Public bug reported: ARM64 signed linux-images packages encode arbitrary timestamp

$ file /boot/vmlinuz-6.6.0-14-generic
/boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was "vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1 18:54:57 2023, max compression, from Unix, original size modulo 2^32 56127880

Note that the original filename and timestamp are encoded in the gzip content header, which is not reproducible and not roundtrip safe. This makes it difficult to do the gymnastics to convert from linux-unsigned, to linux-signed, to kernel.efi, and back, and preserve the same checksum or HMAC of the file, as needed by FIPS or just out of pure curiosity to confirm that the kernel image is the same across all image formats we ship.

The fix is to use the -n (--no-name) option to gzip to compress the file without filename or timestamp.

$ file linux-image/boot/vmlinuz-6.6.0-14-generic.new
/boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max compression, from Unix, original size modulo 2^32 56127880

** Affects: linux-signed (Ubuntu)
     Importance: Undecided
         Status: In Progress

** Description changed:

- ARM64 signed linux-images packages have arbitrary timestamp
+ ARM64 signed linux-images packages encode arbitrary timestamp
  
- $ file /boot/vmlinuz-6.6.0-14-generic
+ $ file /boot/vmlinuz-6.6.0-14-generic
  /boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was "vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1 18:54:57 2023, max compression, from Unix, original size modulo 2^32 56127880
  
  Note that the original filename and timestamp are encoded in the gzip content header, which is not reproducible and not roundtrip safe. This makes it difficult to do the gymnastics to convert from linux-unsigned, to linux-signed, to kernel.efi, and back, and preserve the same checksum or HMAC of the file, as needed by FIPS or just out of pure curiosity to confirm that the kernel image is the same across all image formats we ship.
  
  The fix is to use the -n (--no-name) option to gzip to compress the file without filename or timestamp.
  
  $ file linux-image/boot/vmlinuz-6.6.0-14-generic.new
  /boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max compression, from Unix, original size modulo 2^32 56127880

** Changed in: linux-signed (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-signed in Ubuntu.
https://bugs.launchpad.net/bugs/2045684

Title:
  ARM64 signed linux-images packages have arbitrary timestamp

Status in linux-signed package in Ubuntu:
  In Progress

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
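The header fields the report is talking about are the RFC 1952 FNAME and MTIME members of the gzip header. The following is an added Python example, not code from the report, from linux-signed or from the Ubuntu kernel packaging: it parses a gzip member header (including the FEXTRA/FCOMMENT/FHCRC fields the report does not mention, so it goes a little beyond the `file` output above), shows that two compressions of the same payload with different names or timestamps hash differently, and that rewriting the header the way `gzip -n` emits it (no name, mtime 0) gives a checksum that depends on the payload alone. The helper names (`parse_header`, `normalise`, `gzip_with_name`, `gzip_no_name`) and the `SAMPLE` payload are this example's own; `SAMPLE` is constructed filler standing in for a kernel image.

```python
"""Inspect gzip member headers (RFC 1952) and strip the non-reproducible fields.

Added example, not code from the Launchpad report or from linux-signed.
Helper names and the SAMPLE payload are this example's own inventions.
"""
import gzip
import hashlib
import io
import struct

# RFC 1952 FLG bits
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 1, 2, 4, 8, 16

# Constructed stand-in for a kernel image; not real data.
SAMPLE = bytes(range(256)) * 64 + b"fake vmlinuz payload\n" * 512


def parse_header(blob: bytes) -> dict:
    """Decode the first gzip member header; header_len is the offset of the deflate body."""
    if blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip/deflate stream")
    flg, mtime, xfl, os_code = struct.unpack("<BIBB", blob[3:10])
    pos = 10
    extra = name = comment = None
    if flg & FEXTRA:
        (xlen,) = struct.unpack("<H", blob[pos:pos + 2])
        extra = blob[pos + 2:pos + 2 + xlen]
        pos += 2 + xlen
    if flg & FNAME:                      # zero-terminated, latin-1
        end = blob.index(b"\x00", pos)
        name = blob[pos:end].decode("latin-1")
        pos = end + 1
    if flg & FCOMMENT:
        end = blob.index(b"\x00", pos)
        comment = blob[pos:end].decode("latin-1")
        pos = end + 1
    if flg & FHCRC:                      # CRC16 over the header so far
        pos += 2
    return {"flg": flg, "mtime": mtime, "xfl": xfl, "os": os_code,
            "extra": extra, "name": name, "comment": comment,
            "header_len": pos}


def gzip_with_name(data: bytes, name: str, mtime: int) -> bytes:
    """Compress the way plain `gzip FILE` does: FNAME and MTIME are recorded."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf, mtime=mtime) as f:
        f.write(data)
    return buf.getvalue()


def gzip_no_name(data: bytes) -> bytes:
    """Compress the way `gzip -n` does: no FNAME, MTIME = 0."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="", mode="wb", fileobj=buf, mtime=0) as f:
        f.write(data)
    return buf.getvalue()


def normalise(blob: bytes) -> bytes:
    """Rewrite an existing member so its header matches `gzip -n` output.

    Drops FEXTRA/FNAME/FCOMMENT/FHCRC and zeroes MTIME. The deflate body and the
    CRC32/ISIZE trailer are copied through unchanged, so the data still inflates.
    XFL and OS are kept because `gzip -n` keeps them as well.
    """
    h = parse_header(blob)
    hdr = b"\x1f\x8b\x08" + struct.pack("<BIBB", h["flg"] & FTEXT, 0, h["xfl"], h["os"])
    return hdr + blob[h["header_len"]:]


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def inflate(blob: bytes) -> bytes:
    return gzip.decompress(blob)


if __name__ == "__main__":
    a = gzip_with_name(SAMPLE, "vmlinuz-6.6.0-14-generic.efi.signed", 1701456897)
    b = gzip_with_name(SAMPLE, "vmlinuz-6.6.0-14-generic", 1701460000)
    print("named, build 1 :", sha256_hex(a), parse_header(a)["name"])
    print("named, build 2 :", sha256_hex(b), parse_header(b)["name"])
    print("normalised 1   :", sha256_hex(normalise(a)))
    print("normalised 2   :", sha256_hex(normalise(b)))
    print("gzip -n style  :", sha256_hex(gzip_no_name(SAMPLE)))
```

Two caveats when using this to compare the shipped image formats: `-n` removes only the name and the timestamp, so the deflate body still depends on the gzip/zlib version and compression level used, and the XFL and OS bytes (the "max compression, from Unix" that `file` prints) are kept. Comparing normalised bytes is therefore only meaningful across builds that used the same compressor; otherwise compare the inflated payload, or its CRC32/ISIZE trailer, which `normalise` leaves untouched.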