2018456 – sbverify fails on grubx64.efi with fedora-ca-20200709 certificate

Bug 2018456 - sbverify fails on grubx64.efi with fedora-ca-20200709 certificate

Summary: sbverify fails on grubx64.efi with fedora-ca-20200709 certificate

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	shim-unsigned-x64
Sub Component:
Version:	35
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Peter Jones
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-10-29 11:23 UTC by Jan Pazdziora
Modified:	2022-12-13 15:43 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-12-13 15:43:43 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jan Pazdziora 2021-10-29 11:23:44 UTC

Description of problem:

Attempt to verify signature on grubx64.efi with the fedora-ca-20200709.cer certificate built into shim fails. The likely reason is CA:TRUE missing on that CA certificate.

Version-Release number of selected component (if applicable):

sbsigntools-0.9.4-4.fc34.x86_64
grub2-efi-x64-2.06-6.fc34b.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Download fedora-ca-20200709.cer from https://src.fedoraproject.org/rpms/shim-unsigned-x64/tree/rawhide:
   curl -O https://src.fedoraproject.org/rpms/shim-unsigned-x64/blob/rawhide/f/fedora-ca-20200709.cer
2. Convert it to PEM as that's what sbverify seems to like:
   openssl x509 -inform DER -in fedora-ca-20200709.cer -out fedora-ca-20200709.pem
3. Verify signature on grubx64.efi:
   sbverify -v /boot/efi/EFI/fedora/grubx64.efi --cert fedora-ca-20200709.pem

Actual results:

signature 1
image signature issuers:
 - /CN=Fedora Secure Boot CA
image signature certificates:
 - subject: /CN=Fedora Secure Boot Signer
   issuer:  /CN=Fedora Secure Boot CA
 - subject: /CN=Fedora Secure Boot CA
   issuer:  /CN=Fedora Secure Boot CA
PKCS7 verification failed
139874372052096:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:284:Verify error:invalid CA certificate
signature 2
image signature issuers:
 - /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot CA 20200709/CN=fedoraca
image signature certificates:
 - subject: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot Signer/OU=bkernel01 grub2/CN=grub2-signer
   issuer:  /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot CA 20200709/CN=fedoraca
 - subject: /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot CA 20200709/CN=fedoraca
   issuer:  /C=US/ST=Massachusetts/L=Cambridge/O=Red Hat, Inc./OU=Fedora Secure Boot CA 20200709/CN=fedoraca
PKCS7 verification failed
139874372052096:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:284:Verify error:self signed certificate in certificate chain
Signature verification failed

Expected results:

Signature verification OK

Additional info:

Filing against shim because I assume any change needs to be initiated from here.

Comment 1 Ben Cotton 2022-05-12 16:23:53 UTC

This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 34 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 2 Jan Pazdziora 2022-05-16 13:44:22 UTC

The issue is still present on Fedora 35 with

sbsigntools-0.9.4-5.fc35.x86_64
grub2-efi-x64-2.06-10.fc35.x86_64

Comment 3 Ben Cotton 2022-11-29 17:11:57 UTC

This message is a reminder that Fedora Linux 35 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '35'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 35 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 4 Ben Cotton 2022-12-13 15:43:43 UTC

Fedora Linux 35 entered end-of-life (EOL) status on 2022-12-13.

Fedora Linux 35 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.