Bug#925550: grub-efi-amd64-signed: Cannot verify grubx64.efi.signed against "Debian Secure Boot CA"
Colin Watson
cjwatson at debian.org
Fri Mar 29 21:25:11 GMT 2019
Control: reassign -1 ftp.debian.org
Control: affects -1 grub-efi-amd64-bin
On Tue, Mar 26, 2019 at 06:47:59PM +0100, Marc Riedel wrote:
> I cannot verify grubx64.efi.signed against "Debian Secure Boot CA"
> (https://dsa.debian.org/secure-boot-ca).
>
> Steps to reproduce:
>
> sbverify --list /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
> signature 1
> image signature issuers:
> - /CN=Debian Secure Boot CA
> image signature certificates:
> - subject: /CN=Debian Secure Boot Signer
> issuer: /CN=Debian Secure Boot CA
>
> wget -q -O - https://dsa.debian.org/secure-boot-ca | openssl x509 -inform der
> -outform pem -out secure-boot-ca.pem
>
> openssl x509 -in secure-boot-ca.pem -text -noout
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: CN = Debian Secure Boot CA
> Validity
> Not Before: Aug 16 18:09:18 2016 GMT
> Not After : Aug 9 18:09:18 2046 GMT
> Subject: CN = Debian Secure Boot CA
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public-Key: (2048 bit)
> Modulus:
> 00:9d:95:d4:8b:9b:da:10:ac:2e:ca:82:37:c1:a4:
> cb:4a:c3:1b:42:93:c2:7a:29:d3:6e:dd:64:af:80:
> af:ea:66:a2:1b:61:9c:83:0c:c5:6b:b9:35:25:ff:
> c5:fb:e8:29:43:de:ce:4b:3d:c6:12:4d:b1:ef:26:
> 43:95:68:cd:04:11:fe:c2:24:9b:de:14:d8:86:51:
> e8:38:43:bd:b1:9a:15:e5:08:6b:f8:54:50:8b:b3:
> 4b:5f:fc:14:e4:35:50:7c:0b:b1:e2:03:84:a8:36:
> 48:e4:80:e8:ea:9f:fa:bf:c5:18:7b:5e:ce:1c:be:
> 2c:80:78:49:35:15:c0:21:cf:ef:66:d5:8a:96:08:
> 2b:66:2f:48:17:b1:e7:ec:82:8f:07:e6:ca:e0:5f:
> 71:24:39:50:0a:8e:d1:72:28:50:a5:9d:21:f4:e3:
> 61:ba:09:03:66:c8:df:4e:26:36:0b:15:0f:63:1f:
> 2b:af:ab:c4:28:a2:56:64:85:8d:a6:55:41:ae:3c:
> 88:95:dd:d0:6d:d9:29:db:d8:c4:68:b5:fc:f4:57:
> 89:6b:14:db:e0:ef:ee:40:0d:62:1f:ea:58:d4:a3:
> d8:ba:03:a6:97:2e:c5:6b:13:a4:91:77:a6:b5:ad:
> 23:a7:eb:0a:49:14:46:7c:76:e9:9e:32:b4:89:af:
> 57:79
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> Authority Information Access:
> CA Issuers - URI:https://dsa.debian.org/secure-boot-ca
>
> X509v3 Authority Key Identifier:
> keyid:6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
>
> Netscape Cert Type: critical
> SSL Client, SSL Server, S/MIME, Object Signing, SSL CA, S/MIME
> CA, Object Signing CA
> X509v3 Extended Key Usage:
> Code Signing
> X509v3 Key Usage: critical
> Digital Signature, Certificate Sign, CRL Sign
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Subject Key Identifier:
> 6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
> Signature Algorithm: sha256WithRSAEncryption
> 77:96:3e:47:c9:ce:09:cf:8b:89:ce:59:ed:26:0e:26:0b:b9:
> ad:a9:2b:bd:a1:eb:88:79:02:ff:31:de:fe:f5:6a:07:ef:61:
> 13:11:70:1e:bf:9c:4e:66:6c:e1:62:12:97:01:57:65:47:dd:
> 4a:c6:f7:f4:de:a8:f1:13:62:cc:83:57:ac:3c:a6:91:15:af:
> 55:26:72:69:2e:14:cd:dd:4d:b3:d1:60:24:2d:32:4f:19:6c:
> 11:5e:f2:a3:f2:a1:5f:62:0f:30:ae:ad:f1:48:66:64:7d:36:
> 44:0d:06:34:3d:2e:af:8e:9d:c3:ad:c2:91:d8:37:e0:ee:7a:
> 5f:82:3b:67:8e:00:8a:c4:a4:df:35:16:c2:72:2b:4c:51:d7:
> 93:93:9e:ba:08:0d:59:97:f2:e2:29:a0:44:4d:ea:ee:f8:3e:
> 02:60:ca:15:cf:4e:9a:25:91:84:3f:b7:5a:c7:ee:bc:6b:80:
> a3:d9:fd:b2:6d:7a:1e:63:14:eb:ef:f1:b0:40:25:d5:e8:0e:
> 81:eb:6b:f7:cb:ff:e5:21:00:22:2c:2e:9a:35:60:12:4b:5b:
> 5f:38:46:84:0c:06:9c:cf:72:93:62:18:ee:5c:98:d6:b3:7d:
> 06:25:39:95:df:4e:60:76:b0:06:7b:08:b0:6e:e3:64:9f:21:
> 56:ad:39:0f
>
> sbverify --cert secure-boot-ca.pem /usr/lib/grub/x86_64-efi-
> signed/grubx64.efi.signed
> Signature verification failed
>
> Can you please point me to the right certificate?
The ftpmasters maintain the signing apparatus, so I think I need to pass
this over to them (either to update the published certificate, or to fix
the signing, or to advise on the correct verification method - I haven't
worked out which).
Thanks,
--
Colin Watson [cjwatson at debian.org]
More information about the Pkg-grub-devel
mailing list