Bug#925550: grub-efi-amd64-signed: Cannot verify grubx64.efi.signed against "Debian Secure Boot CA"
Hi

Is there any news regarding the signed binary verification with sbverify? It still fails when used with the provided secure boot CA from https://dsa.debian.org/secure-boot-ca.

I managed to verify the certificate used to sign the binaries with the following commands - but I hope we get a version with sbverify and the root CA directly :)

1. Download CA cert from https://dsa.debian.org/secure-boot-ca

2. Convert downloaded CA cert to pem

   openssl x509 -inform der -outform pem -in secure-boot-ca -out debian-ca.pem

3. Extract the signature from the binary

   osslsigncode extract-signature -pem /boot/vmlinuz-... vmlinuz.sig

4. Show the signer cert and use it for verification

   openssl pkcs7 -inform pem -print_certs -text -in vmlinuz.sig

5. Verify the used signing cert against the CA from d.o

   openssl verify -verbose -CAfile debian-ca.pem debian-signer.pem
   debian-signer.pem: OK

I would also add a section to https://wiki.debian.org/SecureBoot or to a subpage for how to verify signed secure boot binaries (e.g. a new subpage like https://wiki.debian.org/SecureBoot/Verification)

Thanks
Andreas

-- 
OpenPGP Key AE852913B3757F790297FA2CF04BCF398957A857 @ https://keys.openpgp.org
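Added here as a worked illustration, not code from the thread or from Debian: steps 2 to 5 of the verification above, reproduced offline against a throwaway root CA and subordinate signer. An `openssl smime` PKCS#7 signature stands in for the Authenticode signature that osslsigncode extracts from a real binary, an unrelated second CA shows what the wrong-root case looks like, and every name and file below is constructed.

```shell
#!/bin/sh
# Constructed demo (not the thread's or Debian's code): re-run steps 2-5 of the
# verification above against a throwaway root CA and subordinate signer, with a
# PKCS#7 blob from "openssl smime" standing in for the Authenticode signature
# that osslsigncode extracts from a real signed binary.
set -eu

# make_demo_pki DIR: a "CA" and "Signer" with constructed names, the CA also
# written as DER to mimic the download from dsa.debian.org, plus an unrelated
# second CA so the wrong-root case can be shown too.
make_demo_pki() {
    dir=$1
    # Extension profiles modelled on the real CA (CA:TRUE, Certificate Sign) and signer (Code Signing).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,digitalSignature,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=codeSigning\n' > "$dir/signer.ext"
    for name in ca other-ca; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Secure Boot $name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 2 -sha256 \
            -extfile "$dir/ca.ext" -out "$dir/$name.pem" 2>/dev/null
        openssl x509 -in "$dir/$name.pem" -outform der -out "$dir/$name.der"
    done
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Secure Boot Signer" \
        -keyout "$dir/signer.key" -out "$dir/signer.csr" 2>/dev/null
    openssl x509 -req -in "$dir/signer.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -set_serial 4242 \
        -days 1 -sha256 -extfile "$dir/signer.ext" -out "$dir/signer.pem" 2>/dev/null
    # Signature over a dummy payload; the signer cert rides along inside the PKCS#7, as in a signed PE.
    printf 'constructed stand-in for grubx64.efi.signed\n' > "$dir/payload.bin"
    openssl smime -sign -binary -in "$dir/payload.bin" -signer "$dir/signer.pem" \
        -inkey "$dir/signer.key" -outform PEM -out "$dir/payload.sig"
}

# verify_signer DIR CA_DER: steps 2, 4 and 5. Succeeds only when the signer
# certificate embedded in the signature chains to the CA handed over as DER.
verify_signer() {
    dir=$1; ca_der=$2
    openssl x509 -inform der -in "$ca_der" -outform pem -out "$dir/ca-check.pem"                 # step 2
    openssl pkcs7 -inform pem -print_certs -in "$dir/payload.sig" > "$dir/signer-extracted.pem"   # step 4
    # step 5: "openssl verify" reports "<file>: OK" only when a chain to the CA is built
    openssl verify -CAfile "$dir/ca-check.pem" "$dir/signer-extracted.pem" 2>/dev/null | grep -q ': OK$'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_demo_pki "$WORK"
if verify_signer "$WORK" "$WORK/ca.der"; then echo "issuing CA:   signer chains, OK"; fi
if ! verify_signer "$WORK" "$WORK/other-ca.der"; then echo "unrelated CA: no chain, verification fails"; fi
```

The same `openssl pkcs7 -print_certs` and `openssl verify -CAfile` pair applies unchanged to the signature osslsigncode extracts from a real signed binary.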
Bug#925550: grub-efi-amd64-signed: Cannot verify grubx64.efi.signed against "Debian Secure Boot CA"
Control: reassign -1 ftp.debian.org
Control: affects -1 grub-efi-amd64-bin

On Tue, Mar 26, 2019 at 06:47:59PM +0100, Marc Riedel wrote:
> I cannot verify grubx64.efi.signed against "Debian Secure Boot CA"
> (https://dsa.debian.org/secure-boot-ca).
>
> Steps to reproduce:
>
> sbverify --list /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
> signature 1
> image signature issuers:
>  - /CN=Debian Secure Boot CA
> image signature certificates:
>  - subject: /CN=Debian Secure Boot Signer
>    issuer: /CN=Debian Secure Boot CA
>
> wget -q -O - https://dsa.debian.org/secure-boot-ca | openssl x509 -inform der -outform pem -out secure-boot-ca.pem
>
> openssl x509 -in secure-boot-ca.pem -text -noout
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN = Debian Secure Boot CA
>         Validity
>             Not Before: Aug 16 18:09:18 2016 GMT
>             Not After : Aug 9 18:09:18 2046 GMT
>         Subject: CN = Debian Secure Boot CA
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 RSA Public-Key: (2048 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             Authority Information Access:
>                 CA Issuers - URI:https://dsa.debian.org/secure-boot-ca
>
>             X509v3 Authority Key Identifier:
>                 keyid:6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
>
>             Netscape Cert Type: critical
>                 SSL Client, SSL Server, S/MIME, Object Signing, SSL CA, S/MIME CA, Object Signing CA
>             X509v3 Extended Key Usage:
>                 Code Signing
>             X509v3 Key Usage: critical
>                 Digital Signature, Certificate Sign, CRL Sign
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Subject Key Identifier:
>                 6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
>     Signature Algorithm: sha256WithRSAEncryption
>
> sbverify --cert secure-boot-ca.pem /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
> Signature verification failed
>
> Can you please point me to the right certificate?

The ftpmasters maintain the signing apparatus, so I think I need to pass this over to them (either to update the published certificate, or to fix the signing, or to advise on the correct verification method - I haven't worked out which).

Thanks,

-- 
Colin Watson [cjwat...@debian.org]
Bug#925550: grub-efi-amd64-signed: Cannot verify grubx64.efi.signed against "Debian Secure Boot CA"
Package: grub-efi-amd64-bin
Version: 1+2.02+dfsg1+16
Severity: important
Tags: upstream

I cannot verify grubx64.efi.signed against "Debian Secure Boot CA"
(https://dsa.debian.org/secure-boot-ca).

Steps to reproduce:

sbverify --list /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
signature 1
image signature issuers:
 - /CN=Debian Secure Boot CA
image signature certificates:
 - subject: /CN=Debian Secure Boot Signer
   issuer: /CN=Debian Secure Boot CA

wget -q -O - https://dsa.debian.org/secure-boot-ca | openssl x509 -inform der -outform pem -out secure-boot-ca.pem

openssl x509 -in secure-boot-ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Debian Secure Boot CA
        Validity
            Not Before: Aug 16 18:09:18 2016 GMT
            Not After : Aug 9 18:09:18 2046 GMT
        Subject: CN = Debian Secure Boot CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:https://dsa.debian.org/secure-boot-ca

            X509v3 Authority Key Identifier:
                keyid:6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1

            Netscape Cert Type: critical
                SSL Client, SSL Server, S/MIME, Object Signing, SSL CA, S/MIME CA, Object Signing CA
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
    Signature Algorithm: sha256WithRSAEncryption

sbverify --cert secure-boot-ca.pem /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
Signature verification failed

Can you please point me to the right certificate?
Best Regards
Marc Riedel

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.0.0-2.slh.1-aptosid-amd64 (SMP w/12 CPU cores; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_USER, TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages grub-efi-amd64-signed depends on:
ii  grub-common  2.02+dfsg1-16

Versions of packages grub-efi-amd64-signed recommends:
ii  shim-signed  1.28+nmu3+0.9+1474479173.6c180c6-1

grub-efi-amd64-signed suggests no packages.

Versions of