touch-packages team mailing list archive

Thread
Date

[Bug 1526959] Re: openssl 1.0.2e breaks sbsigntool

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Mathieu Trudel-Lapierre <mathieu.tl@xxxxxxxxx>
Date: Wed, 16 Dec 2015 21:32:47 -0000
Reply-to: Bug 1526959 <1526959@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Assigning the openssl task to mdeslaur; we've discussed this issue on
IRC.

** Changed in: sbsigntool (Ubuntu)
     Assignee: (unassigned) => Mathieu Trudel-Lapierre (mathieu-tl)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1526959

Title:
  openssl 1.0.2e breaks sbsigntool

Status in openssl package in Ubuntu:
  New
Status in sbsigntool package in Ubuntu:
  New

Bug description:
  Looks like sbsigntool now fails again to verify signed EFI binaries
  against a valid cert (and the signature is known to be valid).
  Reverting to 1.0.2d-0ubuntu2 lets it work again:

  [15:40:30] mtrudel@moloch:~u/shim-signed-1.12 $ sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
  warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
  PKCS7 verification failed
  140048473532048:error:21075076:PKCS7 routines:PKCS7_verify:content and data present:pk7_smime.c:280:
  Signature verification failed
  [15:50:03] mtrudel@moloch:~u/shim-signed-1.12 $ sudo dpkg -i ../openssl_1.0.2d-0ubuntu2_amd64.deb ../libssl1.0.0_1.0.2d-0ubuntu2_amd64.deb
  dpkg : avertissement : dégradation (« downgrade ») de openssl depuis 1.0.2e-1ubuntu1 vers 1.0.2d-0ubuntu2
  (Lecture de la base de données... 291770 fichiers et répertoires déjà installés.)
  Préparation du dépaquetage de .../openssl_1.0.2d-0ubuntu2_amd64.deb ...
  Dépaquetage de openssl (1.0.2d-0ubuntu2) sur (1.0.2e-1ubuntu1) ...
  dpkg : avertissement : dégradation (« downgrade ») de libssl1.0.0:amd64 depuis 1.0.2e-1ubuntu1 vers 1.0.2d-0ubuntu2
  Préparation du dépaquetage de .../libssl1.0.0_1.0.2d-0ubuntu2_amd64.deb ...
  Dépaquetage de libssl1.0.0:amd64 (1.0.2d-0ubuntu2) sur (1.0.2e-1ubuntu1) ...
  Paramétrage de libssl1.0.0:amd64 (1.0.2d-0ubuntu2) ...
  Paramétrage de openssl (1.0.2d-0ubuntu2) ...
  Traitement des actions différées (« triggers ») pour man-db (2.7.5-1) ...
  Traitement des actions différées (« triggers ») pour libc-bin (2.21-0ubuntu5) ...
  [15:50:18] mtrudel@moloch:~u/shim-signed-1.12 $ sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
  warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
  Signature verification OK

  We've hit a similar issue in the past; in lieue of
  sbsigntool/0.6-0ubuntu8:
  http://launchpadlibrarian.net/211726228/sbsigntool_0.6-0ubuntu7_0.6-0ubuntu8.diff.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1526959/+subscriptions

References

[Bug 1526959] [NEW] openssl 1.0.2e breaks sbsigntool
From: Mathieu Trudel-Lapierre, 2015-12-16