Control: retitle -1 ima-evm-utils: FTBFS because of the signature verification unit tests
Control: severity -1 serious

On Wed, 17 Nov 2021 10:35:05 +0100 Steffen Kothe wrote:
EVM signatures can be created with the option '--portable | -o' to get rid of the hashing of i_version and fsuuid.

When files should be verified after a signing with '--portable' on the host, the tooling returns with "Verification failed" unless
the signing itself is correct.

The cause for this issue is a missing implementation for the probing
and verification of portable signatures.

A patch for this issue is already available in the official git source
of the ima-evm-utils tooling:

https://git.code.sf.net/p/linux-ima/ima-evm-utils
f4b901d081ec ("Add support for verifying portable EVM signatures")

The wrong checking of the signature format results in a false-positive error.

Note that this bug also affects version 1.3.2-2.1 provided
by Debian/SID https://packages.debian.org/sid/ima-evm-utils.

The official release 1.4 of the ima-evm-utils contains these fixes.

Version 1.4 was imported but still fails to build from scratch on buildd
because the unit tests for that new feature do not run without gnutls-bin
and softhsm2 installed as build dependencies.
I did not catch that building my NMU in a clean sid chroot. I do not know why;
it still builds in that chroot and claims two of the three tests to succeed
with those packages uninstalled.
