Date: Sun, 31 Mar 2013 18:02:45 +0400
From: Andrey Borzenkov
To: Andrey Borzenkov
Resent-To: grub-devel@gnu.org
Subject: [PATCH] Re: Grub verify module failed to verify a signed file
Message-ID: <20130331180245.676883b1@opensuse.site>
In-Reply-To: <20130331173858.45811454@opensuse.site>

On Sun, 31 Mar 2013 17:38:58 +0400, Andrey Borzenkov wrote:
> On Sun, 31 Mar 2013 14:25:35 +0200,
> Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>
> > Only DSA is supported for now and your key is RSA.
> >
>
> I have exactly the same problem with DSA key:
>
> bor@opensuse:~> gpg --list-keys DA5DF78C
> pub 1024D/DA5DF78C 2002-02-07
> uid Andrey Borzenkov
> uid Andrey Borzenkov
> uid Andrey Borzenkov
> uid Andrej Borsenkow
> sub 1024g/3C88F322 2002-02-07
> bor@opensuse:~> LC_ALL=C gpg --verify --verbose /tmp/test/myfile.txt.sig
> gpg: assuming signed data in `/tmp/test/myfile.txt'
> gpg: Signature made Sat Mar 30 17:23:57 2013 MSK using DSA key ID DA5DF78C
> gpg: using classic trust model
> gpg: Good signature from "Andrey Borzenkov "
> gpg: aka "Andrey Borzenkov "
> gpg: aka "Andrey Borzenkov "
> gpg: aka "Andrej Borsenkow "
> gpg: binary signature, digest algorithm SHA1
>
> This file and signature fail verification in grub.

Fixed with patch below. BTW, while testing I noticed that gcry_dsa is not
autoloaded when running verify_detached. Need to look into it.

From: Andrey Borzenkov
Subject: [PATCH] fix hash numbers in verify.c

Hash numbers start with 1, not with 0. Make numbers explicit like the
rest.

Signed-off-by: Andrey Borzenkov

--- ChangeLog | 5 +++++ grub-core/commands/verify.c | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 58c2242..672aa74 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2013-03-31 Andrey Borzenkov + + * grub-core/commands/verify.c: Fix hash algorithms values for + the first three hashes - they start with 1, not with 0. + 2013-03-26 Vladimir Serbinenko =20 * grub-core/kern/efi/mm.c (grub_efi_finish_boot_services): diff --git a/grub-core/commands/verify.c b/grub-core/commands/verify.c index 6c0b580..b4d5e7b 100644 --- a/grub-core/commands/verify.c +++ b/grub-core/commands/verify.c
@@ -123,7 +123,9 @@ struct signature_v4_header } __attribute__ ((packed)); =20 const char *hashes[] =3D { - "md5", "sha1", "ripemd160", + [0x01] =3D "md5", + [0x02] =3D "sha1", + [0x03] =3D "ripemd160", [0x08] =3D "sha256", [0x09] =3D "sha384", [0x0a] =3D "sha512", --=20 tg: (c643afe..) u/hash-numbers (depends on: master)
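
Review bot: The new ChangeLog entry names only the file, while the entry directly below it uses the `file (symbol):` form, as in `(grub_efi_finish_boot_services)`; naming the changed table, e.g. `grub-core/commands/verify.c (hashes):`, would keep the entry consistent with its neighbours and easier to grep. "hash algorithms values" would also read better as "hash algorithm values".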
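
Review bot: In the verify.c hunk, starting the table at `[0x01]` leaves `hashes[0]` NULL, in addition to the existing gap between `[0x03]` and `[0x08]`, so the code that indexes `hashes[]` with the hash id read from the signature (outside this hunk) has to reject both out-of-range ids and NULL entries before it uses the name; please confirm it does, since index 0 previously held a string. A one-line comment above the table stating that the indices are the OpenPGP hash algorithm ids (RFC 4880, section 9.4) would record why they start at 1, and the pointers could be declared `const` as well if nothing assigns to the table.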