This bug was fixed in the package linux-signed - 6.8.0-11.11
---
linux-signed (6.8.0-11.11) noble; urgency=medium
* Main version: 6.8.0-11.11
* Miscellaneous Ubuntu changes
- debian/tracking-bug -- update from main
-- Paolo Pisati Wed, 14 Feb 2024 00:04:58 +0100
** Changed in: linux-signed (Ubuntu)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/2045684
Title:
ARM64 signed linux-images packages have arbitrary timestamp
Status in linux-signed package in Ubuntu:
Fix Released
Bug description:
ARM64 signed linux-images packages encode arbitrary timestamp
$ file /boot/vmlinuz-6.6.0-14-generic
/boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was
"vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1 18:54:57 2023,
max compression, from Unix, original size modulo 2^32 56127880
Note that the original filename and timestamp are encoded in the gzip
content header, which is not reproducible and not roundtrip safe. This
makes it difficult to do gymnastics to convert for linux
linux-unsigned, to linux-signed, to kernel.efi, and back and preserve the
same checksum or HMAC of the file, as needed by FIPS or just pure
curiosity to confirm that the kernel image is the same across all
image formats we ship.
The fix is to use the -n (--no-name) option to gzip to compress the file
without filename or timestamp.
$ file linux-image/boot/vmlinuz-6.6.0-14-generic.new
/boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max compression,
from Unix, original size modulo 2^32 56127880
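The header fields named in the bug description can be checked directly. The following is an added example, not code from the bug report or from the Ubuntu kernel packaging: it parses the gzip member header (RFC 1952) for the MTIME and FNAME fields and shows that the same payload hashes differently when they are present and identically when they are absent, which is the effect of gzip -n. The payload, the two timestamps and the helper names are constructed for illustration.

```python
import gzip, hashlib, io, struct

def gzip_metadata(blob: bytes) -> dict:
    """Read MTIME and the optional FNAME field from a gzip member header (RFC 1952)."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    flags, mtime = struct.unpack("<BI", blob[3:8])   # FLG byte, then 32-bit MTIME
    pos = 10                                         # fixed header is 10 bytes
    if flags & 0x04:                                 # FEXTRA: 2-byte length + data
        pos += 2 + struct.unpack("<H", blob[pos:pos + 2])[0]
    name = None
    if flags & 0x08:                                 # FNAME: NUL-terminated name
        name = blob[pos:blob.index(b"\0", pos)].decode("latin-1")
    return {"mtime": mtime, "name": name}

def is_roundtrip_safe(blob: bytes) -> bool:
    """True when the header carries neither a timestamp nor an original name."""
    meta = gzip_metadata(blob)
    return meta["mtime"] == 0 and meta["name"] is None

def compress(payload: bytes, name: str = "", mtime: int = 0) -> bytes:
    """Defaults (no name, MTIME 0) produce the header layout that gzip -n writes."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf,
                       compresslevel=9, mtime=mtime) as f:
        f.write(payload)
    return buf.getvalue()

def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

# Constructed sample data: a stand-in payload and two arbitrary build times.
PAYLOAD = b"constructed stand-in for a kernel image\n" * 256
NAME = "vmlinuz-6.6.0-14-generic.efi.signed"

def demo() -> dict:
    first = compress(PAYLOAD, NAME, 1701456897)
    second = compress(PAYLOAD, NAME, 1701456997)     # same bytes, later build
    clean_a, clean_b = compress(PAYLOAD), compress(PAYLOAD)
    return {
        "named_header": gzip_metadata(first),
        "named_hashes_match": sha256(first) == sha256(second),
        "clean_hashes_match": sha256(clean_a) == sha256(clean_b),
        "clean_is_safe": is_roundtrip_safe(clean_a),
    }

if __name__ == "__main__":
    print(demo())
```
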