
Verifying signatures on our -signed binaries



Hi!

I've written a trivial script locally to walk through the archive and
verify the signatures on our signed binaries using sbverify. I'll
publish it if there's any interest - just ask.

I've just run it now and it's *mostly* showing what I'd expect:

----------------------------

jack:~$ ~/bin/efi-verify-sigs
Checking fwupd-i386-signed_1.1.4+1_i386.deb:
  Valid signature on ./usr/lib/fwupd/efi/fwupdia32.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
Checking fwupdate-amd64-signed_12+3_amd64.deb:
  Valid signature on ./usr/lib/fwupdate/fwupx64.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
Checking fwupd-arm64-signed_1.1.4+1_arm64.deb:
  Valid signature on ./usr/lib/fwupd/efi/fwupdaa64.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
Checking fwupdate-i386-signed_12+3_i386.deb:
  Valid signature on ./usr/lib/fwupdate/fwupia32.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
Checking fwupd-amd64-signed_1.1.4+1_amd64.deb:
  Valid signature on ./usr/lib/fwupd/efi/fwupdx64.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
Checking fwupdate-arm64-signed_12+3_arm64.deb:
  Valid signature on ./usr/lib/fwupdate/fwupaa64.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
Checking fwupdate-armhf-signed_12+3_armhf.deb:
  ERROR: Can't verify any signature on ./usr/lib/fwupdate/fwuparm.efi.signed
Checking fwupd-armhf-signed_1.1.4+1_armhf.deb:
  Valid signature on ./usr/lib/fwupd/efi/fwupdarm.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
Checking shim-signed_1.28+nmu1+0.9+1474479173.6c180c6-1_amd64.deb:
  Valid signature on ./usr/lib/shim/shimx64.efi.signed
  Signed by microsoft-uefica-public.crt
Checking grub-efi-ia32-signed_1+2.02+dfsg1+10_i386.deb:
  Valid signature on ./usr/lib/grub/i386-efi-signed/grubia32.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
  Valid signature on ./usr/lib/grub/i386-efi-signed/gcdia32.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
  Valid signature on ./usr/lib/grub/i386-efi-signed/grubnetia32.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
Checking grub-efi-arm64-signed_1+2.02+dfsg1+10_arm64.deb:
  Valid signature on ./usr/lib/grub/arm64-efi-signed/grubaa64.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
  Valid signature on ./usr/lib/grub/arm64-efi-signed/grubnetaa64.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
  Valid signature on ./usr/lib/grub/arm64-efi-signed/gcdaa64.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
Checking grub-efi-amd64-signed_1+2.02+dfsg1+10_amd64.deb:
  Valid signature on ./usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
  Valid signature on ./usr/lib/grub/x86_64-efi-signed/grubnetx64.efi.signed
  Signed by TEST-debian-lfaraone-key.crt
  Valid signature on ./usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed
  Signed by TEST-debian-lfaraone-key.crt

----------------------------

Clearly, we want to shift from using Luke's test key to our proper
key. That's expected and not a problem.

HOWEVER, there is a real problem here with the fwupdate-armhf-signed
package. I've extracted it and looked in more detail and I'm seeing:

jack:~/tmp/efi-fwupdate$ sbverify --no-verify usr/lib/fwupdate/fwuparm.efi.signed
warning: data remaining[45512 vs 46768]: gaps between PE/COFF sections?
Hash doesn't match image
 got:       bff3131aa61a29fc9b1f6c237f83701ee7f175b5532b4101d174bf8b17ad3eca
 expecting: 5604ebf4b0b68ce9be1dfa5fb991cdf14670cb63b60e034baf18620588fe198d
Signature verification failed

What's happened here?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"We're the technical experts.  We were hired so that management could
 ignore our recommendations and tell us how to do our jobs."  -- Mike Andrews


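Steve's efi-verify-sigs script is not published in the message above, so what follows is an added sketch of the same check, written for this page rather than taken from Steve or from Debian. It walks a directory of *-signed_*.deb packages, extracts each one with dpkg-deb, and runs sbverify (from sbsigntool) on every *.efi.signed it finds, trying each certificate in a directory in turn; when no certificate validates an image it also runs sbverify --list and sbverify --no-verify, which is the hash-mismatch detail Steve pulled out by hand for fwuparm.efi.signed. The $HOME/efi-certs location, the function names and the packaging of the certificates as *.crt files are assumptions; the certificate names on the page are only examples of what would live there. The output classifier works on sbverify's text, so it can be exercised on the constructed sample below without the tools installed.

```shell
#!/bin/sh
# Added example, not Steve's unpublished efi-verify-sigs script and not Debian code.
# Walks a directory of *-signed_*.deb packages, extracts each one, and runs
# sbverify (from sbsigntool) on every *.efi.signed inside, trying each candidate
# certificate in turn.  Assumed: dpkg-deb and sbverify are installed and the
# candidate certificates live as *.crt files in $CERT_DIR (default $HOME/efi-certs,
# an assumed location; the page's certificate names are examples of its contents).
CERT_DIR="${CERT_DIR:-$HOME/efi-certs}"

# Constructed sample: the sbverify output quoted on the page for fwuparm.efi.signed,
# used to show what the classifier does with a hash mismatch.
SAMPLE_FWUPARM_OUTPUT="warning: data remaining[45512 vs 46768]: gaps between PE/COFF sections?
Hash doesn't match image
 got:       bff3131aa61a29fc9b1f6c237f83701ee7f175b5532b4101d174bf8b17ad3eca
 expecting: 5604ebf4b0b68ce9be1dfa5fb991cdf14670cb63b60e034baf18620588fe198d
Signature verification failed"

# classify_sbverify_output: reduce sbverify's combined stdout/stderr (on stdin)
# to one word so the caller can tell the interesting failure modes apart:
#   ok            - sbverify printed "Signature verification OK"
#   hash-mismatch - a signature is present but its hash does not cover this
#                   image (the fwuparm case above)
#   fail          - anything else, e.g. no signature or an unknown signer
classify_sbverify_output() {
    out=$(cat)
    case "$out" in
        *"Signature verification OK"*) echo ok ;;
        *"Hash doesn't match image"*)  echo hash-mismatch ;;
        *)                             echo fail ;;
    esac
}

# verify_image: try every certificate in $CERT_DIR against one image.  Prints the
# same two lines as the listing above on success; on failure prints the ERROR
# line, then the embedded signature list and the --no-verify hash check.
# Returns 0 only when some certificate validates the image.
verify_image() {
    image="$1"
    for cert in "$CERT_DIR"/*.crt; do
        [ -e "$cert" ] || break          # no certificates at all: fall through
        result=$(sbverify --cert "$cert" "$image" 2>&1 | classify_sbverify_output)
        if [ "$result" = ok ]; then
            echo "  Valid signature on $image"
            echo "  Signed by $(basename "$cert")"
            return 0
        fi
    done
    echo "  ERROR: Can't verify any signature on $image"
    sbverify --list "$image" 2>&1 | sed 's/^/    /'
    sbverify --no-verify "$image" 2>&1 | sed 's/^/    /'
    return 1
}

# check_deb: extract one .deb into a scratch directory and verify every
# *.efi.signed it ships.  Paths are reported relative to the package root, as in
# the listing above.  Returns non-zero if any image in the package failed.
check_deb() {
    deb="$1"
    tmp=$(mktemp -d) || return 1
    echo "Checking $(basename "$deb"):"
    dpkg-deb -x "$deb" "$tmp" || { rm -rf "$tmp"; return 1; }
    rc=0
    for rel in $(cd "$tmp" && find . -type f -name '*.efi.signed' | sort); do
        (cd "$tmp" && verify_image "$rel") || rc=1
    done
    rm -rf "$tmp"
    return $rc
}

# main: check every *-signed_*.deb in the given directory (default: current).
main() {
    dir="${1:-.}"
    failed=0
    for deb in "$dir"/*-signed_*.deb; do
        [ -e "$deb" ] || { echo "no *-signed_*.deb packages in $dir" >&2; return 2; }
        check_deb "$deb" || failed=1
    done
    return $failed
}

# Run only when given an archive directory, so the file can also be sourced.
if [ $# -ge 1 ]; then
    main "$1"
fi
```

Run it as `sh efi-verify-sigs /path/to/pool` with the candidate certificates in $CERT_DIR; the exit status is non-zero if any package contains an image that no certificate validates, which makes it usable as a gate in an archive check rather than just a report.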