Use SHA1 for MOK directory naming and matching

Resolves: RHEL-180344
2026-06-01 18:21:04 +02:00 · 2026-06-01 18:21:04 +02:00 · 2c4b1109d2
commit 2c4b1109d2
parent b74b7919d9
2 changed files with 58 additions and 1 deletions
--- a/systemtap-mok-sha1-fix.patch
+++ b/systemtap-mok-sha1-fix.patch
@ -0,0 +1,52 @@
+commit 41b6fa81922e2c7ba6a19f769167160b98e42bd1
+Author: Martin Cermak <mcermak@redhat.com>
+Date:   Mon Jun 1 17:40:32 2026 +0200
+
+    Use SHA1 for MOK directory naming and matching
+    
+    Commit a4bd43278 (April 2026) changed SystemTap to use SHA256 instead of
+    SHA1 for certificate fingerprinting, including MOK (Machine Owner Key)
+    directory naming and matching.  Mokutil (the system tool for managing
+    UEFI MOKs) is hardcoded to use SHA1 fingerprints.  That commit rendered
+    SystemTap incompatible with mokutil.
+    
+    Revert only the MOK fingerprint calculation back to SHA1 in
+    read_cert_info_from_file() while keeping SHA256 for the actual module
+    signing operation. This makes SystemTap's MOK directory names match what
+    mokutil displays.
+    
+    Assisted-by: Anthropic Claude
+
+diff --git a/nsscommon.cxx b/nsscommon.cxx
+index 5ab59ed8e..db88f6b8f 100644
+--- a/nsscommon.cxx
+++ b/nsscommon.cxx
+@@ -1962,12 +1962,16 @@ read_cert_info_from_file (const string &certPath, string &fingerprint)
+     }
+ 
+   // Get the fingerprint from the signature.
+-  unsigned char fingerprint_buf[32]; // SHA256_LENGTH
+  // Use SHA1 for MOK fingerprints to match mokutil behavior
+  // MOKutil always uses SHA1 fingerprints regardless of certificate signature algorithm
+  unsigned char fingerprint_buf[SHA1_LENGTH];
+   SECItem fpItem;
+-  rv = PK11_HashBuf(SEC_OID_SHA256, fingerprint_buf, derCert.data, derCert.len);
+  rv = PK11_HashBuf(SEC_OID_SHA1, fingerprint_buf, derCert.data, derCert.len);
+   if (rv)
+     {
+-      nsscommon_error (_F("Could not decode SHA256 fingerprint from file %s",
+      // Note: We use SHA1 for MOK fingerprints because mokutil (the UEFI MOK
+      // enrollment tool) always displays SHA1 fingerprints, not SHA256.
+      nsscommon_error (_F("Could not decode SHA1 fingerprint from file %s",
+ 			  certPath.c_str ()));
+       goto done;
+     }
+@@ -1976,7 +1980,7 @@ read_cert_info_from_file (const string &certPath, string &fingerprint)
+   str = CERT_Hexify(&fpItem, 1);
+   if (! str)
+   {
+-      nsscommon_error (_F("Could not hexify SHA256 fingerprint from file %s",
+      nsscommon_error (_F("Could not hexify SHA1 fingerprint from file %s",
+ 			  certPath.c_str ()));
+       goto done;
+   }
--- a/systemtap.spec
+++ b/systemtap.spec
@ -131,7 +131,7 @@ f /var/log/stap-server/log 0644 stap-server stap-server -
 Name: systemtap
 # PRERELEASE
 Version: 5.5
-Release: 1%{?release_override}%{?dist}
+Release: 2%{?release_override}%{?dist}
 # for version, see also configure.ac


@ -168,6 +168,7 @@ Summary: Programmable system-wide instrumentation system
 License: GPL-2.0-or-later
 URL: https://sourceware.org/systemtap/
 Source: ftp://sourceware.org/pub/systemtap/releases/systemtap-%{version}.tar.gz
+Patch0: systemtap-mok-sha1-fix.patch

 # Build*
 BuildRequires: make
@ -618,6 +619,7 @@ or within a container.

 %prep
 %setup -q
+%patch -P0 -p1

 %build

@ -1375,6 +1377,9 @@ exit 0

 # PRERELEASE
 %changelog
+* Mon Jun 01 2026 Martin Cermak <mcermak@redhat.com> - 5.5-2
+- Systemtap 5.5 doesn't work in SecureBoot mode
+
 * Fri May 01 2026 Frank Ch. Eigler <fche@redhat.com> - 5.5-1
 - Upstream release, see wiki page below for detailed notes.
  https://sourceware.org/systemtap/wiki/SystemTapReleases