[Bug 1159531] New: [Build 20191218] kexec fails to verify signature (but enforces it)
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531 Bug ID: 1159531 Summary: [Build 20191218] kexec fails to verify signature (but enforces it) Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other URL: https://openqa.opensuse.org/tests/1118112/modules/welc ome/steps/5 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-maintainers@forge.provo.novell.com Reporter: dimstar@opensuse.org QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- ## Observation openQA test in scenario opensuse-Tumbleweed-NET-x86_64-create_hdd_tumbleweed@64bit fails in [welcome](https://openqa.opensuse.org/tests/1118112/modules/welcome/steps/5) This test would kexec the kernel as published on download.o.o (so back to 5.3.x) - and fails with: [ 46.993433] PKCS7: Sig 1: X.509 chain contains auth-skid nonmatch (1->1) [ 46.994295] kexec_file: kernel signature verification failed (-129). 09:20:07 <2> util_run+0xb8 : exec: kexec -a -l /download/file_0017 --initrd=/download/file_0018 --append='initrd=initrd splash=silent install=http://download.opensuse.org/tumbleweed/repo/oss/ Y2DEBUG=1 vga=791 video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty linuxrc.log=/dev/ttyS0 linuxrc.core=/dev/ttyS0 linuxrc.debug=4,trace kexec=3 kexec=0' = 255 09:20:07 <4> util_run+0x139 : stdout + stderr: kexec_file_load failed: Key was rejected by service a 2nd test (not switching kernel) is https://openqa.opensuse.org/tests/1118104#step/boot_linuxrc/19 where the same kernel is being booted, with similar unsuccessful state: 09:10:40 <2> util_run+0xb8 : exec: kexec -a -l '/mnt//boot/vmlinuz-5.4.3-1-default' --initrd='/mnt//boot/initrd-5.4.3-1-default' --append='root=/dev/vda2' = 255 09:10:40 <4> util_run+0x139 : stdout + stderr: kexec_file_load failed: Key was rejected by service ## Test suite description Maintainer: dimstar, okurz The idea of the test suite is to create an installation from the last published snapshot so that we can do the upgrade from last_published to current snapshot_under_test as a test ## Reproducible Fails since (at least) Build [20191217](https://openqa.opensuse.org/tests/1116837) ## Expected result Last good: [20191216](https://openqa.opensuse.org/tests/1115126) (or more recent) ## Further details Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=NET&machine=64bit&test=create_hdd_tumbleweed&version=Tumbleweed) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c1
Dominique Leuenberger
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
Fabian Vogt
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
Takashi Iwai
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
Max Lin
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
Jiri Kosina
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
Guillaume GARDET
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c2
--- Comment #2 from Joey Lee
## Observation [...snip] ## Reproducible
Fails since (at least) Build [20191217](https://openqa.opensuse.org/tests/1116837)
There have "auth-skid nonmatch" warning in the log: 09:20:07 <2> +0x30d0b : digest ok [ 46.993433] PKCS7: Sig 1: X.509 chain contains auth-skid nonmatch (1->1) [ 46.994295] kexec_file: kernel signature verification failed (-129). 09:20:07 <2> util_run+0xb8 : exec: kexec -a -l /download/file_0017 --initrd=/download/file_0018 --append='initrd=initrd splash=silent install=http://download.opensuse.org/tumbleweed/repo/oss/ Y2DE kexec=0' = 255 The issuer_check_skid case in pkcs7_verify_one()->pkcs7_verify_sig_chain() is in "Verify the internal certificate chain" failed. But I do not see changes in this code path between v5.3 and v5.4. The public_key_verify_signature() function should be success before kernel runs into pkcs7_verify_sig_chain(). Did our kernel be signed success? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c3
--- Comment #3 from Dominique Leuenberger
(In reply to Dominique Leuenberger from comment #0)
## Observation [...snip] ## Reproducible
Fails since (at least) Build [20191217](https://openqa.opensuse.org/tests/1116837)
There have "auth-skid nonmatch" warning in the log:
09:20:07 <2> +0x30d0b : digest ok [ 46.993433] PKCS7: Sig 1: X.509 chain contains auth-skid nonmatch (1->1) [ 46.994295] kexec_file: kernel signature verification failed (-129). 09:20:07 <2> util_run+0xb8 : exec: kexec -a -l /download/file_0017 --initrd=/download/file_0018 --append='initrd=initrd splash=silent install=http://download.opensuse.org/tumbleweed/repo/oss/ Y2DE kexec=0' = 255
The issuer_check_skid case in pkcs7_verify_one()->pkcs7_verify_sig_chain() is in "Verify the internal certificate chain" failed. But I do not see changes in this code path between v5.3 and v5.4.
