fwupd signature validation #7668

mschmitt · 2024-08-30T09:20:40Z

mschmitt
Aug 30, 2024

Hey everyone,

I've been asked to demonstrate how fwupd downloads are signed and validated.

There's a jcat manifest in /var/lib/fwupd/metadata/lvfs/metadata.xml.xz.jcat, which references a file firmware.xml.xz, that's nowhere on the system. However, the checksums in the manifest suggest that metadata.xml.xz, in the same directory might be this missing firmware.xml.xz, and in fact, it is:

# jcat-tool add-alias metadata.xml.xz.jcat firmware.xml.xz metadata.xml.xz
# jcat-tool --public-keys /etc/pki/fwupd verify metadata.xml.xz.jcat 
firmware-07438-stable.xml.xz:
    PASSED sha1: OK
    PASSED sha256: OK
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2

What could be the reason for the actual filename being absent in the manifest?

This is on Debian 12:

# fwupdmgr --version
compile   org.freedesktop.fwupd         1.8.12
compile   com.hughsie.libxmlb           0.3.10
compile   com.hughsie.libjcat           0.1.9
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.3.10
runtime   com.dell.libsmbios            2.4
runtime   org.freedesktop.gusb          0.3.10
runtime   org.freedesktop.fwupd         1.8.12
runtime   org.kernel                    6.1.0-23-amd64

Answered by hughsie

Sep 9, 2024

How about #7721 as a nice ending. :)

View full answer

hughsie · 2024-08-30T13:05:26Z

hughsie
Aug 30, 2024
Maintainer

There's a jcat manifest in /var/lib/fwupd/metadata/lvfs/metadata.xml.xz.jcat, which references a file firmware.xml.xz

The firmware.xml.xz is an alias -- i.e. what the file might be called. e.g. see:

jcat-tool info /var/lib/fwupd/metadata/lvfs/metadata.xml.zst.jcat
JcatFile:
  Version:               0.1
  JcatItem:
    ID:                  firmware-07437-stable.xml.zst
    AliasId:             firmware.xml.zst

i.e. fwupd downloads metadata.xml.zst.jcat find the firmware-07437-stable.xml.zst filename, and then saves it as firmware.xml.zst in the cache. The reason we do this is that the cdn might give us a metadata.xml.zst.jcat from yesterday, in which case we want the exact metadata from yesterday -- rather than one 12 h old and one 6 hours old.

0 replies

mschmitt · 2024-09-02T09:56:12Z

mschmitt
Sep 2, 2024
Author

Thanks for the reply! If both the XML and the JCAT file get routinely renamed, wouldn't it make sense to have the other filename embedded in the JCAT as well?

Also, another question: How do /etc/pki/fwupd/ and /var/lib/fwupd/gnupg/ relate to each other? Is /var/lib/fwupd/gnupg/ only updated on the fly from /etc/pki/fwupd/ or may it at some later point update keys from a metadata server on the fly?

9 replies

mschmitt Sep 2, 2024
Author

Aliases do seem to work, but the alias simply isn't there.

# jcat-tool --public-keys /etc/pki/fwupd verify metadata.xml.xz.jcat
firmware-07440-stable.xml.xz:
    FAILED: Could not find ./firmware-07440-stable.xml.xz or ./firmware.xml.xz
Validation failed
# jcat-tool add-alias metadata.xml.xz.jcat firmware.xml.xz metadata.xml.xz
# jcat-tool --public-keys /etc/pki/fwupd verify metadata.xml.xz.jcat
firmware-07440-stable.xml.xz:
    PASSED sha1: OK
    PASSED sha256: OK
    PASSED pkcs7: O=Linux Vendor Firmware Project,CN=LVFS CA
    PASSED gpg: 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2

mschmitt Sep 2, 2024
Author

So I installed the snap, and packaged with it still is the same unupdated version of libjcat:

