Ubuntu CD Images

xenial secureboot images not signed

Bug #1525393 reported by Max Brustkern
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu CD Images
Fix Released
Undecided
Unassigned
debian-installer (Ubuntu)
Fix Released
Undecided
Adam Conrad

Bug Description

When I try to run sbverify on EFI/BOOT/BOOTx64.EFI on current xenial desktop amd64 images, I get:
No signature table present
Unable to read signature data from /home/max/mount.d/EFI/BOOT/BOOTx64.EFI
Signature verification failed

Revision history for this message
Steve Langasek (vorlon) wrote :

This has been tracked down to a mis-build of debian-installer, caused by a network blip leading to wget to fail to grab the correct grub-signed bits from the Ubuntu archive.

A simple rebuild of d-i and the image will correct the problem. But the d-i code should also be improved to treat a failing wget here as a build failure.

Changed in debian-installer (Ubuntu):
assignee: nobody → Adam Conrad (adconrad)
status: New → Triaged
Revision history for this message
Adam Conrad (adconrad) wrote :

After the new d-i rebuilds and a set of dailies are built with it, the ISOs will be fixed, but keeping the d-i bug open for the source to be fixed to be more robust.

Changed in ubuntu-cdimage:
status: New → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

In build/util/efi-image:

                        if wget -q "$file" -O "$workdir/grub$efi_name.efi" 2>/dev/null

Will lead to a 0-length grubx64.efi and skipping signed shim if wget fails.

This should be fixed to download to a temp location and only copy in place if it succeeds and, probably, also be a hard failure if we can determine that we're expecting this to be a signed build.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu406

---------------
debian-installer (20101020ubuntu406) xenial; urgency=medium

  * If KERNELNAME_ALT_SUFFIX is specified, require a signed grub too.
  * Fix grub-signed download code to cope with new apt (LP: #1525393)

 -- Adam Conrad <email address hidden> Fri, 11 Dec 2015 17:48:00 -0700

Changed in debian-installer (Ubuntu):
status: Triaged → Fix Released
Adam Conrad (adconrad)
Changed in ubuntu-cdimage:
status: Fix Committed → Fix Released
Revision history for this message
Max Brustkern (nuclearbob) wrote : Re: [Bug 1525393] Re: xenial secureboot images not signed

Excellent, the image I grabbed now is signed. The signature verification
with the key I'm using is still failing, but I can look into that
separately.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.