The public_key_verify_signature() function should be success before kernel runs into pkcs7_verify_sig_chain(). Did our kernel be signed success?
As the regular uefi boot seems to be all right, I'd guess yes, the kernel signing was successful: https://openqa.opensuse.org/tests/1117864#step/bootloader_uefi/1 Max pointed out these kernel options: - Security - SECURITY_LOCKDOWN_LSM=y - SECURITY_LOCKDOWN_LSM_EARLY=y - LOCK_DOWN_KERNEL_FORCE_NONE=y - IMA_DEFAULT_HASH_SHA512=n - IMA_APPRAISE_MODSIG=y - RANDOM_TRUST_BOOTLOADER=y - KEXEC_SIG=y - KEXEC_SIG_FORCE=n - KEXEC_BZIMAGE_VERIFY_SIG=y on my 5.3 Tumbleweed install, KEXEC_SIG is not set (probably did not exist in 5.3?) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c5
--- Comment #5 from Joey Lee
(In reply to Joey Lee from comment #2)
(In reply to Dominique Leuenberger from comment #0)
## Observation [...snip] ## Reproducible
Fails since (at least) Build [20191217](https://openqa.opensuse.org/tests/1116837)
There have "auth-skid nonmatch" warning in the log:
09:20:07 <2> +0x30d0b : digest ok [ 46.993433] PKCS7: Sig 1: X.509 chain contains auth-skid nonmatch (1->1) [ 46.994295] kexec_file: kernel signature verification failed (-129). 09:20:07 <2> util_run+0xb8 : exec: kexec -a -l /download/file_0017 --initrd=/download/file_0018 --append='initrd=initrd splash=silent install=http://download.opensuse.org/tumbleweed/repo/oss/ Y2DE kexec=0' = 255
The issuer_check_skid case in pkcs7_verify_one()->pkcs7_verify_sig_chain() is in "Verify the internal certificate chain" failed. But I do not see changes in this code path between v5.3 and v5.4.
The public_key_verify_signature() function should be success before kernel runs into pkcs7_verify_sig_chain(). Did our kernel be signed success?
As the regular uefi boot seems to be all right, I'd guess yes, the kernel signing was successful:
When booting with UEFI secure boot, booting kernel be verified by shim boot loader. The crash kernel be verified by kexec in Linux kernel. It's different code base.
https://openqa.opensuse.org/tests/1117864#step/bootloader_uefi/1
Max pointed out these kernel options:
- Security - SECURITY_LOCKDOWN_LSM=y - SECURITY_LOCKDOWN_LSM_EARLY=y - LOCK_DOWN_KERNEL_FORCE_NONE=y - IMA_DEFAULT_HASH_SHA512=n - IMA_APPRAISE_MODSIG=y - RANDOM_TRUST_BOOTLOADER=y - KEXEC_SIG=y - KEXEC_SIG_FORCE=n - KEXEC_BZIMAGE_VERIFY_SIG=y
on my 5.3 Tumbleweed install, KEXEC_SIG is not set (probably did not exist in 5.3?)
