
[kernel-tests] secureboot/pesign should allow shim sign to contain Red Hat

      failures like: https://datawarehouse.cki-project.org/kcidb/tests/22501970

      ```

      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      :: shim-x64
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

      :: [ 09:35:18 ] :: [ LOG ] :: shim-x64 RPM version: 16.1-7.el9.x86_64
      :: [ 09:35:19 ] :: [ LOG ] :: Output of 'pesign -i /boot/efi/EFI/BOOT/BOOTX64.EFI -S | tee pesign-log':
      :: [ 09:35:19 ] :: [ LOG ] :: --------------- OUTPUT START ---------------
      :: [ 09:35:19 ] :: [ LOG ] :: ---------------------------------------------
      :: [ 09:35:19 ] :: [ LOG ] :: certificate address is 0x7f6391f607b8
      :: [ 09:35:19 ] :: [ LOG ] :: Content was not encrypted.
      :: [ 09:35:19 ] :: [ LOG ] :: Content is detached; signature cannot be verified.
      :: [ 09:35:19 ] :: [ LOG ] :: The signer's common name is Microsoft Windows UEFI Driver Publisher
      :: [ 09:35:19 ] :: [ LOG ] :: No signer email address.
      :: [ 09:35:19 ] :: [ LOG ] :: No signing time included.
      :: [ 09:35:19 ] :: [ LOG ] :: There were certs or crls included.
      :: [ 09:35:19 ] :: [ LOG ] :: ---------------------------------------------
      :: [ 09:35:19 ] :: [ LOG ] :: certificate address is 0x7f6391f62da8
      :: [ 09:35:19 ] :: [ LOG ] :: Content was not encrypted.
      :: [ 09:35:19 ] :: [ LOG ] :: Content is detached; signature cannot be verified.
      :: [ 09:35:19 ] :: [ LOG ] :: The signer's common name is Microsoft UEFI CA 2023 signer
      :: [ 09:35:19 ] :: [ LOG ] :: No signer email address.
      :: [ 09:35:19 ] :: [ LOG ] :: No signing time included.
      :: [ 09:35:19 ] :: [ LOG ] :: There were certs or crls included.
      :: [ 09:35:19 ] :: [ LOG ] :: ---------------------------------------------
      :: [ 09:35:19 ] :: [ LOG ] :: certificate address is 0x7f6391f652c8
      :: [ 09:35:19 ] :: [ LOG ] :: Content was not encrypted.
      :: [ 09:35:19 ] :: [ LOG ] :: Content is detached; signature cannot be verified.
      :: [ 09:35:19 ] :: [ LOG ] :: The signer's common name is Red Hat UEFI Publisher 2024
      :: [ 09:35:19 ] :: [ LOG ] :: The signer's email address is secalert@redhat.com
      :: [ 09:35:19 ] :: [ LOG ] :: Signing time: Fri Feb 06, 2026
      :: [ 09:35:19 ] :: [ LOG ] :: There were certs or crls included.
      :: [ 09:35:19 ] :: [ LOG ] :: ---------------------------------------------
      :: [ 09:35:19 ] :: [ LOG ] :: --------------- OUTPUT END ---------------
      :: [ 09:35:19 ] :: [ PASS ] :: Command 'pesign -i /boot/efi/EFI/BOOT/BOOTX64.EFI -S | tee pesign-log' (Expected 0, got 0)
      :: [ 09:35:19 ] :: [ PASS ] :: File 'pesign-signer' should contain 'Microsoft'
      :: [ 09:35:19 ] :: [ FAIL ] :: File 'pesign-signer' should not contain 'Red Hat|Fedora|CentOS'
      :: [ 09:35:19 ] :: [ PASS ] :: File 'pesign-log' should not contain 'No signatures found'
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      :: Duration: 1s
      :: Assertions: 3 good, 1 bad
      :: RESULT: FAIL (shim-x64)
      ```

      Red Hat is now included on rhel-9.8 and 10.2. See https://issues.redhat.com/browse/RHEL-144030

      Jira: CKI-6512

              Unassigned Unassigned
              rh-ee-tdaapare Tales Lelo da Aparecida
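One way the signer check could be relaxed for a dual-signed shim, as an added example that is not the kernel-tests code. The policy is an assumption: a Microsoft signer is still required, a Red Hat signer is allowed, and Fedora or CentOS signers are still rejected. The function names and the sample input (built from the signer names in the log above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse `pesign -S` output and apply an assumed signer policy.

# Print one signer common name per line from `pesign -S` output on stdin.
# The leading ^.* also strips a beakerlib ":: [ LOG ] ::" prefix if present.
signer_names() {
    sed -n "s/^.*The signer's common name is //p"
}

# check_shim_signers FILE -> 0 if the policy holds, 1 otherwise (reasons on stderr).
check_shim_signers() {
    css_names=$(signer_names < "$1")
    css_rc=0
    if [ -z "$css_names" ]; then
        echo "FAIL: no signer common names found" >&2
        return 1
    fi
    # Required: at least one Microsoft signature, so stock firmware trusts shim.
    if ! printf '%s\n' "$css_names" | grep -q '^Microsoft '; then
        echo "FAIL: no Microsoft signer" >&2
        css_rc=1
    fi
    # Still rejected (assumed policy): Fedora or CentOS signers on this shim.
    if printf '%s\n' "$css_names" | grep -Eq 'Fedora|CentOS'; then
        echo "FAIL: unexpected Fedora/CentOS signer" >&2
        css_rc=1
    fi
    return "$css_rc"
}

# Constructed sample: the three signers from the log above, in raw pesign form.
sample_dual_signed() {
    cat <<'EOF'
The signer's common name is Microsoft Windows UEFI Driver Publisher
No signer email address.
The signer's common name is Microsoft UEFI CA 2023 signer
No signer email address.
The signer's common name is Red Hat UEFI Publisher 2024
The signer's email address is secalert@redhat.com
EOF
}

demo_log=$(mktemp)
sample_dual_signed > "$demo_log"
check_shim_signers "$demo_log" && echo "PASS: signer policy holds"
rm -f "$demo_log"
```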