*** This bug is a security vulnerability ***

Public security bug reported:

I try to boot mokmanager. It fails to boot, as it's not signed with Canonical online key, chained to Canonical CA, which shim tries to validate and fails.

I see scary blue screen of death with validation errors.

  # sbverify --list /boot/efi/EFI/ubuntu/mmx64.efi
  warning: data remaining[1114272 vs 1269496]: gaps between PE/COFF sections?
  signature 1
  image signature issuers:
   - /C=US/L=SomeCity/O=SomeOrg
  image signature certificates:
   - subject: /C=US/L=SomeCity/O=SomeOrg/CN=shim
     issuer:  /C=US/L=SomeCity/O=SomeOrg

Shouldn't shim builds submit shix64.efi mmx64.efi for Canonical online key signing? Maybe as separate shim-canonical & shim-canonical-signed packages, which chain off src:shim? (since we can't easily rebuild shim)

** Affects: shim-signed (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: rls-gg-incoming

** Information type changed from Public to Public Security

** Tags added: rls-gg-incoming

** Summary changed:

- fail to launch mokmanager
+ fail to launch mokmanager - mmx64.efi is not signed?

https://bugs.launchpad.net/bugs/1880197

Title:
  fail to launch mokmanager - mmx64.efi is not signed?
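
The check the reporter did by eye, as an added example that is not part of the original report or of the shim or sbsigntool projects: it parses `sbverify --list` output and classifies an image by whether any signature issuer is in an expected set. The function names and the trusted-issuer DN are hypothetical placeholders; the sample input is the output quoted in the report.

```python
import re

# Output of `sbverify --list` as quoted in the bug report above.
REPORTED = """\
warning: data remaining[1114272 vs 1269496]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/L=SomeCity/O=SomeOrg
image signature certificates:
 - subject: /C=US/L=SomeCity/O=SomeOrg/CN=shim
   issuer:  /C=US/L=SomeCity/O=SomeOrg
"""

def parse_sbverify_list(text):
    """Return one dict per signature: index, issuers, (subject, issuer) certs."""
    sigs, section, subject = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"signature (\d+)", line)
        if m:
            sigs.append({"index": int(m.group(1)), "issuers": [], "certs": []})
            section = None
        elif line == "image signature issuers:":
            section = "issuers"
        elif line == "image signature certificates:":
            section = "certs"
        elif not sigs or section is None:
            continue  # warnings and anything before the first signature
        elif section == "issuers" and line.startswith("- "):
            sigs[-1]["issuers"].append(line[2:].strip())
        elif section == "certs" and line.startswith("- subject:"):
            subject = line.split(":", 1)[1].strip()
        elif section == "certs" and line.startswith("issuer:") and subject:
            sigs[-1]["certs"].append((subject, line.split(":", 1)[1].strip()))
            subject = None
    return sigs

def classify(text, trusted_issuers):
    """Triage by issuer name only; this is not a cryptographic verification."""
    sigs = parse_sbverify_list(text)
    if not sigs:
        return "unsigned"
    if any(set(s["issuers"]) & set(trusted_issuers) for s in sigs):
        return "trusted-issuer"
    return "untrusted-issuer"

if __name__ == "__main__":
    # Hypothetical placeholder DN; substitute the issuer your shim actually trusts.
    print(classify(REPORTED, {"/CN=EXAMPLE TRUSTED CA"}))
```

Matching on the issuer name only narrows down which binaries to look at; `sbverify --cert` with the CA certificate performs the actual signature verification.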