This bug was fixed in the package sbsigntool - 0.9.2-2ubuntu1~18.04.1
---
sbsigntool (0.9.2-2ubuntu1~18.04.1) bionic; urgency=medium
* No-change backport to bionic:
- fix alignment of binaries and thus correct hash calculation LP:
#1921387
sbsigntool (0.9.2-2ubuntu1) eoan;
So shim upstream has changed how sections are ordered now, such that in
shim 15.4 can now be signed by either old or new sbsigntool, and it
verifies correctly in either case.
However, I still think it is a good idea to upgrade to the better
sbsigntool to correctly sign even the odd looking binarie
Do we need to do anything in Launchpad other than making sure that the
relevant machines are upgraded to the latest sbsigntool?
** Project changed: launchpad => lp-signing
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.l
Verifying existing binaries with new sbsigntool:
# wget
http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/fwupdate-amd64/current/fwupx64.efi.signed
# wget
http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/fwupdate-amd64/current/control/uefi.crt
# sbverify --cert ./uefi.crt ./fwupx64.
# wget
https://launchpad.net/ubuntu/+source/sbsigntool/0.9.2-2ubuntu1~18.04.1/+build/21207939/+files/sbsigntool_0.9.2-2ubuntu1~18.04.1_amd64.deb
# apt install ./sbsigntool_0.9.2-2ubuntu1~18.04.1_amd64.deb
# dpkg-query -W sbsigntool
sbsigntool 0.9.2-2ubuntu1~18.04.1
# sbverify --cert 15.3-0u
# dpkg-query -W sbsigntool
sbsigntool 0.6-3.2ubuntu2
# sbverify --cert 15.3-0ubuntu1~ppa1/control/uefi.crt
15.3-0ubuntu1~ppa1/shimaa64.efi.signed
warning: gap in section table:
.data : 0x0007f000 - 0x000b3800,
.sbat : 0x000b4000 - 0x000b5000,
gaps in the section table may result
Hello Dimitri, or anyone else affected,
Accepted sbsigntool into bionic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/sbsigntool/0.9.2-2ubuntu1~18.04.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package.
Also good to check that existing bionic x64 binaries still verify
correctly. I.e. grub / kernel.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921387
Title:
launchpad signing shimaa64.efi fails to
** Description changed:
[Impact]
* Calculating the hash of the binary is ill defined if there are gaps
in sections, or sections are not aligned to ensure that signature table
is aligned.
* This results in sbsign/sbverify to calculate incorrect hash when
there are gaps, such as
** Description changed:
[Impact]
* Calculating the hash of the binary is ill defined if there are gaps
in sections, or sections are not aligned to ensure that signature table
is aligned.
* This results in sbsign/sbverify to calculate incorrect hash when
there are gaps, such as
** Description changed:
- launchpad signing shimaa64.efi fails to validate
+ [Impact]
+
+ * Calculating the hash of the binary is ill defined if there are gaps
+ in sections, or sections are not aligned to ensure that signature table
+ is aligned.
+
+ * This results in sbsign/sbverify to calcu
11 matches
Mail list logo
