** Description changed:

+ [Impact]
+ Validating signature using sbsigntool for EFI binaries on Precise and Trusty.
+
+ [Test case]
+ 1) pull-lp-source shim-signed
+ 2) sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
+
+ [Regression potential]
+ Complex signing scenarios may pass validation when they should not due to the unavailability of the issuer cert; but I can't think of a specific case where this might happen.
+
+ ---
+
  An upload of shim-signed with no source changes is now failing to build in wily, because sbverify fails:

- sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
- warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
- PKCS7 verification failed
- 139919811188368:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:328:Verify error:unable to get issuer certificate
- Signature verification failed
+ sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim.efi.signed
+ warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
+ PKCS7 verification failed
+ 139919811188368:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:328:Verify error:unable to get issuer certificate
+ Signature verification failed

  (https://launchpad.net/ubuntu/+source/shim-signed/1.10/+build/7652431)

  The package builds successfully on vivid but fails on wily. sbsigntool has not changed since vivid. Upgrading to the wily version of libssl1.0.0 in a vivid chroot reproduces the failure.

  I'm not sure if this is a regression in libssl1.0.0 or a bug in sbsigntool.
--
https://bugs.launchpad.net/bugs/1474541

Title:
  sbsigntool broken by update to openssl 1.0.2c