[Bug 813110] New: shim maintenance update signed with wrong key
https://bugzilla.novell.com/show_bug.cgi?id=813110
https://bugzilla.novell.com/show_bug.cgi?id=813110#c0

Summary: shim maintenance update signed with wrong key
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Bootloader
AssignedTo: mls@suse.com
ReportedBy: lnussel@suse.com
QAContact: jsrain@suse.com
CC: glin@suse.com, jcheung@suse.com, jlee@suse.com, mlin@suse.com, fcrozat@suse.com
Found By: ---
Blocker: ---

+++ This bug was initially created as a clone of Bug #808594 +++

How could that happen? A mistake like that could easily result in an unbootable system.
Hmmm, I found another problem with the sign key. While shim was built in the maintenance project, it was signed with the openSUSE:Maintenance project key instead of the openSUSE-UEFI-Sign key.
If the grub2 and kernel updates also follow these settings, I am afraid that shim would refuse to boot grub2/kernel if those two packages were updated. Looks like we need extra config in the sign server to sign EFI images in openSUSE:Maintenance with the openSUSE-UEFI-Sign key.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=813110#c1

Marcus Meissner <meissner@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |meissner@suse.com

--- Comment #1 from Marcus Meissner <meissner@suse.com> 2013-04-03 07:43:27 UTC ---

I thought Micha set this up correctly
https://bugzilla.novell.com/show_bug.cgi?id=813110#c2

Michael Schröder <mls@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |NEW |NEEDINFO
InfoProvider | |lnussel@suse.com

--- Comment #2 from Michael Schröder <mls@suse.com> 2013-04-04 09:07:12 UTC ---

I did. Which project is that?
https://bugzilla.novell.com/show_bug.cgi?id=813110#c3

--- Comment #3 from Michael Schröder <mls@suse.com> 2013-04-04 09:14:50 UTC ---

Hrm. I think it signs with the correct key but uses the wrong cert.
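The "correct key, wrong cert" case from comment #3, as an added example that is not part of the original thread or the sign server's code: one key is wrapped in two certificates, and a verifier that trusts only one of them rejects a signature embedding the other. It uses OpenSSL CMS as a stand-in for Authenticode verification; the key, certificates, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed fixture: ONE signing key wrapped in TWO certificates.
# CMS stands in for Authenticode; names are labels taken from the bug report.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$work/sign.key" -out "$work/uefi.pem" \
        -subj "/CN=openSUSE-UEFI-Sign (constructed)" 2>/dev/null &&
    openssl req -x509 -new -key "$work/sign.key" -days 1 \
        -out "$work/maint.pem" \
        -subj "/CN=openSUSE:Maintenance (constructed)" 2>/dev/null &&
    printf 'stand-in for an EFI image\n' > "$work/image.bin"
}

# sign_with CERT: detached signature over image.bin that embeds CERT.
sign_with() {
    openssl cms -sign -binary -in "$work/image.bin" \
        -signer "$work/$1" -inkey "$work/sign.key" \
        -outform DER -out "$work/image.sig" 2>/dev/null
}

# trusted_by CERT: what a verifier that trusts only CERT concludes.
trusted_by() {
    openssl cms -verify -binary -inform DER -in "$work/image.sig" \
        -content "$work/image.bin" -CAfile "$work/$1" -purpose any \
        -out /dev/null 2>/dev/null
}

# signer_is CERT: release gate comparing the embedded signer cert to CERT.
signer_is() {
    openssl cms -verify -noverify -binary -inform DER \
        -in "$work/image.sig" -content "$work/image.bin" \
        -signer "$work/embedded.pem" -out /dev/null 2>/dev/null || return 2
    [ "$(openssl x509 -noout -fingerprint -sha256 -in "$work/embedded.pem")" = \
      "$(openssl x509 -noout -fingerprint -sha256 -in "$work/$1")" ]
}

make_fixture || exit 1
sign_with maint.pem    # right key, wrong certificate
trusted_by uefi.pem && echo "uefi trust: accepted" || echo "uefi trust: REJECTED"
signer_is uefi.pem && echo "gate: pass" || echo "gate: FAIL, wrong signer cert"
sign_with uefi.pem     # same key, expected certificate
trusted_by uefi.pem && echo "uefi trust: accepted" || echo "uefi trust: REJECTED"
signer_is uefi.pem && echo "gate: pass" || echo "gate: FAIL, wrong signer cert"
```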
https://bugzilla.novell.com/show_bug.cgi?id=813110#c4

--- Comment #4 from Michael Schröder <mls@suse.com> 2013-04-04 09:27:11 UTC ---

I updated the cert. WARNING: creating a new signkey will break the cert again. But it should work for now.
https://bugzilla.novell.com/show_bug.cgi?id=813110#c5

Ludwig Nussel <lnussel@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |NEEDINFO |NEW
InfoProvider |lnussel@suse.com |
AssignedTo |mls@suse.com |maintenance@opensuse.org

--- Comment #5 from Ludwig Nussel <lnussel@suse.com> 2013-04-04 14:50:58 CEST ---

It's in openSUSE:Maintenance:1510. According to offline talk with mls the project should be re-opened and rebuilt. Then the correct cert should be put on shim.
https://bugzilla.novell.com/show_bug.cgi?id=813110#c6

--- Comment #6 from Marcus Meissner <meissner@suse.com> 2013-04-04 15:42:35 UTC ---

osc rdelete openSUSE:12.3:Update patchinfo.1510
osc unlock openSUSE:Maintenance:1510 -m reopen
osc rebuildpac --all openSUSE:Maintenance:1510

... waiting ..
https://bugzilla.novell.com/show_bug.cgi?id=813110#c7

Benjamin Brunner <bbrunner@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |NEW |RESOLVED
Resolution | |FIXED

--- Comment #7 from Benjamin Brunner <bbrunner@suse.com> 2013-04-17 16:42:49 CEST ---

I rereleased the update and it should have the correct signature now. Feel free to reopen the bug if something is still wrong.