[Bug 1113225] New: shim build failed with hash is unmatched
http://bugzilla.suse.com/show_bug.cgi?id=1113225

            Bug ID: 1113225
           Summary: shim build failed with hash is unmatched
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.1
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: mlin@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

shim in Leap 15.1 build failed recently, the error log:

[ 60s] + chmod 755 /home/abuild/rpmbuild/SOURCES/timestamp.pl
[ 60s] + test -n /home/abuild/rpmbuild/SOURCES/signature-opensuse.asc
[ 60s] + head -1 /home/abuild/rpmbuild/SOURCES/signature-opensuse.asc
[ 60s] + cp shim.efi shim.efi.bak
[ 60s] + /home/abuild/rpmbuild/SOURCES/timestamp.pl --set-from-file /home/abuild/rpmbuild/SOURCES/signature-opensuse.asc shim.efi
[ 60s] + pesign -h -P -i shim.efi
[ 60s] + cat hash1 hash2
[ 60s] hash: 3be8e7eb348d35c1928f19c769846788991641d1f6cf09514ca10269934f7359
[ 60s] hash: 162c2814c4319dad606e51b9bb5041a5e7ba126ce183794a5ddf439798973bca
[ 60s] + cmp -s hash1 hash2
[ 60s] + echo 'ERROR: opensuse binary changed, need to request new signature!'
[ 60s] ERROR: opensuse binary changed, need to request new signature!
[ 60s] + false

This is not caught in staging project period because shim_enforce_ms_signature is not set.

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1113225

Zejin Xu <jxu@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jxu@suse.com, mlin@suse.com
           Assignee|bnc-team-screening@forge.pr |glin@suse.com
                   |ovo.novell.com              |

http://bugzilla.suse.com/show_bug.cgi?id=1113225
http://bugzilla.suse.com/show_bug.cgi?id=1113225#c1

--- Comment #1 from Gary Ching-Pang Lin <glin@suse.com> ---
The update of binutils caused the change.

objdump -x shim-opensuse.efi (15.0):
Magic                    020b (PE32+)
MajorLinkerVersion       2
MinorLinkerVersion       29
SizeOfCode               00097400
SizeOfInitializedData    0006d800
SizeOfUninitializedData  00000000

objdump -x shim-opensuse.efi (15.1):
Magic                    020b (PE32+)
MajorLinkerVersion       2
MinorLinkerVersion       31
SizeOfCode               00097400
SizeOfInitializedData    0006d800
SizeOfUninitializedData  00000000

The linker version was changed from 29 to 31. Besides, "objdump -S" also shows that the machine code of several functions is changed.

The only way to fix the build is to request a new signature :-\
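
Added example (not part of the bug report or of the shim packaging): a Python check that compares the leading PE optional-header fields of two builds, the same fields quoted from "objdump -x" in comment #1, and reports which ones moved. The optional header is part of the image that is hashed for signing, so a linker-version change alone is enough to change the hash. The sample images are constructed stubs carrying the values from that comment; make_sample and the x86-64 machine type are assumptions.

```python
import struct

# Leading optional-header fields, in on-disk order (same names objdump -x prints).
FIELDS = ("Magic", "MajorLinkerVersion", "MinorLinkerVersion",
          "SizeOfCode", "SizeOfInitializedData", "SizeOfUninitializedData")

def read_optional_header(image: bytes) -> dict:
    """Parse the first 16 bytes of the PE optional header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = pe_off + 4 + 20          # skip signature and 20-byte COFF header
    if len(image) < opt_off + 16:
        raise ValueError("truncated optional header")
    return dict(zip(FIELDS, struct.unpack_from("<HBBIII", image, opt_off)))

def diff_headers(old: bytes, new: bytes) -> dict:
    """Return {field: (old_value, new_value)} for every field that differs."""
    a, b = read_optional_header(old), read_optional_header(new)
    return {name: (a[name], b[name]) for name in FIELDS if a[name] != b[name]}

def make_sample(major: int, minor: int) -> bytes:
    """Constructed header stub, not a real shim binary; values from comment #1."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    # COFF header; machine type 0x8664 (x86-64) is an assumption.
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, 0)
    opt = struct.pack("<HBBIII", 0x20B, major, minor, 0x97400, 0x6D800, 0)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    for name, (old, new) in diff_headers(make_sample(2, 29),
                                         make_sample(2, 31)).items():
        print(f"{name}: {old} -> {new}")
```

Run against two real builds by passing the file contents to diff_headers; an empty result means the difference lies elsewhere in the image, such as the changed machine code the comment mentions.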

http://bugzilla.suse.com/show_bug.cgi?id=1113225

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsegitz@suse.com

http://bugzilla.suse.com/show_bug.cgi?id=1113225
http://bugzilla.suse.com/show_bug.cgi?id=1113225#c2

--- Comment #2 from Gary Ching-Pang Lin <glin@suse.com> ---
We got the new signature. However, some program was updated during the lengthy signing process, so we have to package the binary directly now...

http://bugzilla.suse.com/show_bug.cgi?id=1113225
http://bugzilla.suse.com/show_bug.cgi?id=1113225#c3

--- Comment #3 from Swamp Workflow Management <swamp@suse.de> ---
This is an autogenerated message for OBS integration:
This bug (1113225) was mentioned in
https://build.opensuse.org/request/show/695025 15.1 / shim

http://bugzilla.suse.com/show_bug.cgi?id=1113225
http://bugzilla.suse.com/show_bug.cgi?id=1113225#c4

--- Comment #4 from Swamp Workflow Management <swamp@suse.de> ---
This is an autogenerated message for OBS integration:
This bug (1113225) was mentioned in
https://build.opensuse.org/request/show/702795 Factory / shim

http://bugzilla.suse.com/show_bug.cgi?id=1113225
http://bugzilla.suse.com/show_bug.cgi?id=1113225#c5

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P1 - Urgent

--- Comment #5 from Ludwig Nussel <lnussel@suse.com> ---
I missed this one. Please revert this ASAP. The shim package is meant to build properly and MUST NOT contain a binary. The shim-leap package is meant to repackage the binary. And even that one MUST come from a properly built rpm.

To avoid breaking the binary rebuild we can implement other means, like blocking binutils updates until we have a new signature.

http://bugzilla.suse.com/show_bug.cgi?id=1113225
http://bugzilla.suse.com/show_bug.cgi?id=1113225#c6

--- Comment #6 from Gary Ching-Pang Lin <glin@suse.com> ---
(In reply to Ludwig Nussel from comment #5)
> I missed this one. Please revert this ASAP. The shim package is meant to build properly and MUST NOT contain a binary. The shim-leap package is meant to repackage the binary. And even that one MUST come from a properly built rpm.
>
> To avoid breaking the binary rebuild we can implement other means, like blocking binutils updates until we have a new signature.

The change wasn't merged into Leap 15.1 actually. Tumbleweed and Leap 15.1 still use shim 14 which is from Leap 15.0.

https://bugzilla.suse.com/show_bug.cgi?id=1113225
https://bugzilla.suse.com/show_bug.cgi?id=1113225#c7

--- Comment #7 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1113225) was mentioned in
https://build.opensuse.org/request/show/824278 15.2 / shim

https://bugzilla.suse.com/show_bug.cgi?id=1113225
https://bugzilla.suse.com/show_bug.cgi?id=1113225#c10

--- Comment #10 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1113225) was mentioned in
https://build.opensuse.org/request/show/828869 15.2 / shim

https://bugzilla.suse.com/show_bug.cgi?id=1113225
https://bugzilla.suse.com/show_bug.cgi?id=1113225#c12

--- Comment #12 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2020:1274-1: An update that has 9 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1113225,1121268,1153953,1168104,1168994,1173411,1174320,1175626,1175656
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): shim-15+git47-lp152.4.5.1

https://bugzilla.suse.com/show_bug.cgi?id=1113225
https://bugzilla.suse.com/show_bug.cgi?id=1113225#c13

--- Comment #13 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-SU-2020:2629-1: An update that solves one vulnerability and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1113225,1121268,1153953,1168104,1168994,1173411,1174320,1175626,1175656
CVE References: CVE-2020-10713
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): shim-15+git47-3.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): shim-15+git47-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.