Description of problem: When using mokutil to import a new certificate, it calculates the wrong size for the cert. According to the UEFI spec, it should be: "...16 (size of the SignatureOwner component) + the size of the certificate itself." However, mokutil is calculating this as: CertList->SignatureSize = sizes[i] + sizeof(EFI_SIGNATURE_DATA) + 16; The sizeof(EFI_SIGNATURE_DATA) there is not necessary. This happens to throw the kernel into a fit and it fails to parse certs stored in MokListRT. Version-Release number of selected component (if applicable): shim-unsigned-0.2-2.fc18.1.x86_64 How reproducible: Always Steps to Reproduce: 1. import a cert with mokutil 2. reboot and do the MokManager thing 3. watch the kernel hate the result. Actual results: cert imported with wrong size in the efi_signature_list structure. Expected results: Things work. Additional info: I've sent a patch to Peter and Matthew, and a pull request upstream for mokutil to fix this.
Proposing as F18 Blocker.
Discussed at 2012-12-12 blocker review meeting: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-12-12/f18final-blocker-review-4.2012-12-12-17.01.log.txt . Rejected as a blocker on the understanding this only affects generation/installation of personal signatures, not use of the MS key. Accepted as NTH - pjones thinks it could go in as 0-day but isn't 100% sure and thinks it's safer to take it now, and the fix is isolated and only affects SB stuff, can't break anything else.
shim-0.2-3.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/shim-0.2-3.fc18
Package shim-0.2-3.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing shim-0.2-3.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-20316/shim-0.2-3.fc18 then log in and leave karma (feedback).
shim-0.2-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Josh, can you confirm the issue is fixed with the new build?
(In reply to comment #6) > Josh, can you confirm the issue is fixed with the new build? You mean like the big long comment and +1 karma I left in the update that is linked to in comment #4? Sure. It fixes the issue.
Sorry, I overlooked that. Thanks.