This bug was fixed in the package sbsigntool - 0.6-0ubuntu10

---------------
sbsigntool (0.6-0ubuntu10) xenial; urgency=medium

  * debian/patches/sbverify_clear_out_cert_content.patch: clear out the
    contents part of the certificate we're building for signature
    verification from the EFI binary, in sbverify; OpenSSL 1.0.2e now
    enforces that there isn't data and content sections together. Thanks to
    Marc Deslauriers for help investigating this. (LP: #1526959)

 -- Mathieu Trudel-Lapierre <mathieu...@ubuntu.com>  Thu, 17 Dec 2015 14:55:09 -0500

** Changed in: sbsigntool (Ubuntu)
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1526959

Title:
  openssl 1.0.2e breaks sbsigntool

Status in openssl package in Ubuntu:
  Incomplete
Status in sbsigntool package in Ubuntu:
  Fix Released

Bug description:
  Looks like sbsigntool now fails again to verify signed EFI binaries
  against a valid cert (and the signature is known to be valid).

  Reverting to 1.0.2d-0ubuntu2 lets it work again:

  [15:40:30] mtrudel@moloch:~u/shim-signed-1.12 $ sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
  warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
  PKCS7 verification failed
  140048473532048:error:21075076:PKCS7 routines:PKCS7_verify:content and data present:pk7_smime.c:280:
  Signature verification failed
  [15:50:03] mtrudel@moloch:~u/shim-signed-1.12 $ sudo dpkg -i ../openssl_1.0.2d-0ubuntu2_amd64.deb ../libssl1.0.0_1.0.2d-0ubuntu2_amd64.deb
  dpkg : avertissement : dégradation (« downgrade ») de openssl depuis 1.0.2e-1ubuntu1 vers 1.0.2d-0ubuntu2
  (Lecture de la base de données... 291770 fichiers et répertoires déjà installés.)
  Préparation du dépaquetage de .../openssl_1.0.2d-0ubuntu2_amd64.deb ...
  Dépaquetage de openssl (1.0.2d-0ubuntu2) sur (1.0.2e-1ubuntu1) ...
  dpkg : avertissement : dégradation (« downgrade ») de libssl1.0.0:amd64 depuis 1.0.2e-1ubuntu1 vers 1.0.2d-0ubuntu2
  Préparation du dépaquetage de .../libssl1.0.0_1.0.2d-0ubuntu2_amd64.deb ...
  Dépaquetage de libssl1.0.0:amd64 (1.0.2d-0ubuntu2) sur (1.0.2e-1ubuntu1) ...
  Paramétrage de libssl1.0.0:amd64 (1.0.2d-0ubuntu2) ...
  Paramétrage de openssl (1.0.2d-0ubuntu2) ...
  Traitement des actions différées (« triggers ») pour man-db (2.7.5-1) ...
  Traitement des actions différées (« triggers ») pour libc-bin (2.21-0ubuntu5) ...
  [15:50:18] mtrudel@moloch:~u/shim-signed-1.12 $ sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
  warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
  Signature verification OK

  We've hit a similar issue in the past; in lieu of
  sbsigntool/0.6-0ubuntu8:

  http://launchpadlibrarian.net/211726228/sbsigntool_0.6-0ubuntu7_0.6-0ubuntu8.diff.gz
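
The rule named in the changelog entry, as an added example (not sbsigntool or OpenSSL code): a small DER walker that reports whether a PKCS#7 SignedData carries embedded content, and a hypothetical verify_precheck that models the "content and data present" rejection when external data is also supplied. The build_signed_data helper and the structures it produces are constructed for illustration and are unsigned.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def tlv(tag, body):  # encode one DER tag-length-value (definite length)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def children(buf):
    """Split the body of a constructed DER value into (tag, body) pairs."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER value")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def has_embedded_content(p7_der):
    """True if SignedData's inner ContentInfo carries the optional [0] content."""
    (_, outer), = children(p7_der)
    oid, wrapped = children(outer)
    if oid != (0x06, OID_SIGNED_DATA):
        raise ValueError("not a PKCS#7 SignedData")
    (_, signed_data), = children(wrapped[1])
    inner = children(signed_data)[2]  # version, digestAlgorithms, contentInfo
    return any(tag == 0xA0 for tag, _ in children(inner[1]))

def verify_precheck(p7_der, external_data):
    """Hypothetical model of the rule: embedded content + external data fails."""
    if external_data is not None and has_embedded_content(p7_der):
        return "content and data present"
    return "ok"

def build_signed_data(content=None):
    """Constructed, unsigned SignedData skeleton with or without content."""
    inner = tlv(0x06, OID_DATA)
    if content is not None:
        inner += tlv(0xA0, tlv(0x04, content))
    sd = tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, inner) + tlv(0x31, b"")
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, sd)))
```

A verifier that passes the image bytes separately has to present a structure for which has_embedded_content is false, which is what clearing the content before verification achieves.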