[Bug 1536871] Re: [MIR] fwupd

2017-06-14 Thread Seth Arnold
Thank you Richard -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1536871 Title: [MIR] fwupd To manage notifications about this bug go to:

[Bug 1536871] Re: [MIR] fwupd

2017-06-14 Thread Richard Hughes
> I'd very much like to see the firmware.xml.gz file using sha-256
I added support for more than just SHA1 to fwupd last week. After some more testing, I'll enable it on the metadata file from the LVFS.

Re: [Bug 1536871] Re: [MIR] fwupd

2016-04-01 Thread Mario Limonciello
@Tim, gpgme doesn't do any underlying check on what version, it will happen on a system with gnupg 1.x as well.
On Fri, Apr 1, 2016 at 12:41 AM Tim Chen <1536...@bugs.launchpad.net> wrote:
> @Mario
> For #23, does this affect system without gnupg2 installed ? What will
> happen if system only

[Bug 1536871] Re: [MIR] fwupd

2016-03-31 Thread Tim Chen
@Mario For #23, does this affect system without gnupg2 installed ? What will happen if system only has gnupg 1.x ?

Re: [Bug 1536871] Re: [MIR] fwupd

2016-03-31 Thread Mario Limonciello
Richard, Can you hold off until tomorrow on the tarball release? I'm working on a fix for the test suite not working in sbuild I'll push later today that I would like part of it.
On Thu, Mar 31, 2016, 13:15 Richard Hughes wrote:
> I can do a new tarball release with all

[Bug 1536871] Re: [MIR] fwupd

2016-03-31 Thread Richard Hughes
I can do a new tarball release with all the suggested fixes if that would make things easier.

[Bug 1536871] Re: [MIR] fwupd

2016-03-31 Thread Matthias Klose
Override component to main
fwupd 0.6.3-0ubuntu2 in xenial: universe/admin -> main
fwupd 0.6.3-0ubuntu2 in xenial amd64: universe/admin/optional/100% -> main
fwupd 0.6.3-0ubuntu2 in xenial arm64: universe/admin/optional/100% -> main
fwupd 0.6.3-0ubuntu2 in xenial armhf: universe/admin/optional/100%

[Bug 1536871] Re: [MIR] fwupd

2016-03-31 Thread Matthias Klose
subscribed foundations.
Override component to main
npth 1.2-3 in xenial: universe/libdevel -> main
libnpth-mingw-w64-dev 1.2-3 in xenial amd64: universe/libdevel/extra/100% -> main
libnpth-mingw-w64-dev 1.2-3 in xenial arm64: universe/libdevel/extra/100% -> main
libnpth-mingw-w64-dev 1.2-3 in

[Bug 1536871] Re: [MIR] fwupd

2016-03-31 Thread Mario Limonciello
@mterry: I'd propose foundations bugs for both. As for the tests being disabled, you need libtool-bin in xenial (and libtool in earlier releases). This commit will handle it: http://anonscm.debian.org/cgit/uefi/fwupd.git/commit/?h=ubuntu=4ea0dfe282ba0d26bebb9d47c311c24fea16de33

[Bug 1536871] Re: [MIR] fwupd

2016-03-31 Thread Michael Terry
I went ahead and looked at npth. It seems fine, but just needs a team bug subscriber as well.

[Bug 1536871] Re: [MIR] fwupd

2016-03-31 Thread Michael Terry
fwupd:
- Can we get a team bug subscriber for Ubuntu? Some team that promises to look after this, with a bus factor bigger than 1 :)
- Tests are disabled, because of an old upstream bug (https://github.com/hughsie/fwupd/issues/14). That bug is fixed. But tests still don't work for me

[Bug 1536871] Re: [MIR] fwupd

2016-03-31 Thread Michael Terry
** Changed in: fwupd (Ubuntu)
Assignee: (unassigned) => Michael Terry (mterry)

[Bug 1536871] Re: [MIR] fwupd

2016-03-31 Thread Matthias Klose
the merged gnupg2 needs a MIR for npth
** Also affects: npth (Ubuntu)
Importance: Undecided
Status: New
** Changed in: npth (Ubuntu)
Status: New => Incomplete

[Bug 1536871] Re: [MIR] fwupd

2016-03-31 Thread Seth Arnold
Mario, excellent detective work. I was going around in circles earlier today trying to explain why Richard couldn't reproduce my failures and I couldn't reproduce his successes. Richard, thanks for describing the xtea use and md5 KDF. If this were an important part of the project I'd be far more

