From: Andrey Borzenkov <arvidjaar@gmail.com> (by way of Andrey Borzenkov <arvidjaar@gmail.com>)
To: Andrey Borzenkov <arvidjaar@gmail.com>
Subject: [PATCH] Re: Grub verify module failed to verify a signed file
Date: Sun, 31 Mar 2013 18:02:45 +0400
Message-ID: <20130331180245.676883b1@opensuse.site>
In-Reply-To: <20130331173858.45811454@opensuse.site>
On Sun, 31 Mar 2013 17:38:58 +0400
Andrey Borzenkov <arvidjaar@gmail.com> wrote:
> On Sun, 31 Mar 2013 14:25:35 +0200
> Vladimir 'φ-coder/phcoder' Serbinenko <phcoder@gmail.com> wrote:
>
> > Only DSA is supported for now and your key is RSA.
> >
>
> I have exactly the same problem with DSA key:
>
> bor@opensuse:~> gpg --list-keys DA5DF78C
> pub 1024D/DA5DF78C 2002-02-07
> uid Andrey Borzenkov <arvidjaar@gmail.com>
> uid Andrey Borzenkov <arvidjaar@newmail.ru>
> uid Andrey Borzenkov <arvidjaar@mail.ru>
> uid Andrej Borsenkow <arvidjaar@mail.ru>
> sub 1024g/3C88F322 2002-02-07
> bor@opensuse:~> LC_ALL=C gpg --verify --verbose /tmp/test/myfile.txt.sig
> gpg: assuming signed data in `/tmp/test/myfile.txt'
> gpg: Signature made Sat Mar 30 17:23:57 2013 MSK using DSA key ID DA5DF78C
> gpg: using classic trust model
> gpg: Good signature from "Andrey Borzenkov <arvidjaar@gmail.com>"
> gpg: aka "Andrey Borzenkov <arvidjaar@newmail.ru>"
> gpg: aka "Andrey Borzenkov <arvidjaar@mail.ru>"
> gpg: aka "Andrej Borsenkow <arvidjaar@mail.ru>"
> gpg: binary signature, digest algorithm SHA1
>
> This file and signature fail verification in grub.
Fixed with patch below. BTW, while testing I noticed that gcry_dsa is
not autoloaded when running verify_detached. Need to look into it.
From: Andrey Borzenkov <arvidjaar@gmail.com>
Subject: [PATCH] fix hash numbers in verify.c
Hash numbers start with 1, not with 0. Make numbers explicit like
the rest.
Signed-off-by: Andrey Borzenkov <arvidjaar@gmail.com>
---
ChangeLog | 5 +++++
grub-core/commands/verify.c | 4 +++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 58c2242..672aa74 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2013-03-31 Andrey Borzenkov <arvidjaar@gmail.com>
+
+ * grub-core/commands/verify.c: Fix hash algorithms values for
+ the first three hashes - they start with 1, not with 0.
+
2013-03-26 Vladimir Serbinenko <phcoder@gmail.com>
* grub-core/kern/efi/mm.c (grub_efi_finish_boot_services):
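Review bot: The new ChangeLog entry names only the file, while the neighbouring entry below it uses the `file (symbol):` form. Writing it as `* grub-core/commands/verify.c (hashes): Fix ...` would record which object changed. "hash algorithms values" should also read "hash algorithm values".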
diff --git a/grub-core/commands/verify.c b/grub-core/commands/verify.c
index 6c0b580..b4d5e7b 100644
--- a/grub-core/commands/verify.c
+++ b/grub-core/commands/verify.c
@@ -123,7 +123,9 @@ struct signature_v4_header
} __attribute__ ((packed));
const char *hashes[] = {
- "md5", "sha1", "ripemd160",
+ [0x01] = "md5",
+ [0x02] = "sha1",
+ [0x03] = "ripemd160",
[0x08] = "sha256",
[0x09] = "sha384",
[0x0a] = "sha512",
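Review bot: With every entry now placed by designator, `hashes[]` has NULL slots at index 0 and at 0x04 through 0x07 and nothing past 0x0a, so a hash ID read from a signature can select an empty or out-of-range entry. The lookup itself is not in this hunk; please confirm it checks the ID against the array size and the entry against NULL before using the name, and add the check if it is missing. Separately, the context line shows the table as a non-static global with writable pointers; `static const char *const hashes[]` would fit a read-only lookup table better.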
--
tg: (c643afe..) u/hash-numbers (depends on: master)
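The off-by-one described in the commit message, as an added example that is not part of the original message and is not GRUB's code: it reads the hash algorithm ID from the start of a v4 signature packet and resolves it through the table as it stood before and after the patch. The helpers `sig_hash_id` and `hash_name` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Before the patch: the three unlabelled names land on indices 0, 1, 2. */
static const char *const hashes_old[] = {
  "md5", "sha1", "ripemd160",
  [0x08] = "sha256", [0x09] = "sha384", [0x0a] = "sha512",
};
/* After the patch: the index is the OpenPGP hash algorithm ID. */
static const char *const hashes_new[] = {
  [0x01] = "md5", [0x02] = "sha1", [0x03] = "ripemd160",
  [0x08] = "sha256", [0x09] = "sha384", [0x0a] = "sha512",
};
#define N_OLD (sizeof (hashes_old) / sizeof (hashes_old[0]))
#define N_NEW (sizeof (hashes_new) / sizeof (hashes_new[0]))

/* Hypothetical helper: hash algorithm ID of a v4 signature packet with an
   old-format header, or -1 if the bytes are not such a packet. */
static int
sig_hash_id (const uint8_t *p, size_t len)
{
  size_t hdr;
  if (len < 1 || (p[0] & 0xc0) != 0x80 || ((p[0] >> 2) & 0x0f) != 2)
    return -1;                  /* not an old-format signature packet */
  if ((p[0] & 0x03) > 1)
    return -1;                  /* only 1- and 2-octet lengths handled */
  hdr = 2 + (p[0] & 0x03);      /* tag octet plus length octets */
  if (len < hdr + 4 || p[hdr] != 4)
    return -1;                  /* version, sig type, pk algo, hash algo */
  return p[hdr + 3];
}

/* Hypothetical helper: bounds-checked lookup; gaps in the table are NULL. */
static const char *
hash_name (const char *const *table, size_t n, int id)
{
  return (id < 0 || (size_t) id >= n) ? NULL : table[id];
}

/* Constructed sample: first octets of a DSA (0x11) signature over SHA1 (0x02). */
static const uint8_t sample_sig[] = { 0x88, 0x46, 0x04, 0x00, 0x11, 0x02 };

int main (void)
{
  int id = sig_hash_id (sample_sig, sizeof (sample_sig));
  printf ("hash id %d: old table \"%s\", patched table \"%s\"\n", id,
          hash_name (hashes_old, N_OLD, id), hash_name (hashes_new, N_NEW, id));
  return 0;
}
```

With the old table a SHA1 signature is hashed with the wrong algorithm, which is consistent with a file that gpg accepts failing verification in GRUB.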