Yes, KEXEC_SIG be introduced since v5.4 kernel. Which means that the crash kernel of TW may never be verified by kexec until v5.4. Is it possible to enable dynamic debugging? Just adding the following kernel parameter for booting, then capture dmesg: ddebug_query='file crypto/asymmetric_keys/pkcs7_verify.c +p' -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c6
--- Comment #6 from Dominique Leuenberger
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c8
--- Comment #8 from Joey Lee
(In reply to Dominique Leuenberger from comment #0)
## Observation [...snip] ## Reproducible
Fails since (at least) Build [20191217](https://openqa.opensuse.org/tests/1116837)
There have "auth-skid nonmatch" warning in the log:
09:20:07 <2> +0x30d0b : digest ok [ 46.993433] PKCS7: Sig 1: X.509 chain contains auth-skid nonmatch (1->1) [ 46.994295] kexec_file: kernel signature verification failed (-129). 09:20:07 <2> util_run+0xb8 : exec: kexec -a -l /download/file_0017 --initrd=/download/file_0018 --append='initrd=initrd splash=silent install=http://download.opensuse.org/tumbleweed/repo/oss/ Y2DE kexec=0' = 255
The issuer_check_skid case in pkcs7_verify_one()->pkcs7_verify_sig_chain() is in "Verify the internal certificate chain" failed. But I do not see changes in this code path between v5.3 and v5.4.
The public_key_verify_signature() function should be success before kernel runs into pkcs7_verify_sig_chain(). Did our kernel be signed success?
Sorry for I was wrong, the public_key_verify_signature() is success. But the pkcs7_verify_sig_chain() verification is failed. The built-in certificate be loaded success by kernel when booting: [ 2.841526] Loaded X.509 cert 'openSUSE Secure Boot Signkey: 0332fa9cbf0d88bf21924b0de82a09a54d5defc8' Base on the code in pkcs7_verify_one(), kernel found the key (I think the built-in key) that it matches with the pkcs7 signature information on crash kernel. The strange thing is that the signature pass the verification with the built-in kerenl. But the further pkcs7_verify_sig_chain() step is failed in found_issuer_check_skid case. Can anyone help to attach the certificate of "openSUSE Secure Boot Signkey" please? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c10
--- Comment #10 from Joey Lee
I installed 5.4.5-1.g47eef04-default on my desktop, so my kernel is now compiled with the signature verification.
I can reproduce the error easily. # wget http://download.opensuse.org/tumbleweed/repo/oss/boot/x86_64/loader/linux # echo 'file crypto/asymmetric_keys/pkcs7_verify.c +p' > /sys/kernel/debug/dynamic_debug/control # kexec -sl linux
This is the dmesg output: [ 1873.514846] PKCS7: verify openSUSE Secure Boot Signkey: 01 [ 1873.514850] PKCS7: - issuer openSUSE Secure Boot CA [ 1873.514851] PKCS7: - authkeyid.id 013120301e06035504030c176f70656e535553452053656375726520426f6f74204341310b300 90603550406130244453112301006035504070c094e7572656d [ 1873.514852] PKCS7: - authkeyid.skid 6842600de22c4c477e95be23dfea9513e5971762 [ 1873.514853] PKCS7: - want 013120301e06035504030c176f70656e535553452053656375726520426f6f74204341310b300 90603550406130244453112301006035504070c094e7572656d [ 1873.514855] PKCS7: - cmp [1] 013120301e06035504030c176f70656e535553452053656375726520426f6f74204341310b300 90603550406130244453112301006035504070c094e7572656d [ 1873.514856] PKCS7: Sig 1: X.509 chain contains auth-skid nonmatch (1->1) [ 1873.514864] kexec_file: kernel signature verification failed (-129).
Thanks! It's confirm that we filed in the following verification. Did you sign
by openSUSE key or your self-signed key?
found_issuer_check_skid:
/* We matched issuer + serialNumber, but if there's an
* authKeyId.keyId, that must match the CA subjKeyId also.
*/
if (sig->auth_ids[1] &&
!asymmetric_key_id_same(p->skid, sig->auth_ids[1])) {
pr_warn("Sig %u: X.509 chain contains auth-skid nonmatch
(%u->%u)\n",
sinfo->index, x509->index, p->index);
return -EKEYREJECTED;
}
The patch is introduced since 2015. Which means that openSUSE sign key has
something difference compared with SLE sign key. Because SLE sign key pass the
verification:
commit 4573b64a31cd8cb4cfeb1d1b95536cfe71980cf4
Author: David Howells
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c11
--- Comment #11 from Joey Lee
I installed 5.4.5-1.g47eef04-default on my desktop, so my kernel is now compiled with the signature verification.
