Hi,

It seems that there is a regression in sbsign. It crashes while signing an (EFI) image using a Yubikey.

Reproduction:
Try signing a file using sbsign where the key is stored on a Yubikey; it will crash:
```
sbsign --engine pkcs11 --key 'pkcs11:manufacturer=piv_II;id=%02' --cert ./sb/db.crt --output ./sb/secboot-linux-latest.efi.signed ./sb/secboot-linux-latest.efi
```
gdb shows this backtrace:
```
Thread 1 "sbsign" received signal SIGSEGV, Segmentation fault.
0x00007ffff7faf1fe in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
(gdb) bt
#0 0x00007ffff7faf1fe in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#1 0x00007ffff7faf962 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#2 0x00007ffff7fb5567 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#3 0x00007ffff7fb58b0 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#4 0x00007ffff7fb3731 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#5 0x00007ffff7fb37bb in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#6 0x00007ffff7d1eed6 in RSA_sign (type=<optimised out>, m=m@entry=0x7fffffffdb80 "\224t& n\257>Y$ \377... ", m_len=m_len@entry=32,
sigret=sigret@entry=0x5555555f89a0 "\330\322\n", siglen=siglen@entry=0x7fffffffdb14, rsa=rsa@entry=0x5555555f4270) at ../crypto/rsa/rsa_sign.c:309
#7 0x00007ffff7d1d5a2 in pkey_rsa_sign (ctx=0x5555555eb5d0, sig=0x5555555f89a0 "\330\322\n", siglen=0x7fffffffdc30,
tbs=0x7fffffffdb80 "\224t& n\257>Y$ \377... ", tbslen=32) at ../crypto/rsa/rsa_pmeth.c:180
#8 0x00007ffff7c06817 in EVP_DigestSignFinal (ctx=ctx@entry=0x5555555d8c50, sigret=0x5555555f89a0 "\330\322\n", siglen=siglen@entry=0x7fffffffdc30) at ../crypto/evp/m_sigver.c:560
#9 0x00007ffff7cfdcbc in PKCS7_SIGNER_INFO_sign (si=si@entry=0x5555555a85f0) at ../crypto/pkcs7/pk7_doit.c:952
#10 0x00007ffff7cfdf9d in do_pkcs7_signed_attrib (mctx=<optimised out>, si=0x5555555a85f0) at ../crypto/pkcs7/pk7_doit.c:728
#11 PKCS7_dataFinal (p7=p7@entry=0x5555555f3520, bio=bio@entry=0x5555555a8640) at ../crypto/pkcs7/pk7_doit.c:850
#12 0x0000555555557c40 in IDC_set (image=<optimised out>, si=0x5555555a85f0, p7=0x5555555f3520) at /usr/src/sbsigntool-0.9.4-3.1ubuntu7/src/idc.c:216
#13 main (argc=<optimised out>, argv=<optimised out>) at /usr/src/sbsigntool-0.9.4-3.1ubuntu7/src/sbsign.c:274
(gdb)
```
It is likely that pkcs11.so is a "red herring" because I tried replacing the library with an older library from a docker image (`docker cp old_image /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so`) and it did NOT fix the issue. These are logs just before the crash:
```
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x4)
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x4) 0
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x5)
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x5) 0
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x6)
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x6) 0
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x7)
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x7) 0
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] ctx.c:1066:sc_release_context: called
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] reader-pcsc.c:978:pcsc_finish: called
fish: Job 1, 'sbsign --engine pkcs11 --key 'p…' terminated by signal SIGSEGV (Address boundary error)
```
Logs were collected with `set -x OPENSC_DEBUG 9`. See more logs here: https://0bin.net/paste/4-TdVHy4#f8e68wCZrtty55tjhLKAFpA2YeSQ2jl9AopYJXf3J5-

PS: I filed a bug here (https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/2067163), but it seems it is ignored by Ubuntu maintainers.