** Description changed: + We are going to SRU fwupd 1.7.5 to impish and focal to fix bug LP: #1949412. With update fwupd, the default config set OnlyTrusted=true + With that, we need update libjcat. + + + The firmware blobs in cabinet archive are presently LVFS signed with gpg and pkcs7, if libjcat at compilation time without one then the blobs signed with both can't be verified. Impact is fwupd daemon will fail the firmware install immediately because OnlyTrusted=true is defaulted (in fwupd 1.7.x) to verifying the signature for daemon. We need uprev libjcat at least 0.1.4 onward to fix this issue. Issue is reproducible with fwupd 1.7.4 -> https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd174 $ fwupdmgr --version client version: 1.7.4 compile-time dependency versions gusb: 0.3.4 daemon version: 1.7.4 $ dpkg -l | grep libjcat ii libjcat1:amd64 0.1.3-2 amd64 JSON catalog library
** Description changed: We are going to SRU fwupd 1.7.5 to impish and focal to fix bug LP: #1949412. With update fwupd, the default config set OnlyTrusted=true With that, we need update libjcat. + [Impact] + need to update libjcat so the recent firmware from lvfs could be installed + by fwupd. + + [Test Plan] + Will use fwupd SRU exception test plan to do those testing. + IHV vendor will also contribute by testing recent firmware that + can't be install without upgrade libjcat. + + [] The firmware blobs in cabinet archive are presently LVFS signed with gpg and pkcs7, if libjcat at compilation time without one then the blobs signed with both can't be verified. Impact is fwupd daemon will fail the firmware install immediately because OnlyTrusted=true is defaulted (in fwupd 1.7.x) to verifying the signature for daemon. We need uprev libjcat at least 0.1.4 onward to fix this issue. Issue is reproducible with fwupd 1.7.4 -> https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd174 $ fwupdmgr --version client version: 1.7.4 compile-time dependency versions gusb: 0.3.4 daemon version: 1.7.4 $ dpkg -l | grep libjcat ii libjcat1:amd64 0.1.3-2 amd64 JSON catalog library ** Description changed: We are going to SRU fwupd 1.7.5 to impish and focal to fix bug LP: #1949412. With update fwupd, the default config set OnlyTrusted=true With that, we need update libjcat. [Impact] need to update libjcat so the recent firmware from lvfs could be installed by fwupd. [Test Plan] Will use fwupd SRU exception test plan to do those testing. IHV vendor will also contribute by testing recent firmware that can't be install without upgrade libjcat. - [] + [Where problems could occur] + fwupd will crash, signature verification will failed and the can't + install firmware from LVFS. + + Given the test plan in the SRU exception document, plus IHV testing, + I think those shall be fine. + + [Other Info] + SRU exception page: https://wiki.ubuntu.com/firmware-updates + + ---- The firmware blobs in cabinet archive are presently LVFS signed with gpg and pkcs7, if libjcat at compilation time without one then the blobs signed with both can't be verified. Impact is fwupd daemon will fail the firmware install immediately because OnlyTrusted=true is defaulted (in fwupd 1.7.x) to verifying the signature for daemon. We need uprev libjcat at least 0.1.4 onward to fix this issue. Issue is reproducible with fwupd 1.7.4 -> https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd174 $ fwupdmgr --version client version: 1.7.4 compile-time dependency versions gusb: 0.3.4 daemon version: 1.7.4 $ dpkg -l | grep libjcat ii libjcat1:amd64 0.1.3-2 amd64 JSON catalog library -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1961864 Title: fwupd daemon failed verifying firmware signature To manage notifications about this bug go to: https://bugs.launchpad.net/oem-priority/+bug/1961864/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs