Broken signing files for secureboot [SOLVED]

[ololoshwin]

I'm using secureboot with own keys.

Portage is not able to sign files.

$ sudo emerge -1av sys-apps/memtest86+
...
[ebuild R ] sys-apps/memtest86+-7.20::gentoo USE="boot secureboot uefi64 -bios32 -bios64 -iso32 -iso64 -uefi32" 0 KiB
...
* Signing /var/tmp/portage/sys-apps/memtest86+-7.20/image/boot/memtest86plus/memtest.efi64 ...
Signing Unsigned original image
...

1. Installation without warnings.

2. sbverify --cert=/var/lib/sbctl/keys/PK/PK.pem /boot/memtest86plus/memtest.efi64
Signature verification OK

3. sbctl verify /boot/memtest86plus/memtest.efi64
✗ /boot/memtest86plus/memtest.efi64 is not signed


Why sbctl can not verify signature created by portage and sbsign ?

[justguy]

dont use secure boot

[Hu]

dont use secure boot

This is not helpful, and is particularly undesirable in a thread that previously had 0 responses. Some users run a canned search for threads with zero replies as a way of finding posts to answer. When you replied, you removed this thread from the list, even though you were neither offering a solution nor soliciting information that we could use to help the poster. Thus, they would no longer see your thread on the list of unanswered threads.

OP: would you like for me to split off justguy's post and my post, to return this thread to the unanswered posts list?

[justguy]

secure boot makes installation harder, if dont wanna get malware while installing, i recommend troubleshoot instead of making secure boot

[Hu]

Yes, Secure Boot adds complications. OP chose to accept those complications, and has a specific problem that he wants help solving. From my limited knowledge of Secure Boot, I think OP's question looks reasonable.

[Nowa]

Why sbctl can not verify signature created by portage and sbsign ?

It's probably attempting verification with the wrong key/certificate (possibly the portage certificate you used is not registered with UEFI/shim yet). Try listing all signatures with "sbverify --list".

[ololoshwin]

It's probably attempting verification with the wrong key/certificate (possibly the portage certificate you used is not registered with UEFI/shim yet). Try listing all signatures with "sbverify --list".

Code: Select all

# sbverify  --list /boot/memtest86plus/memtest.efi64
signature 1
image signature issuers:
 - /C=Platform Key/CN=Platform Key
image signature certificates:
 - subject: /C=Platform Key/CN=Platform Key
   issuer:  /C=Platform Key/CN=Platform Key

Platform key was created by sbctl create-keys

Code: Select all

# openssl x509  -text -noout < /var/lib/sbctl/keys/PK/PK.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ***STRIPPED***
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=Platform Key, CN=Platform Key
        Validity
            Not Before: ***STRIPPED*** 2025 GMT
            Not After : ***STRIPPED*** 2030 GMT
        Subject: C=Platform Key, CN=Platform Key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:...

[ololoshwin]

After fixing by sbctl sign result is:

Code: Select all

# sbverify  --list /boot/memtest86plus/memtest.efi64
signature 1
image signature issuers:
 - /C=Platform Key/CN=Platform Key
image signature certificates:
 - subject: /C=Platform Key/CN=Platform Key
   issuer:  /C=Platform Key/CN=Platform Key
signature 2
image signature issuers:
 - /C=Database Key/CN=Database Key
image signature certificates:
 - subject: /C=Database Key/CN=Database Key
   issuer:  /C=Database Key/CN=Database Key

[Nowa]

You configured Portage to use the Platform Key, but that should be the Database key. Note that portage will use that key automatically if none are specified.

[ololoshwin]

portage will use that key automatically if none are specified.

Thanks. Some time ago portage require to set SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_KEY variables to build secureboot packages.

I've removed these variables and signing works.