
Bug#1024434: osslsigncode: Fails to sign code with pkcs12


Stefan Weil

Nov 19, 2022, 7:10:04 AM
Package: osslsigncode
Version: 2.5-2
Severity: normal

Code signing no longer works with the package from Debian bookworm,
while Debian bullseye and a local build based on
https://github.com/mtrojnar/osslsigncode works fine.

Error with bookworm:

stefan@qemu:~$ osslsigncode sign -pkcs12 PATH/sw.p12 -pass PASS -n 'QEMU Setup' -i https://qemu.weilnetz.de/ -in qemu-io.exe -out qemu-io.exe.signed -ts http://timestamp.digicert.com -h sha256 -verbose -ts http://timestamp.comodoca.com
Failed to parse PKCS#12 file: PATH/sw.p12 (Wrong password?)
40493DCA727F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Failed

-- System Information:
Debian Release: bookworm/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (499, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.0.0-4-cloud-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages osslsigncode depends on:
ii libc6 2.36-5
ii libcurl3-gnutls 7.86.0-1
ii libssl3 3.0.7-1

osslsigncode recommends no packages.

osslsigncode suggests no packages.

-- no debconf information

Stephen Kitt

Nov 19, 2022, 8:11:29 AM
Hi Stefan,

On Sat, 19 Nov 2022 12:59:07 +0100, Stefan Weil <s...@weilnetz.de> wrote:
> Code signing no longer works with the package from Debian bookworm,
> while Debian bullseye and a local build based on
> https://github.com/mtrojnar/osslsigncode works fine.

Thanks for taking the time to report this!

Since you have a working build, could you run ldd on it and reply with the
result?

Regards,

Stephen

Stefan Weil

Nov 19, 2022, 9:10:03 AM
On 19.11.22 at 14:03, Stephen Kitt wrote:

> Since you have a working build, could you run ldd on it and reply with the
> result?


Working build:

    linux-vdso.so.1 (0x00007ffd29d74000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f41f5e00000)
    libcurl-gnutls.so.4 => /lib/x86_64-linux-gnu/libcurl-gnutls.so.4 (0x00007f41f615e000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f41f5c1f000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f41f7278000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f41f7273000)
    libnghttp2.so.14 => /lib/x86_64-linux-gnu/libnghttp2.so.14 (0x00007f41f7242000)
    libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f41f613d000)
    librtmp.so.1 => /lib/x86_64-linux-gnu/librtmp.so.1 (0x00007f41f611e000)
    libssh2.so.1 => /lib/x86_64-linux-gnu/libssh2.so.1 (0x00007f41f5bde000)
    libpsl.so.5 => /lib/x86_64-linux-gnu/libpsl.so.5 (0x00007f41f722e000)
    libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8 (0x00007f41f5b96000)
    libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f41f5800000)
    libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f41f5b44000)
    libldap-2.5.so.0 => /lib/x86_64-linux-gnu/libldap-2.5.so.0 (0x00007f41f5ae5000)
    liblber-2.5.so.0 => /lib/x86_64-linux-gnu/liblber-2.5.so.0 (0x00007f41f610e000)
    libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f41f5a2c000)
    libbrotlidec.so.1 => /lib/x86_64-linux-gnu/libbrotlidec.so.1 (0x00007f41f6100000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f41f57e3000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f41f7292000)
    libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f41f562d000)
    libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6 (0x00007f41f55e4000)
    libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f41f5563000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f41f5000000)
    libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f41f4ecc000)
    libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f41f554d000)
    libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f41f4df2000)
    libk5crypto.so.3 => /lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007f41f5520000)
    libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f41f60f8000)
    libkrb5support.so.0 => /lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f41f5a1e000)
    libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f41f5503000)
    libbrotlicommon.so.1 => /lib/x86_64-linux-gnu/libbrotlicommon.so.1 (0x00007f41f54e0000)
    libffi.so.7 => /lib/x86_64-linux-gnu/libffi.so.7 (0x00007f41f54d4000)
    libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f41f54cd000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f41f54bc000)

That differs from the non-working one which does not use
libcrypto.so.1.1 (that's the only difference).

It looks like libcrypto.so.1.1 is essential: after libssl1.1 (which
provides libcrypto.so.1.1) was uninstalled, a fresh build also produces
a failing osslsigncode.

So it works with libssl1, but not with libssl3.

Stefan

Stephen Kitt

Nov 19, 2022, 10:20:04 AM
On Sat, 19 Nov 2022 14:59:57 +0100, Stefan Weil <s...@weilnetz.de> wrote:
> On 19.11.22 at 14:03, Stephen Kitt wrote:
> > Since you have a working build, could you run ldd on it and reply with the
> > result?
>
[...]
>
> That differs from the non-working one which does not use
> libcrypto.so.1.1 (that's the only difference).
>
> It looks like libcrypto.so.1.1 is essential: after libssl1.1 (which
> provides libcrypto.so.1.1) was uninstalled, a fresh build also produces
> a failing osslsigncode.
>
> So it works with libssl1, but not with libssl3.

Thanks! This is an upstream bug:
https://github.com/mtrojnar/osslsigncode/issues/178

libssl1.1 is no longer available for packages to build against, so we’ll have
to wait for an upstream fix.

Regards,

Stephen

Stefan Weil

Nov 19, 2022, 10:20:04 AM
I could now debug the code and at least see which function fails:

PKCS12_parse failed with
error:0308010C:digital envelope routines::unsupported.

libssl3 no longer provides support by default for some old and insecure
algorithms. Such algorithms can be loaded by the function OSSL_PROVIDER_load
or by adding the right "providers" to the configuration of libssl.

I tried that, but failed so far. Maybe Sebastian (cc'ed) can help.

Stefan