[opensuse-buildservice] Issue with RSA signing in openSUSE:Factory:RISCV
At least since 2020-08-09 RSA signing of kernel modules is broken in openSUSE:Factory:RISCV, producing bad signatures that cannot be verified against the included certificate:

    $ modsign-verify -v -v --cert-dir etc/uefi/certs sunrpc.ko
    Signature type: pkcs#7
    Signed by: cn=openSUSE Secure Boot CA,serial=1
    Hash algorithm: sha256
    Trying etc/uefi/certs/188EA6FA.crt
    Found matching certificate etc/uefi/certs/188EA6FA.crt
    RSA operation error
    140060768991040:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:crypto/rsa/rsa_pk1.c:67:
    140060768991040:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:crypto/rsa/rsa_ossl.c:648:
    sunrpc.ko: signature validation failed for etc/uefi/certs/188EA6FA.crt
    sunrpc.ko: bad signature

IIUC the signature appears to be created with a private key that doesn't match the public key in etc/uefi/certs/188EA6FA.crt. Since the problem does not occur if the same kernel is built in a different project, there is no fundamental problem with signature creation or verification. The last working kernel was built on 2020-08-01 in o:F:RISCV (which verifies properly using the same certificate).

I note that the certificate has a serial number of 1. Isn't that serial number supposed to be unique?

Andreas.

--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
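Why a signature made with a non-matching private key fails at the padding check, while altered content fails only later at the digest comparison, shown on the bare RSA PKCS#1 v1.5 layer. This is an added example, not part of the original thread; the keys are constructed from known Mersenne primes (insecure, illustration only), the function names are hypothetical, and the PKCS#7 wrapping used for kernel modules is left out.

```python
import hashlib

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
E = 65537

def mersenne(p):
    return (1 << p) - 1

# Constructed demo keys from known Mersenne primes: NOT secure, illustration only.
N_SIGNER = mersenne(521) * mersenne(607)
D_SIGNER = pow(E, -1, (mersenne(521) - 1) * (mersenne(607) - 1))
# Unrelated public modulus, standing in for a certificate that does not
# belong to the key that actually signed.
N_OTHER = mersenne(127) * mersenne(1279)

def encode_block(msg, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(msg))."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(encode_block(msg, k), "big"), d, n)

def verify(msg, sig, n, e=E):
    """Return 'ok' or the stage at which verification failed."""
    if sig >= n:
        return "data too large for modulus"
    k = (n.bit_length() + 7) // 8
    # The "public decrypt" step: with the wrong (n, e) this yields
    # pseudo-random bytes, so the fixed 00 01 FF..FF 00 framing is absent.
    block = pow(sig, e, n).to_bytes(k, "big")
    if block[:2] != b"\x00\x01":
        return "invalid padding"
    sep = block.find(b"\x00", 2)
    if sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        return "invalid padding"
    # Only a signature from the matching key gets this far; a changed
    # message then shows up as a digest mismatch instead.
    expected = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return "ok" if block[sep + 1:] == expected else "digest mismatch"

if __name__ == "__main__":
    module = b"constructed module bytes"
    sig = sign(module, N_SIGNER, D_SIGNER)
    print("matching key:    ", verify(module, sig, N_SIGNER))
    print("altered content: ", verify(module + b"x", sig, N_SIGNER))
    print("non-matching key:", verify(module, sig, N_OTHER))
```

When triaging a failed module verification, the failure stage is therefore a useful signal: a padding error points at the signing key or certificate pairing, a digest mismatch at the signed content.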
On Aug 27 2020, Andreas Schwab wrote:
> At least since 2020-08-09 RSA signing of kernel modules is broken in openSUSE:Factory:RISCV, producing bad signatures that cannot be verified against the included certificate:

Still broken.

Andreas.
On Sep 10 2020, Andreas Schwab wrote:
> On Aug 27 2020, Andreas Schwab wrote:
>> At least since 2020-08-09 RSA signing of kernel modules is broken in openSUSE:Factory:RISCV, producing bad signatures that cannot be verified against the included certificate:
> Still broken.

Still broken, unfortunately.

Andreas.
On Wednesday, 23 September 2020, 12:29:12 CEST Andreas Schwab wrote:
> On Sep 10 2020, Andreas Schwab wrote:
>> On Aug 27 2020, Andreas Schwab wrote:
>>> At least since 2020-08-09 RSA signing of kernel modules is broken in openSUSE:Factory:RISCV, producing bad signatures that cannot be verified against the included certificate:
>> Still broken.
> Still broken, unfortunately.

and it remains that way until the internal discussion about the official openSUSE project governance has been finished.

But I will push again...

--
Adrian Schroeter <adrian@suse.de>
Build Infrastructure Project Manager
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
(HRB 247165, AG München), Managing Director: Felix Imendörffer
On Sep 23 2020, Adrian Schröter wrote:
> and it remains that way until the internal discussion about the official openSUSE project governance has been finished.
> But I will push again...

Any news?

Andreas.
On Tuesday, 6 October 2020, 15:46:17 CEST Andreas Schwab wrote:
> On Sep 23 2020, Adrian Schröter wrote:
>> and it remains that way until the internal discussion about the official openSUSE project governance has been finished.
>> But I will push again...
> Any news?

Next builds will use openSUSE signatures and ssl cert now.

--
Adrian Schroeter <adrian@suse.de>
On Oct 07 2020, Adrian Schröter wrote:
> Next builds will use openSUSE signatures and ssl cert now.

Thanks, I can confirm that the kernel is no longer broken.

Andreas.