cbgbt
commented
4 months ago We've opted to instead include this fix in the SDK itself in https://github.com/bottlerocket-os/bottlerocket-sdk/pull/194
Closed cbgbt closed 4 months ago
cbgbt
commented
4 months ago We've opted to instead include this fix in the SDK itself in https://github.com/bottlerocket-os/bottlerocket-sdk/pull/194
Description of changes: During image creation, bottlerocket uses the
pesigcheckutility to verify secureboot signatures on all signed artifacts. The signature validation is implemented via libnss.The next Bottlerocket SDK release will move to NSS 3.101.
In NSS 3.101, lib::pkix was enabled as the default X.509 validator. This causes pesigcheck to fail with "Peer's Certificate issuer is not recognized," despite the CA issuer being provided to pesigcheck.
This change sets
NSS_DISABLE_PKIX_VERIFY=1, which reverts to the previous default verifier.I've opened https://github.com/bottlerocket-os/twoliter/issues/334 to root-cause the changes in pkix which cause the issue. We will revert to the previous validator while working to become compatible with pkix.
Testing done:
0.42.0and test artifacts for0.43.0.Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.