psivaa | cjwatson: apw: UEFI shim signature verification (?) fails with today's images.. | 10:50 |
---|---|---|
psivaa | reported bug against linux-signed: bug #1234649 | 10:51 |
ubot2 | Launchpad bug 1234649 in linux-signed (Ubuntu) "UEFI shim verification against microsoft-uefica-public.pem fails with 20131003 images" [Undecided,New] https://launchpad.net/bugs/1234649 | 10:51 |
psivaa | not sure if that's the right package though | 10:51 |
cjwatson | Nothing I can help with | 10:52 |
cjwatson | Reassigned to shim-signed - you want slangasek | 10:53 |
psivaa | cjwatson: ack, thanks | 10:53 |
cjwatson | (Though could also be the fault of sbsigntool or utah itself) | 10:54 |
cjwatson | What release are you running this on? | 10:54 |
cjwatson | I mean, utah itself | 10:54 |
psivaa | this is saucy | 10:55 |
cjwatson | OK, no idea why anything would've changed recently then | 10:55 |
* xnox ponders if this is my check failing. I've written tests to verify sb signatures, statically. | 10:57 | |
apw | sbsigntool changed, but a month back, and (cjwatson) isn't the sbsigntool we use on the backend at least separately manually upgraded | 10:58 |
apw | xnox, you added a new test ? | 10:59 |
cjwatson | apw: Dunno | 10:59 |
xnox | apw: i added the test, way back when, to utah static tests to extract signed things from the .iso and execute sbverify on them. | 11:00 |
psivaa | apw: 0.6-0ubuntu1~12.04.1 is the version of sbsigntool that's being used for this test | 11:04 |
xnox | $ sbverify --cert microsoft-uefica-public.pem /mnt/EFI/BOOT/BOOTx64.EFI | 11:05 |
xnox | warning: data remaining[1230256 vs 1355656]: gaps between PE/COFF sections? | 11:05 |
xnox | PKCS7 verification failed | 11:05 |
xnox | 139756278539968:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:342:Verify error:certificate has expired | 11:05 |
xnox | Signature verification failed | 11:05 |
xnox | has microsoft certificate got updated?! /me goes to poke slangasek / jdstrand / et al | 11:06 |
* apw would expect the public ones to change over time, like they do on websites | 11:07 | |
xnox | apw: well, the microsoft cert is listed as valid for 15 years, until 2026 | 11:10 |
apw | well doh | 11:10 |
apw | xnox, but they may use an intermediate cert from that master one | 11:15 |
apw | i would expect them to get the master out yearly and make a cert for that year | 11:15 |
xnox | psivaa: raring iso also failing verification. | 11:51 |
xnox | apw: did microsoft sign us for 2 years only =/ O_o | 11:51 |
=== psivaa is now known as psivaa-afk | ||
=== psivaa-afk is now known as psivaa | ||
xnox | apw: extracted certs from the signature, there is intermediate cert which expired today, and it only lasts 15 months, vs all other certs last for 15 years. | 15:10 |
=== mpt_ is now known as mpt | ||
apw | hmmm i wonder if they missed | 15:16 |
apw | xnox, ^^ | 15:16 |
apw | xnox, is that one ours or one of m$'s | 15:16 |
xnox | apw: m$'s | 15:16 |