Public bug reported:

The sbsign utility generates invalid signatures when verified on MS Windows 7. I believe the issue is that sbsign doesn't hash the image properly.

Steps to reproduce:

=== GET A SUITABLE grubx64.efi FOR SIGNING ===

1. Install Ubuntu 15.10. Then install the latest sbsigntool package with dpkg -i: sbsigntool_0.6-0ubuntu10_amd64.deb

2. Run grub-install (note my grub packages are version 2.02~beta2-29ubuntu0.3):

sudo grub-install --no-uefi-secure-boot

=== GENERATE SIGNING KEY ===

3. Generate the db key for signing, like this. Note the extra configuration options which I found necessary to get a valid signature on Windows for HelloWorld.efi (e.g. basicConstraints).

SSLCFG="$(mktemp)"
cat > "$SSLCFG" << EOF
[req]
distinguished_name = reqdn
x509_extensions = reqx509
[reqdn]
[reqx509]
subjectKeyIdentifier = hash
# CA must be false because we are directly signing objects with this key:
basicConstraints = critical,CA:false
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=My Cert db/" \
    -days 3650 -nodes -sha256 -config "$SSLCFG" \
    -keyout db.key -out db.crt

=== SIGN GRUB ===

4. Sign the installed grub:

sudo sbsign --key db.key --cert db.crt --output grub-signed.efi /boot/efi/EFI/ubuntu/grubx64.efi

=== TEST THE SIGNATURE ON WINDOWS ===

5. Transfer the signed grub-signed.efi file to a Windows 7 SP1 computer. (Other versions are probably fine, but 7 is what I tested on.)

6. In Windows Explorer, right-click the file and click Properties. Go to the Digital Signatures tab. Open the signature. Notice that if we view the details it says "This digital signature is not valid", and if we view the certificate, it furthermore says "The digital signature of the object did not verify" - i.e. indicating that somebody has tampered with the EFI since it was signed (yet obviously not the case), as opposed to a cert that is untrusted for some reason.

7. We can vainly try to correct the issue by installing the cert into the root CA database: click "Install Certificate", choose "Place all certificates in the following store", and pick "Trusted Root Certification Authorities." After installing the cert, you need to completely close the file properties and then open them again. Normally, the certificate should now be "ok". However, Windows still says the signature is bad, with the same error as before.

8. Note that if we repeat the above procedure but sign the very simple HelloWorld.efi from the efitools package, the signature will check out OK on Windows once we install the cert as a trusted root in step 7. That's why I think it's an sbsigntool bug and not some mistake in my procedure.

I would assume this is a potential reason why many guides online like http://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot?page=0,1 say to use other tools like osslsigncode instead of sbsign if your system rejects the signed binary. Such a workaround indicates a malfunction in sbsign.

Interestingly enough, the official Ubuntu 15.10 binaries from e.g. the grub-efi-amd64-signed package have the same problem, whereas the Microsoft-signed binaries from shim-signed have no problems.

Note I haven't tested the signed binary on an actual UEFI system yet; the fact that Canonical-signed binaries boot on many systems w/out issue suggests that many UEFIs are not as strict as Windows when verifying the signature. However, something is clearly wrong with it, and in the future there could be UEFIs that reject these signatures.

As confirmation that the problem is with the signature, the above error message exactly matches this definition from WinError.h - BAD_DIGEST is a clear indication of the problem...

//
// MessageId: TRUST_E_BAD_DIGEST
//
// MessageText:
//
// The digital signature of the object did not verify.
//
#define TRUST_E_BAD_DIGEST _HRESULT_TYPEDEF_(0x80096010L)

** Affects: sbsigntool (Ubuntu)
     Importance: Undecided
         Status: New
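The report's hypothesis is that sbsign computes the Authenticode image digest incorrectly, which is exactly what TRUST_E_BAD_DIGEST means on the Windows side. The script below is an added example, not part of the bug report and not sbsigntools code; it computes the PE image digest the way Microsoft's Authenticode PE specification lays it out (skip the optional-header CheckSum field and the Certificate Table data-directory entry, hash sections in ascending PointerToRawData order, hash trailing data except the attribute certificate table, which the spec assumes sits at the end of the file). It also builds a minimal PE32+ image as constructed test input and checks that attaching a certificate table or changing the checksum leaves the digest unchanged. All function names, the sample image and the fake PKCS#7 blob are my own assumptions for this illustration.

```python
import hashlib
import struct
import sys


def authenticode_digest(image: bytes, algo: str = "sha256") -> bytes:
    """Digest of a PE image per the Authenticode PE specification.

    Excluded from the hash: the optional-header CheckSum field, the
    Certificate Table data-directory entry, and the attribute certificate
    table itself (assumed, as in the spec, to sit at the end of the file).
    """
    h = hashlib.new(algo)
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", image, opt)
    if magic == 0x20B:        # PE32+: data directories start at offset 112
        dd_base = opt + 112
    elif magic == 0x10B:      # PE32: data directories start at offset 96
        dd_base = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers, = struct.unpack_from("<I", image, opt + 60)
    checksum_off = opt + 64
    cert_entry_off = dd_base + 4 * 8          # data directory index 4 = certificate table
    _cert_off, cert_size = struct.unpack_from("<II", image, cert_entry_off)

    # Steps 1-3: headers up to SizeOfHeaders, with the two excluded ranges cut out.
    h.update(image[:checksum_off])
    h.update(image[checksum_off + 4:cert_entry_off])
    h.update(image[cert_entry_off + 8:size_of_headers])

    # Step 4: section raw data in PointerToRawData order; zero-size sections are skipped.
    sec_tbl = opt + opt_size
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", image, sec_tbl + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    bytes_hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(image[raw_ptr:raw_ptr + raw_size])
        bytes_hashed += raw_size

    # Step 5: any data after the last section, minus the certificate table at the end.
    trailing = len(image) - bytes_hashed - cert_size
    if trailing > 0:
        h.update(image[bytes_hashed:bytes_hashed + trailing])
    return h.digest()


def build_sample_pe(section_data: bytes, checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ EFI application with a single .text section (test input)."""
    file_align, e_lfanew, size_of_headers = 0x200, 0x80, 0x200
    hdr = bytearray(e_lfanew)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0"
    # COFF header: x86-64, one section, 240-byte PE32+ optional header, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    raw_size = -(-len(section_data) // file_align) * file_align
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x400000)                  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)       # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                  # CheckSum (not covered by the digest)
    struct.pack_into("<HH", opt, 68, 10, 0)                    # Subsystem 10 = EFI application
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    hdr += opt
    hdr += struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000, raw_size,
                       size_of_headers, 0, 0, 0, 0, 0x60000020)
    hdr += b"\0" * (size_of_headers - len(hdr))
    return bytes(hdr) + section_data + b"\0" * (raw_size - len(section_data))


def attach_cert_table(image: bytes, signature_blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE (revision 2.0, PKCS_SIGNED_DATA) and point directory entry 4 at it."""
    table = struct.pack("<IHH", 8 + len(signature_blob), 0x0200, 0x0002) + signature_blob
    table += b"\0" * (-len(table) % 8)                         # 8-byte alignment required by the spec
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 4 + 20
    magic, = struct.unpack_from("<H", image, opt)
    dd_base = opt + (112 if magic == 0x20B else 96)
    out = bytearray(image)
    struct.pack_into("<II", out, dd_base + 32, len(image), len(table))
    return bytes(out) + table


if __name__ == "__main__":
    if len(sys.argv) > 1:                                      # e.g. a signed grubx64.efi
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                                                      # constructed sample with a fake signature blob
        data = attach_cert_table(build_sample_pe(b"constructed EFI payload"), b"fake PKCS#7 blob")
    print(authenticode_digest(data).hex())
```

Run against a signed binary, the printed digest is the value a verifier compares with the messageDigest carried inside the signature's SpcIndirectDataContent; extracting the WIN_CERTIFICATE payload and dumping it with openssl asn1parse -inform DER lets you see the embedded digest and check whether the two agree, which separates a hashing defect from an untrusted certificate.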
https://bugs.launchpad.net/bugs/1551629

Title: sbsign generates invalid grub signatures