Sorry for I didn't see that you reproduced issue by openSUSE signed kernel. Then we must compare issuer+serialNumber and the keyIdentifier of the certificate of openSUSE Secure Boot Signkey and also the openSUSE CA. Because in 4573b64a31cd8cb patch description: If the latter doesn't match the subjectKeyIdentifier of the parent certificate, EKEYREJECTED is returned. Can anyone attached openSUSE secure boot sign key certificate and also openSUSE CA please? Then we can use openssl to compare them: openssl x509 -in xxx.crt -inform DER -noout -text | less I reassigned this issue to me. I will look at it tomorrow. Thanks a lot! -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
Joey Lee
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c12
--- Comment #12 from Dominique Leuenberger
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c13
--- Comment #13 from Dominique Leuenberger
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c14
--- Comment #14 from Dominique Leuenberger
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c16
--- Comment #16 from Joey Lee
I installed 5.4.5-1.g47eef04-default on my desktop, so my kernel is now compiled with the signature verification.
I can reproduce the error easily. # wget http://download.opensuse.org/tumbleweed/repo/oss/boot/x86_64/loader/linux # echo 'file crypto/asymmetric_keys/pkcs7_verify.c +p' > /sys/kernel/debug/dynamic_debug/control # kexec -sl linux
Run: kexec -sl /boot/vmlinuz-5.4.5-1.g47eef04-default Success. Which means that the kernel RPM form kernel-stable repo has no problem.
This is the dmesg output: [ 1873.514846] PKCS7: verify openSUSE Secure Boot Signkey: 01 [ 1873.514850] PKCS7: - issuer openSUSE Secure Boot CA [ 1873.514851] PKCS7: - authkeyid.id 013120301e06035504030c176f70656e535553452053656375726520426f6f74204341310b300 90603550406130244453112301006035504070c094e7572656d [ 1873.514852] PKCS7: - authkeyid.skid 6842600de22c4c477e95be23dfea9513e5971762 [ 1873.514853] PKCS7: - want 013120301e06035504030c176f70656e535553452053656375726520426f6f74204341310b300 90603550406130244453112301006035504070c094e7572656d [ 1873.514855] PKCS7: - cmp [1] 013120301e06035504030c176f70656e535553452053656375726520426f6f74204341310b300 90603550406130244453112301006035504070c094e7572656d [ 1873.514856] PKCS7: Sig 1: X.509 chain contains auth-skid nonmatch (1->1) [ 1873.514864] kexec_file: kernel signature verification failed (-129).
I have tried kernel RPM from kernel-stable repo. And I also tried SLE15-SP1/SLE15-SP2 kernel. All of them can not reproduced issue. Only loading openSUSE kernel can reproduce issue. No matter which is the booting kernel. The PKCS#7 signature carries a certificate list that it can be used to verify signature before kernel finds appropriate certificate from keyring. Looks that only openSUSE kernel's certificate list in PKCS#7 signature can not pass the verification. I must extract the PKCS#7 package from kernel binary for parsing by openSSL. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c17
--- Comment #17 from Joey Lee
Created attachment 826493 [details] Subject: CN = openSUSE Secure Boot Signkey
OK! I know what's happened now. The serial number of "openSUSE Secure Boot Signkey" should does _NOT_ equal to the serial number his parent CA, "openSUSE Secure Boot CA". Otherwise the kernel will confused with signkey and CA, then runs into the verification of Authority Key Identifier/Subject Key Identifier that it causes verification failed. Base on rfc5280 (X.509) spec, the "Serial Number" must be unique: -------------------------- 4.1.2.2. Serial Number The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). CAs MUST force the serialNumber to be a non-negative integer. ------------------------- openSUSE Secure Boot CA 4659838C.crt Serial Number: 1 (0x1) openSUSE Secure Boot Signkey 188EA6FA.crt Serial Number: 1 (0x1) <=== should not duplicate with CA or another other certificate which signed by the same CA. It must be 2 or 3 or even more... SLE keys: SUSE Linux Enterprise Secure Boot CA BCA4E38E.crt Serial Number: 1 (0x1) SUSE Linux Enterprise Secure Boot Signkey 91A3B0B5.crt Serial Number: 2 (0x2) We need security team's help to update the openSUSE sign key for increasing the Serial Number. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c18
Joey Lee
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
Marcus Meissner
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c21
--- Comment #21 from Dominique Leuenberger
OK! I know what's happened now. The serial number of "openSUSE Secure Boot Signkey" should does _NOT_ equal to the serial number his parent CA, "openSUSE Secure Boot CA". Otherwise the kernel will confused with signkey and CA, then runs into the verification of Authority Key Identifier/Subject Key Identifier that it causes verification failed.
