Skip to content

Cannot verify signatures signed by sbsigntool #1

Description

@sharathkurudi

I have created shim.efi using the Makefile in https://github.com/rhboot/shim. Signed the generated shim.efi using the keys generated by openssl and the sbsign executable. (Command sbsign --key shim.key --cert shim.crt). I got the following warning message " warning: data remaining[1034752 vs 1159672]: gaps between PE/COFF sections?".
The generated efi did not pass the signature validation check in the new BIOS.

On further investigation I found that in the following if statement
if (bytes + image->cert_table_size < image->size), a new checksum region is added.
On commenting/removing the above checksum addition, the generated efi passed the validation check in the BIOS.

I would like to know why the extra bytes are added and is there any other way to solve this issue

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions