[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug #38620] Unable to verify a signature using Verify module in grub

From: Wei Hu
Subject: [bug #38620] Unable to verify a signature using Verify module in grub
Date: Thu, 28 Mar 2013 23:30:52 +0000
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0


                 Summary: Unable to verify a signature using Verify module in
                 Project: GNU GRUB
            Submitted by: whu
            Submitted on: Thu 28 Mar 2013 11:30:52 PM GMT
                Category: Security
                Severity: Major
                Priority: 5 - Normal
              Item Group: Software Error
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: wei hu
        Originator Email: address@hidden
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 1.97
         Reproducibility: Every Time
         Planned Release: None



I am trying to use the grub verify module to verify a detached signature I
signed using gpg on Linux. I did two different signings. Both of them failed,
but at the different places in grub_verify_signature(). I am wonder if I did
something wrong or the module has some bugs in it. Let me detail my procedure
here. The text file, signature file and my public key are all attached.

Signing Approach 1

On my Ubuntu system, say I want to detached sign myfile.txt

> gpg --detach-sign myfile.txt

It creates the signature file myfile.txt.sig. I noticed it uses ripemd160 hash
algorithm. Then I export my public key as

> gpg --output my.pubkey --export 'address@hidden'

The my.pubkey file contains my public key.  Then I create a grub rescue cd
image with all these three file myfile.txt myfile.txt.sig and my.pubkey.

> grub-mkrescue -o image.iso ./myfile.txt ./myfile.txt.sig ./my.pubkey

After this, I booted the image and at the grub prompt I did

grub > verify_detached /myfile.txt /myfile.txt.sig /my.pubkey

It returns bad signature in grub_verify_signature() after following line:
    hash->final (context);
    grub_dprintf ("crypt", "aliven");
    hval = hash->read (context);
    if (grub_file_read (sig, hash_start, sizeof (hash_start)) != sizeof
         return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));    

    if (grub_memcmp (hval, hash_start, sizeof (hash_start)) != 0)
      return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));        
<-- - failed here

My understanding is it calls ripemd160 algorithm to verify a two byte hash
value and it failed. So I try to change the algorithm using in gpg for hashing
as follows:

Signing Approch 2

I just sign the myfile.txt with sha512 like this:

> gpg --digest-algo sha512 --detach-sign myfile.txt

It creates a myfile.txt.sig file. Then a created the iso image and boot just
as in approach 1.

grub > verify_detached /myfile.txt /myfile.txt.sig /my.pubkey

This time I went much further in grub_verify_signature(). It seem failed at
last when calling dsa verify routine:

    unsigned nbits = gcry_mpi_get_nbits (sk->mpis[1]);
    grub_dprintf ("crypt", "must be %u bits got %d bitsn", nbits,
                  (int)(8 * hash->mdlen));                                    
              <---- Here debug output is: must be 17 bits got 512 bits
    if (!grub_crypto_pk_dsa)
      return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("module `%s' isn't
loaded"), "gcry_dsa");
    if (grub_crypto_pk_dsa->verify (0, hmpi, mpis, sk->mpis, 0, 0))           
                     <------ failed here.
      return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));        

So I guess I was not doing right somewhere? Have you tested this verification
module? The grub_dprintf() output (expecting 17bits but got 512 bits) is very

For this Verify module to work, what tool and what procedure should I follow
to sign a file?


File Attachments:

Date: Thu 28 Mar 2013 11:30:52 PM GMT  Name: my.pubkey  Size: 1kB   By: whu

Date: Thu 28 Mar 2013 11:30:52 PM GMT  Name: myfile.txt  Size: 17B   By: whu

Date: Thu 28 Mar 2013 11:30:52 PM GMT  Name: myfile.txt.ripemd160.sig  Size:
287B   By: whu

Date: Thu 28 Mar 2013 11:30:52 PM GMT  Name: myfile.txt.sha512.sig  Size: 287B
  By: whu



Reply to this item at:


  Message sent via/by Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]