
pesign fails to sign kernel modules using a self-signed certificate#130

Draft
gordonmessmer wants to merge 4 commits into rhboot:main from gordonmessmer:functional-tests

Conversation

@gordonmessmer


When signing kernel modules using a self-signed certificate, pesign fails with an error:

failed to create signed data: Peer's Certificate issuer is not recognized. (SEC_ERROR_UNKNOWN_ISSUER)

This PR attempts to resolve that error.

It also adds a set of functional tests to ensure

These tests cannot be merged as-is because they expect a kernel image and a kernel module in tests/data. I hate committing binary blobs to git repos, so I'd like your opinion on whether the tests are useful and how you'd like to handle test data.

It's probably also not sufficient to accept the exit code of pesign alone as a test result. Would you like to see any specific tests on the signed objects?

Assisted-by: Claude
Replace SEC_PKCS7CreateSignedData() with generate_spc_signed_data() to
avoid strict certificate chain validation that fails for self-signed
certificates even when trust flags are properly set.

SEC_PKCS7CreateSignedData() performs internal chain validation that
cannot be bypassed with trust flags alone, causing SEC_ERROR_UNKNOWN_ISSUER
errors when signing kernel modules with self-signed certificates.

The PE signing code already uses generate_spc_signed_data() which manually
constructs PKCS7 signatures without strict chain validation. Using the same
approach for kernel module signing allows self-signed module and kernel
certificates to work correctly.

Assisted-by: Claude
efikeygen in 116 fails with the error:
cms_common.c:find_certificate_by_callback:884: Could not find
 certificate:SEC_ERROR_EXTENSION_NOT_FOUND:Certificate extension not found.
efikeygen.c:add_trust:100: Could not find certificate

This change exits on such a failure so that the functional tests
can detect the error and prevent similar bugs in the future.
