On 24.01.22 at 13:36, Bastian Germann wrote:
Control: retitle -1 ima-evm-utils: FTBFS because of the signature verification unit tests
Control: severity -1 serious

On Wed, 17 Nov 2021 10:35:05 +0100 Steffen Kothe wrote:
EVM signatures can be created with the option '--portable | -o ' to get rid of a hashing of i_version and fsuuid.

When files should be verified after a signing with '--portable' on the host, the tooling returns with "Verification failed" unless
the signing itself is correct.

The cause for this issue is a missing implementation for the probing
and verification of portable signatures.

A patch for this issue is already available in the official git source
of the ima-evm-utils tooling:

https://git.code.sf.net/p/linux-ima/ima-evm-utils
f4b901d081ec ("Add support for verifying portable EVM signatures")

The wrong checking of the signature format results in a false-positive error.

Note that this bug also affects version 1.3.2-2.1 provided
by Debian/SID https://packages.debian.org/sid/ima-evm-utils.

The official release 1.4 of the ima-evm-utils contains these fixes.

Version 1.4 was imported but still fails to build from scratch on buildd because the unit tests for that new feature do not run without gnutls-bin and softhsm2 installed as build dependencies. I did not catch that building my NMU in a clean sid chroot. I do not know why, it still builds in that chroot and claims two of the three tests to succeed with those packages uninstalled.

I cross built the package via dpkg-buildpackage --host-arch=armhf
on an x86 Buster host:

1 test skipped, 1 passed, 1 failed.

After some research, I figured out that the evmctl -engine pkcs11 flagging caused an error since the "libengine-pkcs11-openssl" seems not to be referenced properly in Build-depends:

After apt install libengine-pkcs11-openssl:arm64 on my host, test succeeded. Have to confirm this behavior on a clean native ARM64 target.

I guess somebody forgot the pkcs11 backend engine.

Same story for x86.


Kind Regards
--
Steffen Kothe
Linutronix GmbH | Bahnhofstrasse 3 | D-88690 Uhldingen-Mühlhofen
Phone: +49 7556 25 999 38; Fax.: +49 7556 25 999 99

Information on data privacy can be found here:
https://linutronix.de/kontakt/Datenschutz.php

Linutronix GmbH | Registered Office: Uhldingen-Mühlhofen |
Registration Court: Amtsgericht Freiburg i.Br., HRB700
806 | Managing Directors: Heinz Egger, Thomas Gleixner
