Error signing bundles: couldn't parse signature: WINCertificate revision should be 200, but is 0. Malformed or invalid: could not parse struct

Open lebeanshoe opened this issue 3 years ago • 3 comments

When updating my system with yay today I got the error couldn't parse signature: WINCertificate revision should be 200, but is 0. Malformed or invalid: could not parse struct. It had just worked yesterday with no problems.

Manually signing the bundles also no longer works: sudo sbctl sign -s /efi/EFI/Linux/linux-linux.efi outputs /efi/EFI/Linux/linux-linux.efi: couldn't parse signature: WINCertificate revision should be 200, but is 0. Malformed or invalid: could not parse struct

Running sudo sbctl list-bundles returns the same error for all the bundles.

sbctl status returns:

    Installed:    ✓ sbctl is installed
    Owner GUID:   bc9ecf4a-87eb-4b48-b099-3bd5086be7fd
    Setup Mode:   ✓ Disabled
    Secure Boot:  ✓ Enabled
    Vendor Keys:  microsoft

Nothing has broken so far, Arch runs fine with secure boot enabled after a reboot, but it's still a scary issue to have as I'm quite the Linux noob. I've thought about just remaking the bundles but I'm not sure if deleting the old ones would cause any issues and I'm just generally unsure how to proceed.

lebeanshoe, Jul 05 '22 18:07

Weird, could you upload the file somewhere?

Generally you can delete it and run mkinitcpio -P && sbctl sign-all and it should be fine.

Foxboron, Jul 05 '22 19:07

Here's the .efi files: https://drive.google.com/drive/folders/1296OlYAxqFt6sFFRORJrtpaCfrECc98t?usp=sharing

Thanks, I'll try that if it ever breaks.

lebeanshoe, Jul 06 '22 03:07

Does this still happen if you re-create the files? If it does happen please give me a copy of the unsigned file. Currently it seems to me that the file was never properly written, but the header telling sbctl the location of the signature somehow points to a place in the middle of the binary.

Foxboron, Jul 06 '22 16:07
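The condition described in the comment above (the PE header's certificate-table pointer landing in the middle of the binary) can be checked directly. This is an added example, not code from the thread or from sbctl; `cert_table_problems`, `sample_image` and the 1 KiB test image are constructed for illustration, and the "inside section data" test is a sanity heuristic.

```python
import struct

def cert_table_problems(image: bytes) -> list:
    """List reasons the PE certificate table cannot hold a valid WIN_CERTIFICATE."""
    try:
        (pe,) = struct.unpack_from("<I", image, 0x3C)          # e_lfanew
        # NumberOfSections at pe+6, SizeOfOptionalHeader at pe+20
        nsect, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
        opt = pe + 24                                          # optional header start
        (magic,) = struct.unpack_from("<H", image, opt)
        dir_base = {0x10B: 96, 0x20B: 112}.get(magic)          # PE32 / PE32+
        if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0" or dir_base is None:
            return ["not a PE32/PE32+ image"]
        # Data directory 4 (security) holds a file offset and size, not an RVA.
        off, size = struct.unpack_from("<II", image, opt + dir_base + 8 * 4)
        if off == 0 and size == 0:
            return []                                          # unsigned image
        data_end = 0
        for i in range(nsect):                                 # 40-byte section headers
            raw_size, raw_ptr = struct.unpack_from("<II", image, opt + opt_size + 40 * i + 16)
            data_end = max(data_end, raw_ptr + raw_size)
        problems = []
        if off < data_end:
            problems.append("certificate table offset lies inside section data")
        if off + size > len(image):
            problems.append("certificate table extends past end of file")
        if off + 8 <= len(image):                              # dwLength, wRevision, wCertificateType
            _length, revision, _ctype = struct.unpack_from("<IHH", image, off)
            if revision != 0x0200:
                problems.append(f"WIN_CERTIFICATE revision should be 200, but is {revision:x}")
        return problems
    except struct.error:
        return ["truncated or malformed PE headers"]

def sample_image(cert_off: int, cert_size: int, signed: bool) -> bytes:
    """Constructed minimal PE32+ skeleton: one 0x200-byte section at file offset 0x200."""
    img = bytearray(0x400)
    img[:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    struct.pack_into("<HH", img, 0x84, 0x8664, 1)              # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x94, 240)                     # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", img, 0x98 + 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x98 + 112 + 32, cert_off, cert_size)
    struct.pack_into("<II", img, 0x188 + 16, 0x200, 0x200)     # SizeOfRawData, PointerToRawData
    img[0x200:0x400] = b"IO" * 0x100                           # filler standing in for section data
    if signed:                                                 # well-formed header appended at EOF
        img += struct.pack("<IHH", cert_size, 0x0200, 0x0002) + bytes(cert_size - 8)
    return bytes(img)
```

To inspect a real bundle, pass the file's bytes, for example `cert_table_problems(open(path, "rb").read())`.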

Closing as there were no replies.

Foxboron, Dec 14 '22 22:12

Sorry to "reopen" the issue. Today my kernel updates ran into the same problem as above.

    sbctl sign /boot/EFI/Linux/arch-linux-zen.efi
    /boot/EFI/Linux/arch-linux-zen.efi: couldn't parse signature: WINCertificate revision should be 200, but is 4f49. Malformed or invalid: could not parse struct

I don't know what exactly changed in the mkinitcpio generation process. Every regeneration via mkinitcpio -P of the efi file(s) causes the same error. Here's an example efi file:

    -k /boot/vmlinuz-linux-zen -c /etc/mkinitcpio.conf -U /boot/EFI/Linux/arch-linux-zen.efi -g /boot/initramfs-linux-zen.img --microcode /boot/amd-ucode.img
    ==> Starting build: '6.5.6-zen2-1-zen'

arch-linux-zen.efi MD5: 2f5aa5f365c171007fecca0d266b5a6f

testos77, Oct 08 '23 13:10

For testing purposes I switched from sbctl to sbsign using the same keys in my setup. sbsign doesn't like the generated efi files either but only gives a warning and finally signs them:

    sbsign --key DB.key --cert DB.crt --output /boot/EFI/Linux/arch-linux-zen.efi /boot/EFI/Linux/arch-linux-zen.efi
    warning: checksum areas are greater than image size. Invalid section table?
    Signing Unsigned original image

testos77, Oct 09 '23 13:10