Bug#826959: linux-signed is not yet suitable for testing



On Mon, 2017-01-23 at 15:02 +0000, Ben Hutchings wrote:
> On Mon, 2017-01-23 at 14:12 +0000, Luca Boccassi wrote:
> > On Mon, 23 Jan 2017 12:02:04 +0000 Luca Boccassi <luca.boccassi@gmail.com> wrote:
> > > On Fri, 02 Sep 2016 16:54:10 +0100 Ben Hutchings <ben@decadent.org.uk> wrote:
> > > > Control: severity -1 important
> > > > 
> > > > On Fri, 10 Jun 2016 16:55:43 +0100 Ben Hutchings <ben@decadent.org.uk>
> > > > wrote:
> > > > > Package: src:linux-signed
> > > > > Version: 1.1
> > > > > Severity: serious
> > > > > 
> > > > > Several changes are needed before it's ready for release:
> > > > > 
> > > > > 1. Building signed udebs
> > > > > 2. Removing the -signed suffix from signed image packages
> > > > 
> > > > These are now done as of version 2.2.
> > > > 
> > > > > 3. Signing with an HSM
> > > > 
> > > > This is not, and it really should be, but I think we can't treat this
> > > > as a blocker for testing propagation.
> > > > 
> > > > Ben.
> > > 
> > > Hello Ben,
> > > 
> > > I've done some minor changes to add flags to use pesign which supports
> > > hardware tokens via PKCS11. Inline patch for review.
> > > 
> > > Fortunately kbuild's sign-file already supports just passing a PKCS11
> > > URI, which makes it so much simpler. On the other hand as you most
> > > likely have found out already pesign needs an NSS DB and cert nicknames
> > > and tokens, and all in all it's a really awkward API to use, but that's
> > > what we have to work with I suppose.
> > > 
> > > What do you think?
> > > 
> > > Thanks!
> > > 
> > > Kind regards,
> > > Luca Boccassi
> > 
> > And as a followup, the build-time change to attach using pesign. The
> > build-dependency is generated based on rules.defs.
> [...]
> 
> This doesn't make sense to me.  It shouldn't matter which tool was used
> to generate the detached signature.  If pesign and sbsigntool use
> different file formats for detached signatures (WTF?) then sign.py
> should convert to a single format.
> 
> Ben.

I'm using this because I've seen sbattach barf at least once with a
pesign detached .sig (unfortunately in a build worker with ephemeral
chroot so don't have logs/files).
Might have been something as silly as padding, which IIRC sbsigntool
adds by default but pesign doesn't (there's a very helpfully not
documented --padding option). Or it might have been gremlins.

Kind regards,
Luca Boccassi
