sbsigntool broken by update to openssl 1.0.2c

Bug #1474541 reported by Steve Langasek
Affects               Status        Importance  Assigned to              Milestone
sbsigntool (Ubuntu)   Fix Released  High        Steve Langasek
  Precise             Fix Released  High        Mathieu Trudel-Lapierre
  Trusty              Fix Released  High        Mathieu Trudel-Lapierre
  Wily                Fix Released  High        Steve Langasek

Bug Description

[Impact]
Validating signatures using sbsigntool for EFI binaries on Precise and Trusty.

[Test case]
1) pull-lp-source shim-signed
2) sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed

[Regression potential]
Complex signing scenarios may pass validation when they should not due to the unavailability of the issuer cert; but I can't think of a specific case where this might happen.

---

An upload of shim-signed with no source changes is now failing to build in wily, because sbverify fails:

  sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
  warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
  PKCS7 verification failed
  139919811188368:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:328:Verify error:unable to get issuer certificate
  Signature verification failed

(https://launchpad.net/ubuntu/+source/shim-signed/1.10/+build/7652431)

The package builds successfully on vivid but fails on wily. sbsigntool has not changed since vivid. Upgrading to the wily version of libssl1.0.0 in a vivid chroot reproduces the failure.

I'm not sure if this is a regression in libssl1.0.0 or a bug in sbsigntool.

Revision history for this message
Steve Langasek (vorlon) wrote :

The last successful build in wily was with 1.0.2a-1ubuntu1 (https://launchpad.net/ubuntu/+source/shim-signed/1.9/+build/7518442).

Changed in openssl (Ubuntu):
importance: Undecided → High
Changed in sbsigntool (Ubuntu):
importance: Undecided → High
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Issue is caused by alternate certificate chains support introduced in 1.0.2b returning a slightly different error.
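
The failure in this report, reproduced with plain openssl(1) on a constructed three-level chain, as an added example that is not part of the bug report or of sbsigntool: a self-signed root, an intermediate standing in for the Microsoft UEFI CA certificate that sbverify is given with --cert, and a signing key standing in for the shim signing key. All names, the payload and the file names are made up here, and the script assumes openssl 1.0.2 or newer on PATH plus a usable default openssl.cnf (which `openssl req` needs). Verifying with only the intermediate as the trusted certificate fails with the same "unable to get issuer certificate" error as the sbverify run above: since the 1.0.2b chain-building changes, a chain that ends at a trusted certificate whose own issuer cannot be found is reported with that code instead of the error older releases gave. The -partial_chain verify option makes OpenSSL accept such a certificate as a trust anchor, which is the case the patched sbverify handles for certificates passed via --cert (the changelog entries below describe it as handling the case where the issuer certificate cannot be fetched).

```shell
#!/bin/sh
# Added example, not code from the bug report or from sbsigntool.
# Builds a constructed chain root -> intermediate -> signer, signs a
# constructed payload with the signer key (PKCS#7 with the intermediate
# embedded, as a signed shim.efi carries its chain), then verifies it
# three ways. Assumes openssl(1) 1.0.2 or newer and a default openssl.cnf.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create the constructed keys, certificates and signed payload.
make_chain() {
    # Self-signed root; the default openssl.cnf v3_ca section marks it CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=ConstructedRoot \
        -keyout root.key -out root.crt 2>/dev/null
    # Intermediate CA signed by the root (stand-in for the --cert given to sbverify).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=ConstructedIntermediateCA \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.ext -out inter.crt 2>/dev/null
    # End-entity signing certificate issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=ConstructedSigner \
        -keyout signer.key -out signer.csr 2>/dev/null
    openssl x509 -req -in signer.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 30 -out signer.crt 2>/dev/null
    # Constructed payload and its PKCS#7 signature; -certfile embeds the
    # intermediate in the signature the way a signed EFI binary carries its chain.
    printf 'constructed payload standing in for shim.efi\n' > payload.bin
    openssl smime -sign -binary -nodetach -in payload.bin -signer signer.crt \
        -inkey signer.key -certfile inter.crt -outform PEM -out payload.p7 2>/dev/null
}

# verify_signature TRUSTED_CERT [extra verify options]
# Returns 0 when OpenSSL accepts the signature with TRUSTED_CERT as the only
# trusted certificate, 1 otherwise; the OpenSSL verify error is left in verify.err.
verify_signature() {
    cafile=$1
    shift
    if openssl smime -verify -in payload.p7 -inform PEM -CAfile "$cafile" "$@" \
            -out /dev/null 2>verify.err; then
        echo "ok:   -CAfile $cafile $*"
        return 0
    fi
    echo "FAIL: -CAfile $cafile $* -> $(grep -o 'Verify error:.*' verify.err | head -n 1)"
    return 1
}

make_chain
# 1. Full chain available: the embedded intermediate links the signer to the trusted root.
verify_signature root.crt
# 2. Only the intermediate is trusted and its issuer is nowhere to be found; since
#    OpenSSL 1.0.2b this is reported as "unable to get issuer certificate".
verify_signature inter.crt || true
# 3. -partial_chain lets a non-self-signed trusted certificate terminate the chain,
#    which is the treatment the patched sbverify gives certificates passed via --cert.
verify_signature inter.crt -partial_chain
```

The second run prints the exact verify error quoted in the build log; the third succeeds. The caveat that goes with the fix matches the regression-potential note in the description: a certificate accepted this way is a trust anchor in its own right, so sbverify --cert (like -CAfile with -partial_chain) should only ever be given certificates you intend to trust directly, never an arbitrary intermediate pulled out of the binary being checked.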

Steve Langasek (vorlon)
Changed in openssl (Ubuntu Wily):
status: New → Invalid
Changed in sbsigntool (Ubuntu Wily):
status: New → In Progress
assignee: nobody → Steve Langasek (vorlon)
tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.6-0ubuntu8

---------------
sbsigntool (0.6-0ubuntu8) wily; urgency=medium

  * debian/patches/0001-Support-openssl-1.0.2b-and-above.patch: [PATCH]
    Support openssl 1.0.2b and above. Thanks to Marc Deslauriers
    <email address hidden>. LP: #1474541.

 -- Steve Langasek <email address hidden> Wed, 15 Jul 2015 08:57:46 -0700

Changed in sbsigntool (Ubuntu Wily):
status: In Progress → Fix Released
Changed in sbsigntool (Ubuntu Trusty):
status: New → In Progress
Changed in sbsigntool (Ubuntu Precise):
status: New → In Progress
description: updated
Changed in openssl (Ubuntu Precise):
status: New → Invalid
Changed in openssl (Ubuntu Trusty):
status: New → Invalid
Changed in sbsigntool (Ubuntu Precise):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in sbsigntool (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in sbsigntool (Ubuntu Precise):
importance: Undecided → High
Changed in sbsigntool (Ubuntu Trusty):
importance: Undecided → High
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted sbsigntool into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu7.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sbsigntool (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in sbsigntool (Ubuntu Precise):
status: In Progress → Fix Committed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted sbsigntool into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu4~12.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Mathew Hodson (mhodson)
no longer affects: openssl (Ubuntu)
no longer affects: openssl (Ubuntu Wily)
no longer affects: openssl (Ubuntu Trusty)
no longer affects: openssl (Ubuntu Precise)
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verified sbsigntool on *precise*; sbsigntool builds and the utilities work correctly.

tags: added: verification-done-precise
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verified sbsigntool for *trusty* as well; all looks good.

tags: added: verification-done verification-done-trusty
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.6-0ubuntu4~12.04.2

---------------
sbsigntool (0.6-0ubuntu4~12.04.2) precise; urgency=medium

  * debian/patches/0001-Support-openssl-1.0.2b-and-above.patch: handle the
    case where we can't get the issuer certificate, which typically happens
    after 1.0.2b; but it appears that 1.0.1f includes that check too, which
    fails in sbsigntool. (LP: #1474541)
  * debian/patches/ignore-certificate-expiries.patch: ignore certificate
    expiries when verifying signatures. (LP: #1234649)

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 24 May 2016 14:41:24 -0400

Changed in sbsigntool (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote : Update Released

The verification of the Stable Release Update for sbsigntool has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.6-0ubuntu7.2

---------------
sbsigntool (0.6-0ubuntu7.2) trusty; urgency=medium

  * debian/patches/0001-Support-openssl-1.0.2b-and-above.patch: handle the
    case where we can't get the issuer certificate, which typically happens
    after 1.0.2b; but it appears that 1.0.1f includes that check too, which
    fails in sbsigntool. (LP: #1474541)

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 24 May 2016 14:24:45 -0400

Changed in sbsigntool (Ubuntu Trusty):
status: Fix Committed → Fix Released