
Checksum mismatch

Open playday3008 opened this issue 3 years ago • 3 comments

Using SetNull.efi for testing purposes.

When signed with osslsigncode (sudo osslsigncode sign -certs secureboot/keys/db/db.pem -key secureboot/keys/db/db.key -h sha256 -in SetNull.efi -out SetNull.efi.osslsigncode): [image]

When signed with sbctl (sudo sbctl sign -s SetNull.efi): [image]

Unsigned: [image]

I think your implementation does not change the PE checksum

In my case, any binary works only when signed with osslsigncode. When signed with sbctl, UEFI drops a secure boot violation: Invalid signature, blah blah blah

playday3008 Nov 23 '22 10:11

Maybe something else is causing the secure boot violation, but anyway, in my case it doesn't work when using sbctl, only when using osslsigncode

playday3008 Nov 23 '22 10:11

The calculated PE checksum unsigned seems to be wrong, so it's not unlikely that osslsigncode is handling an edge case where the starting binary is malformed.

Where did you download this binary from?

Foxboron Nov 23 '22 10:11

From the efitools package, from /usr/share/efitools/efi/SetNull.efi

playday3008 Nov 23 '22 10:11
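The stored-versus-calculated comparison discussed in this thread can be reproduced with the standard PE checksum algorithm (16-bit word sum with carry folding, plus file length). This is an added example, not code from sbctl, osslsigncode or the thread; the function names and the 256-byte sample image are constructed for illustration.

```python
import struct

def checksum_field_offset(data):
    """Return the file offset of OptionalHeader.CheckSum in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # PE signature (4) + COFF file header (20) + 64 bytes into the optional
    # header; CheckSum sits at the same offset in PE32 and PE32+.
    off = e_lfanew + 4 + 20 + 64
    if off + 4 > len(data):
        raise ValueError("truncated optional header")
    return off

def compute_pe_checksum(data):
    """Recompute the checksum over the whole file, CheckSum field as zero."""
    off = checksum_field_offset(data)
    buf = bytearray(data)
    buf[off:off + 4] = b"\0\0\0\0"
    if len(buf) % 2:
        buf.append(0)  # pad odd-length files to a whole 16-bit word
    total = sum(struct.unpack_from("<%dH" % (len(buf) // 2), buf))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def compare_checksum(data):
    """Return (stored, computed) so a mismatch can be reported."""
    off = checksum_field_offset(data)
    (stored,) = struct.unpack_from("<I", data, off)
    return stored, compute_pe_checksum(data)

def build_sample():
    """Constructed 256-byte stub with only the fields this check reads."""
    img = bytearray(256)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, checksum_field_offset(img), compute_pe_checksum(img))
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample()
    grown = sample + b"\x01" + b"\0" * 7  # constructed: data appended, header untouched
    for name, blob in (("sample", sample), ("grown", grown)):
        stored, computed = compare_checksum(blob)
        print(f"{name}: stored={stored:#x} computed={computed:#x} match={stored == computed}")
```

To check a real file, pass its bytes to `compare_checksum`, for example the unsigned binary and each signed output in turn.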