[Bug 1536871] Re: [MIR] fwupd

2016-03-30 Thread Mario Limonciello
To address the various actions:
1) I created a bug to at least track that this is a problem in gpgme [0]
2) I uploaded a new gnupg2 to xenial-proposed. It's in unapproved. For now if you want to give this a try until it's accepted I also have it on a PPA [1]
3) I added a check to fwupd to

[Bug 1536871] Re: [MIR] fwupd

2016-03-30 Thread Mario Limonciello
Oh and lastly per the comments in https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1536871/comments/2 we should likely be able to turn the test suite back on once compiling with gnupg2.1 in build-depends. Seth let us know if there is anything else that needs investigation or fixing from your

[Bug 1536871] Re: [MIR] fwupd

2016-03-30 Thread Mario Limonciello
Seth, I believe I've identified what's going on (and why Richard couldn't reproduce this on Fedora). gpgme1.0 shells out to /usr/bin/gpg2 to perform actions. If you turn on its debug flags verbose enough you can track down the various calls it's sending around. I was noting the cert actually

[Bug 1536871] Re: [MIR] fwupd

2016-03-30 Thread Richard Hughes
With the gpg issue, log in as root and do:
killall fwupd
gpg2 --list-sigs
if you see the LVFS key, "gpg2 --delete-keys 4538BAC2" -- then remove or change /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service then restart fwupd and try a "fwupdmgr refresh" -- this should report: failed

[Bug 1536871] Re: [MIR] fwupd

2016-03-30 Thread Richard Hughes
Hey,
- gpgme_release() is called in finalize() unless you can see where we're not deallocating an object on error
- as_store_from_xml() operates on a UTF-8 string, so any embedded NULs would be invalid anyway
- /etc/pki/ is a cross-distro spec, no?
- /var/cache/app-info/xmls is specified in

[Bug 1536871] Re: [MIR] fwupd

2016-03-29 Thread Seth Arnold
Thanks again for the rapid feedback. It's nice to know that I jumped to an unreasonable conclusion. Now that I know to kill the fwupd process I've made more progress testing the failure modes but still find some lacking:
- Removing /etc/pki/fwupd or /etc/pki/fwupd-metadata results in nice error

[Bug 1536871] Re: [MIR] fwupd

2016-03-29 Thread Seth Arnold
Here's the other miscellaneous notes I've made so far:
- fu_keyring_setup() doesn't use gpgme_release() on gpg_set_protocol() failure
- fu_main_daemon_update_metadata() checks signature over an entire file but uses g_strndup() to copy it in memory; a file may use an embedded ASCII NUL to

[Bug 1536871] Re: [MIR] fwupd

2016-03-29 Thread Richard Hughes
Yes, also further to Mario's comment (you do need to restart the daemon) you also need to clear the persistent gpg2 keyring. I perhaps wasn't clear we're also using the persistent keyring store -- using commit https://github.com/hughsie/fwupd/commit/e4141f4f234d258424020069dadf8df39848a119 I see

Re: [Bug 1536871] Re: [MIR] fwupd

2016-03-28 Thread Mario Limonciello
Seth, Just to confirm, when you replaced those files did you also restart the fwupd process?
On Mon, Mar 28, 2016, 23:20 Seth Arnold <1536...@bugs.launchpad.net> wrote:
> Richard, Mario, thanks for the feedback, it's been helpful.
>
> I'm not sure that everything's hooked up correctly though --

[Bug 1536871] Re: [MIR] fwupd

2016-03-28 Thread Seth Arnold
Richard, Mario, thanks for the feedback, it's been helpful. I'm not sure that everything's hooked up correctly though -- when I replace both these files with my own GPG key and run fwupdmgr refresh I get no errors: /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service

[Bug 1536871] Re: [MIR] fwupd

2016-03-25 Thread Mario Limonciello
Seth, anything else you're looking for to finish your assessments? Just as a friendly reminder we're blocked on turning on firmware support in gnome-software (FFe bug 1544376) from this MIR. The FFe has been approved for turning on firmware support, but it would be highly desirable to bang on

[Bug 1536871] Re: [MIR] fwupd

2016-03-23 Thread Richard Hughes
Hi Seth,
Verification of the firmware LVFS metadata: https://github.com/hughsie/fwupd/blob/master/src/fu-main.c#L947 which then uses https://github.com/hughsie/fwupd/blob/master/src/fu-keyring.c#L340
Verification of the cab file: https://github.com/hughsie/fwupd/blob/master/src/fu-main.c#L495

