Hi Simon,

On Tue, 23 Jul 2024 11:15:00 +0200, Simon Beyer <be...@hiperscan.com> wrote:
> version 2.5 is apparently unable to process (some? - all my) SafeNet tokens,
> with online advice being to either downgrade to 2.4 or upgrade to 2.6:
> https://stackoverflow.com/a/78308879 . Unfortunately it would seem that
> right now there are no other versions but 2.5 available for Bookworm and
> installing those available on SID transitively requires several library
> versions themselves not (yet?) available on Bookworm.
> 
> Could you please provide a version 2.6+?
> 
>    * What led up to the situation?
> 
> Switching to Debian 12 and
> - osslsigncode 2.5-4
> - openssl 3.0.13-1~deb12u1
> - libp11-kit0 0.24.1-2
> - libengine-pkcs11-openssl 0.4.12-0.1
> 
> from Debian 10 and
> - osslsigncode 2.0+really2.5-4+deb10u1
> - openssl 1.1.1n-0+deb10u6
> - libp11-kit0 0.23.15-2+deb10u1
> - libengine-pkcs11-openssl 0.4.9-4
> 
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
> 
> This invocation works on Debian 10:
> 
> osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
>   -pkcs11module /usr/lib/libIDPrimePKCS11.so \
>   -pkcs11cert <certificate uri obtained from p11tool> \
>   -h sha2 \
>   -n <application name> \
>   -i <vendor url> \
>   -t <time server> \
>   -in <unsigned file> -out <signed file>
> 
> This invocation fails on Debian 12:
> 
> osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so \
>   -pkcs11module /usr/lib/libIDPrimePKCS11.so \
>   -pkcs11cert <certificate uri obtained from p11tool> \
>   -h sha2 \
>   -n <application name> \
>   -i <vendor url> \
>   -t <time server> \
>   -in <unsigned file> -out <signed file>
> 
> with error message
> 
> $ <invocation>
> bad engine id
> Failed to set 'dynamic' engine
> 40D912A3047F0000:error:1300006D:engine routines:dynamic_load:init failed:../crypto/engine/eng_dyn.c:514: Failed
> 
> To troubleshoot, I tried:
> - read certificates via p11tool to ascertain libp11-kit0 is not responsible
> (still works as in Debian 10)
> - find
> https://mta.openssl.org/pipermail/openssl-users/2024-July/017278.html ,
> downgrade to openssl 3.0.11 (no effect; reverted)
> - downgrade to libengine-pkcs11-openssl 0.4.9-4, which had
> engine-1.1/pkcs.so, that worked on Buster (failed: error was replaced with
> 'Failed to init crypto'; reverted)
> - find https://stackoverflow.com/a/78308879
> - add engine to openssl via
> https://github.com/OpenSC/libp11#using-the-engine-from-the-command-line ,
> test it via https://github.com/OpenSC/libp11#testing-the-engine-operation
> (fixed error "bad engine id")
>   - This step seems new - I checked /etc/ssl/openssl.cnf on Debian 10 and
> no such lines exist there, nor are they necessary. Feels like a regression
> to me, but nb.
> - check for additional versions at
> https://packages.debian.org/bookworm/osslsigncode (none available)
> - check for additional versions using 'sudo apt list --all-versions
> osslsigncode', including on bookworm-backports, bookworm-backports-sloppy
> (none available)
> - install osslsigncode_2.9-1_amd64.deb (failed: dependencies transitively
> require newer packages than available on Bookworm, not ready to open this
> can of... worms)
> 
>    * What was the outcome of this action?
> 
> I managed to eliminate one line of error, but now I am stuck.
> 
>    * What outcome did you expect instead?
> 
> It would be nice if some combination of Bookworm-available packages worked.
> I hope that, as long as Bookworm is supported, newer already-released
> versions of programs will keep arriving.

That’s not the way Debian stable releases work; once a release is published,
it only gets updates to fix critical bugs.

However, I will be able to provide an updated osslsigncode package through
https://backports.debian.org that you can install on your Debian 12 system.
I’ll take care of that in the next few days; the package will have to go
through further processing by the ftp team which may take some time. It’s not
clear to me whether that will actually fix your issue though — your Debian 10
system already had osslsigncode 2.5!

> Another nb.: I would expect the necessary packages to be listed as /
> similar to dependencies, e.g. evidently osslsigncode uses openssl and can
> fail from openssl misconfiguration, but it has no mention of openssl and
> only by blind internet search was I able to find whence the "bad engine id"
> came. packages.debian.org has e.g. relations 'Depends', 'Recommends',
> 'Suggests' to document soft dependencies like this. (Can I add to those
> myself? It is presumably a thankless task to keep them up-to-date.)

They are kept up-to-date... osslsigncode in Debian 12 has a strong dependency
on libssl3, which is OpenSSL.

Regards,

Stephen
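For reference, this is the shape of the OpenSSL configuration the reporter added to get past "bad engine id" (the libp11 README recipe linked above). It is an added illustration, not part of the bug report or of the Debian package; the two .so paths are the ones from the reporter's Debian 12 invocation, and the section names are the conventional ones from the libp11 README.

```ini
# Added example: register the libp11 "pkcs11" engine with OpenSSL 3 so that
# tools such as osslsigncode can load it by id. Put this in /etc/ssl/openssl.cnf
# (or a file named in OPENSSL_CONF). The top-level key must be the very first
# uncommented line of the file, before any [section].
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# Engine id "pkcs11" -> its own section below. This is the id that
# "-pkcs11engine" / "openssl engine pkcs11" looks up, and whose absence
# produced "bad engine id".
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Path taken from the reporter's Debian 12 command line (assumed installed
# by libengine-pkcs11-openssl).
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
# Vendor PKCS#11 module for the token, also from the reporter's command line.
MODULE_PATH = /usr/lib/libIDPrimePKCS11.so
# Do not initialise the engine at config-load time; let the caller do it.
init = 0
```

Verify the result with `openssl engine -t -c pkcs11`, which reports "[ available ]" when the engine loads. Note that engines are deprecated in OpenSSL 3 in favour of providers, so this configuration keeps legacy tooling working rather than being a long-term fix.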
