On Fri, Feb 08, 2019 at 09:19:01PM +0000, Santiago Vila wrote:
>Package: src:shim-signed
>Version: 1.28+nmu1
>Severity: serious
>Tags: ftbfs
>
>Dear maintainer:
>
>I tried to build this package in buster but it failed:
>
>--------------------------------------------------------------------------------
>[...]
> debian/rules build-arch
>dh build-arch
>   dh_update_autotools_config -a
>   dh_auto_configure -a
>   dh_auto_build -a
>       make -j1
>make[1]: Entering directory '/<<BUILDDIR>>/shim-signed-1.28+nmu1'
>make[1]: Nothing to be done for 'all'.
>make[1]: Leaving directory '/<<BUILDDIR>>/shim-signed-1.28+nmu1'
>   dh_auto_test -a
>       make -j1 check
>make[1]: Entering directory '/<<BUILDDIR>>/shim-signed-1.28+nmu1'
>mkdir -p build
># Verifying that the image is signed with the correct key.
>sbverify --cert MicCorUEFCA2011_2011-06-27.crt shimx64.efi.signed
>warning: data remaining[1044456 vs 1169528]: gaps between PE/COFF sections?
>Signature verification OK
># Verifying that we have the correct binary.
>sbattach --detach build/detached-sig shimx64.efi.signed 
>warning: data remaining[1044456 vs 1169528]: gaps between PE/COFF sections?
>cp /usr/lib/shim/shimx64.efi build/shimx64.efi.signed
>sbattach --attach build/detached-sig build/shimx64.efi.signed
>warning: data remaining[1035776 vs 1160847]: gaps between PE/COFF sections?
>warning: data remaining[1035776 vs 1160848]: gaps between PE/COFF sections?
>Signing Unsigned original image
>cmp shimx64.efi.signed build/shimx64.efi.signed
>shimx64.efi.signed build/shimx64.efi.signed differ: char 217, line 2
>make[1]: *** [Makefile:11: check] Error 1
>make[1]: Leaving directory '/<<BUILDDIR>>/shim-signed-1.28+nmu1'
>dh_auto_test: make -j1 check returned exit code 2
>make: *** [debian/rules:7: build-arch] Error 2
>dpkg-buildpackage: error: debian/rules build-arch subprocess returned exit status 2
>--------------------------------------------------------------------------------
>
>(The above is just how the build ends and not necessarily the most relevant part)
>
>The build was made in my autobuilder with "dpkg-buildpackage -B"
>and it also fails here:
>
>https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/shim-signed.html
>
>where you can get a full build log if you need it.

This is a known feature of the versions of the sbsigntool utilities we
used. :-(

We *cannot* fix this bug directly at the moment by changing the older
version of shim we're using for now, as that would break the Microsoft
signature.

I've just uploaded a new shim which is reproducible, so that should
*hopefully* cause this bug to be fixed before buster release if we get
the new version signed in time.

For now, I've asked a friendly local release team person to tag this
so we don't get removed before then.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
Welcome my son, welcome to the machine.
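
The `cmp` step in the quoted build log reports only a 1-based byte position. As an added example (not part of the original messages or of the shim-signed packaging), this Python helper maps such a position to the PE32+ header field it falls in. The sample headers are constructed, and their `e_lfanew` of 0x80 is an assumption, not a value read from shimx64.efi.

```python
import struct

# PE32+ optional-header fields: (name, offset within optional header, size).
# Offsets follow the PE/COFF specification; the list is partial.
FIELDS = [("Magic", 0, 2), ("AddressOfEntryPoint", 16, 4), ("ImageBase", 24, 8),
          ("SizeOfImage", 56, 4), ("SizeOfHeaders", 60, 4), ("CheckSum", 64, 4),
          ("Subsystem", 68, 2), ("CertificateTable directory entry", 144, 8)]

def first_diff(a: bytes, b: bytes):
    """1-based position of the first differing byte (as cmp reports), or None."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i + 1
    return None if len(a) == len(b) else min(len(a), len(b)) + 1

def pe_field_at(image: bytes, pos: int) -> str:
    """Name the PE32+ header region that contains 1-based byte position pos."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24          # 4-byte signature + 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    off = pos - 1
    if off < e_lfanew:
        return "DOS header/stub"
    if off < opt:
        return "PE signature/COFF header"
    for name, start, size in FIELDS:
        if opt + start <= off < opt + start + size:
            return "optional header: " + name
    return "unmapped offset 0x%x" % off

def make_header(checksum: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a loadable image."""
    img = bytearray(e_lfanew + 24 + 240)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 24, 0x20B)
    struct.pack_into("<I", img, e_lfanew + 24 + 64, checksum)
    return bytes(img)

if __name__ == "__main__":
    a, b = make_header(0x11111111), make_header(0x22222222)
    pos = first_diff(a, b)
    print(pos, pe_field_at(a, pos))
```

On real files, read both images with `open(path, "rb").read()` and pass them to `first_diff` and `pe_field_at`; the helper reads `e_lfanew` from the image itself.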