[Bug 1536871] Re: [MIR] fwupd

2016-03-23 Thread Seth Arnold
Hi Richard, thanks for the reply. This is quite unusual but the demands on our time are growing and it'd help me immensely if you could aim me towards the methods that:
- verifies the firmware.xml.gz file
- verifies the contents of firmware.inf and firmware.metainfo.xml files within the cab

[Bug 1536871] Re: [MIR] fwupd

2016-03-19 Thread Mario Limonciello
Seth, Thanks for raising that early concern. I don't believe there is currently any enforcement of sha256. The LVFS metadata source that is configured by default (https://secure-lvfs.rhcloud.com/downloads/firmware.xml.gz) is also set to use sha1. I'll talk to upstream about sorting out

[Bug 1536871] Re: [MIR] fwupd

2016-03-19 Thread Seth Arnold
Thanks Mario, very helpful. I've found something else that worries me: The Linux Vendor Firmware Service re-packs a cab with a firmware, a detached signature, and some metadata. An example is at [1]. I haven't yet been able to find any chain of trust from a key to the cabfile to download. If the

[Bug 1536871] Re: [MIR] fwupd

2016-03-19 Thread Seth Arnold
Mario, this review is in progress. One point that worries me greatly is that fwupd appears to allow any hash to authenticate firmware files that are served over appstream and our appstream package appears to allow MD5 and SHA-1, neither of which are acceptable to authenticate firmware updates. If

[Bug 1536871] Re: [MIR] fwupd

2016-03-19 Thread Richard Hughes
Hi Seth, I'm the upstream of both fwupd and the LVFS. I wanted to point out a few things:
* We use a GPG detached signature of the firmware file itself to avoid being able to just C the signature between cab files
* I've reviewed (and fixed critical warning bugs) in libgcab, and have also fuzz

[Bug 1536871] Re: [MIR] fwupd

2016-03-19 Thread Mario Limonciello
Any more updates on this?

[Bug 1536871] Re: [MIR] fwupd

2016-03-18 Thread Richard Hughes
Also, if anyone wants a quick (well, 45 minute) overview of the whole thing my DevConf presentation was recorded: https://www.youtube.com/watch?v=7s2NhxEvwE0

[Bug 1536871] Re: [MIR] fwupd

2016-03-10 Thread Tyler Hicks
Seth has been working on this security review.
** Changed in: fwupd (Ubuntu)
Status: Confirmed => In Progress
** Changed in: fwupd (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => Seth Arnold (seth-arnold)

Re: [Bug 1536871] Re: [MIR] fwupd

2016-03-02 Thread Tyler Hicks
On 2016-03-02 17:53:17, Mario Limonciello wrote:
> Just wanted to check in on this security review for MIR. Is it still
> going to be done?
It is scheduled to start after the fwupdate MIR security review, which should begin today.

[Bug 1536871] Re: [MIR] fwupd

2016-03-02 Thread Mario Limonciello
Just wanted to check in on this security review for MIR. Is it still going to be done?

[Bug 1536871] Re: [MIR] fwupd

2016-02-11 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: fwupd (Ubuntu)
Status: New => Confirmed

[Bug 1536871] Re: [MIR] fwupd

2016-02-03 Thread Mathieu Trudel-Lapierre
There is still fwupdate and gcab not in universe. There is no team subscribed to the bugs for the package on Launchpad. There also appears to be some important bugs that could be fixed with the next upload for fwupd; in the Debian BTS. Also, tests currently don't appear to be run, although an

[Bug 1536871] Re: [MIR] fwupd

2016-01-28 Thread Mathieu Trudel-Lapierre
I'll review this MIR.
** Changed in: fwupd (Ubuntu)
Assignee: (unassigned) => Mathieu Trudel-Lapierre (mathieu-tl)

[Bug 1536871] Re: [MIR] fwupd

2016-01-26 Thread Robert Ancell
** Description changed: [Availability] In Universe [Rationale] Required for GNOME Software (MIR in bug 1536870). Firmware updating functionality is very desirable for OEMs / users. [Security] [Quality assurance] [Dependencies] - All dependencies in main. + All

[Bug 1536871] Re: [MIR] fwupd

2016-01-21 Thread Robert Ancell
** Description changed: [Availability] In Universe [Rationale] Required for GNOME Software (MIR in bug 1536870). Firmware updating functionality is very desirable for OEMs / users. [Security] [Quality assurance] [Dependencies] + All dependencies in main. [Standards