Base on rfc5280 (X.509) spec, the "Serial Number" must be unique:
-------------------------- 4.1.2.2. Serial Number
The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). CAs MUST force the serialNumber to be a non-negative integer. -------------------------
That's frankly not how I interpret this RFC. IMHO, the RFC claims that the CN/Serial COMBO must be unique, but not that none of the CAs signees can have a serial number of the same value (that would be even close to impossible to guarantee, since the serial number of the CA can change and could in the future conflict with any of the sigs it ever signed) What must not happen though is that a CA creates a new certificate with the same CN AND the same serial number as it already did in the past. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c22
--- Comment #22 from Joey Lee
(In reply to Joey Lee from comment #17)
OK! I know what's happened now. The serial number of "openSUSE Secure Boot Signkey" should does _NOT_ equal to the serial number his parent CA, "openSUSE Secure Boot CA". Otherwise the kernel will confused with signkey and CA, then runs into the verification of Authority Key Identifier/Subject Key Identifier that it causes verification failed.
Base on rfc5280 (X.509) spec, the "Serial Number" must be unique:
-------------------------- 4.1.2.2. Serial Number
The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). CAs MUST force the serialNumber to be a non-negative integer. -------------------------
That's frankly not how I interpret this RFC. IMHO, the RFC claims that the CN/Serial COMBO must be unique, but not that none of the CAs signees can have a serial number of the same value (that would be even close to impossible to guarantee, since the serial number of the CA can change and could in the future conflict with any of the sigs it ever signed)
What must not happen though is that a CA creates a new certificate with the same CN AND the same serial number as it already did in the past.
Practically I still suggest that serial number should be unique. It's better for more strict checking on some tools. e.g. The mozilla NSS database also rejected for enrolling openSUSE CA/signkey : # create a NSS database $ mkdir db $ certutil -N -d db --empty-password $ ls 188EA6FA-opensuse-signkey.crt 4659838C-opensuse-ca.crt db # add openSUSE CA $ certutil -A -i 4659838C-opensuse-ca.crt -d db -n "CN=openSUSE CA" -t "u,u,u"Notice: Trust flag u is set automatically if the private key is present. # add openSUSE Signkey $ certutil -A -i 188EA6FA-opensuse-signkey.crt -d db -n "CN=openSUSE Signkey" -t "u,u,u" Notice: Trust flag u is set automatically if the private key is present. certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. The NSS also confused for openSUSE CA and signkey. Gary Lin found this situation before the SLE signkey's serial number be changed. So, a unique serial number is better for decoding by different tools. It's not hard to us (SUSE) for assigning unique serial number because we should not update/create certificates often. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c23
--- Comment #23 from Dominique Leuenberger
certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. Ah, now I see it - it's ISSUER/Serial, not CN/Serial; and since we have a self-signed root CA it's serial matters Thanks for the clarifiction - I somehow overread that in the original startements -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
Mircea Kitsune
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
Manu Maier
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c24
Dominique Leuenberger
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
Hans-Peter Jansen
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c27
Anony Mous
it now uses a random serial number. Does that solve this issue?
Is it possible to randomly generate serial number = 1 though? Which would fail, if I understand correctly. You need to make sure the random value doesn't conflict. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
Frank Kruger
participants (1)
-
bugzilla_noreply@novell.com