben Hutchings wrote:
> On Thu, 2022-06-16 at 01:28 +0200, Ben Hutchings wrote:
> [...]
>
> > linux-image-4.19.0-17-amd64 4.19.194-1
> > lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
> > linux-image-4.19.0-17-amd64 4.19.194-2
> >
On Sat, 2022-06-18 at 16:21 +0200, Ben Hutchings wrote:
[...]
> Incidentally, this is a failure rate of 75 out of 4,967,591 signatures,
> or 0.0015%
[...]
Or maybe not so incidentally: 4,967,591 / 2^16 ~= 75
Ben.
--
Ben Hutchings
The Peter principle: In a hierarchy, every employee tends to
On Thu, 2022-06-16 at 01:28 +0200, Ben Hutchings wrote:
[...]
> linux-image-4.19.0-17-amd64 4.19.194-1
> lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
> linux-image-4.19.0-17-amd64 4.19.194-2
> lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
>
On Mon, 2022-06-13 at 18:23 +0200, Ben Hutchings wrote:
[...]
> I can confirm that this module does not load, and this means it has an
> invalid signature. The detached signature present in the source
> package seems to be truncated (408 bytes long, where for all other
> modules the detached
Control: reassign -1 src:linux-signed-i386 5.10.120+1
Control: severity -1 serious
Control: tag -1 confirmed
On Mon, 13 Jun 2022 01:18:00 -0500 Daniel Lewart wrote:
> Package: linux-image-5.10.0-15-686-pae
> Version: 5.10.120-1
> Severity: normal
>
> Debian Kernel Team,
>
> Encountered on a
Package: linux-image-5.10.0-15-686-pae
Version: 5.10.120-1
Severity: normal
Debian Kernel Team,
Encountered on a physical machine and reproduced with QEMU:
$ sudo modprobe rt61pci
modprobe: ERROR: could not insert 'rt61pci': Key was rejected by service
But it works fine on the following:
*