# fwupdmgr --version
compile   com.hughsie.libxmlb           0.3.18
compile   io.snapcraft.fwupd            6305
compile   com.hughsie.libjcat           0.1.9
compile   org.freedesktop.fwupd         1.9.23
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.3.10
runtime   com.hughsie.libxmlb           0.3.x
runtime   org.freedesktop.gusb          0.3.10
runtime   org.freedesktop.fwupd         1.9.23
runtime   org.kernel                    6.1.0-23-amd64

Is there any way to see a validating signature out of the box, without having to manipulate the JCAT manifest? What makes you so confident the alias is in the JCAT when in fact it isn't? Am I using this wrong?

hughsie Sep 2, 2024
Maintainer

but the alias simply isn't there

$ wget https://cdn.fwupd.org/downloads/firmware.xml.zst.jcat
$ jcat-tool info firmware.xml.zst.jcat 
JcatFile:
  Version:               0.1
  JcatItem:
    ID:                  firmware-07440-stable.xml.zst
    AliasId:             firmware.xml.zst
...

You need a new libjcat. Maybe @superm1 can update it in the snap?

superm1 Sep 2, 2024
Maintainer

It's because we don't have a bigger version in our subproject for 1_9_X. This will bump it.
#7683

superm1 Sep 3, 2024
Maintainer

OK, confirmed the 1_9_X snap build pulled it in:
https://github.com/fwupd/fwupd/actions/runs/10669985348/job/29573036979

You can switch to the 1.9.x/edge build (1.9.24-4-g4a8c618a6) to pick it up.

mschmitt · 2024-09-02T15:03:13Z

mschmitt
Sep 2, 2024
Author

Now validate /var/lib/fwupd/metadata/lvfs/metadata.xml.zstd using this manifest.

8 replies

hughsie Sep 3, 2024
Maintainer

@superm1 i think the easiest thing to do would be to save the metadata /var/lib/fwupd/metadata/lvfs/firmware.xml.zst rather than /var/lib/fwupd/metadata/lvfs/metadata.xml.zst -- then we can validate easier. Concur?

superm1 Sep 3, 2024
Maintainer

As long as we keep it in the metadata directory I think that's totally fine

mschmitt Sep 9, 2024
Author

Thanks to the JCAT clarifications in this topic, my corporate client here decided to permit the use of fwupd on a larger number of laptops. Thanks for your work and support. :-)

hughsie Sep 9, 2024
Maintainer

How about #7721 as a nice ending. :)

Answer selected by hughsie

fwupd signature validation #7668

Uh oh!

mschmitt Aug 30, 2024

Replies: 3 comments · 17 replies

Uh oh!

hughsie Aug 30, 2024 Maintainer

Uh oh!

mschmitt Sep 2, 2024 Author

Uh oh!

mschmitt Sep 2, 2024 Author

Uh oh!

mschmitt Sep 2, 2024 Author

Uh oh!

hughsie Sep 2, 2024 Maintainer

Uh oh!

superm1 Sep 2, 2024 Maintainer

Uh oh!

superm1 Sep 3, 2024 Maintainer

Uh oh!

mschmitt Sep 2, 2024 Author

Uh oh!

hughsie Sep 3, 2024 Maintainer

Uh oh!

superm1 Sep 3, 2024 Maintainer

Uh oh!

mschmitt Sep 9, 2024 Author

Uh oh!

hughsie Sep 9, 2024 Maintainer

mschmitt
Aug 30, 2024

Replies: 3 comments 17 replies

hughsie
Aug 30, 2024
Maintainer

mschmitt
Sep 2, 2024
Author

mschmitt Sep 2, 2024
Author

mschmitt Sep 2, 2024
Author

hughsie Sep 2, 2024
Maintainer

superm1 Sep 2, 2024
Maintainer

superm1 Sep 3, 2024
Maintainer

mschmitt
Sep 2, 2024
Author

hughsie Sep 3, 2024
Maintainer

superm1 Sep 3, 2024
Maintainer

mschmitt Sep 9, 2024
Author

hughsie Sep 9, 2024
Maintainer