test_ukify: use sha384 in the signing tests

On Fedora, with crypto policy TEST-FEDORA41, sha1 is not allowed: $ SYSTEMD_LOG_LEVEL=debug build/systemd-measure sign --linux=/lib/modules/6.9.7-200.fc40.x86_64/vmlinuz --osrel=/tmp/tmp.osrelbl2sr77f --cmdline=/tmp/tmp.cmdlineouc7hqtj --uname=/tmp/tmp.unamecbjgesty --pcrpkey=/tmp/tmpufiadu8l --initrd=/boot/3a9d668b4db749398a4a5e78a03bffa5/6.9.7-200.fc40.x86_64/initrd --sbat=/tmp/tmp.sbataz9arpy0 --private-key=/tmp/tmppyf0gx6w --public-key=/tmp/tmpufiadu8l --bank=sha1 Measuring boot phases: enter-initrd, enter-initrd:leave-initrd, enter-initrd:leave-initrd:sysinit, enter-initrd:leave-initrd:sysinit:ready Loaded 'libtss2-esys.so.0' via dlopen() Loaded 'libtss2-rc.so.0' via dlopen() Loaded 'libtss2-mu.so.0' via dlopen() PolicyPCR calculated digest: cec1a2ccb188ddd171a2be7bfa6b31cb9148776647354eb1069e0f891ed2dbe7 Failed to initialize signature context: error:03000098:digital envelope routines::invalid digest Failed to sign PCR policy: Input/output error
2025-01-11 09:18:07 +03:00 · 2024-07-18 14:48:37 +02:00 · 2024-07-18 14:48:37 +02:00 · 87204601df
commit 87204601df
parent 987f4bce93
1 changed files with 6 additions and 6 deletions
--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@ -689,7 +689,7 @@ def test_pcr_signing(kernel_initrd, tmp_path):
        '--uname=1.2.3',
        '--cmdline=ARG1 ARG2 ARG3',
        '--os-release=ID=foobar\n',
-        '--pcr-banks=sha1',   # use sha1 because it doesn't really matter
+        '--pcr-banks=sha384',   # sha1 might not be allowed, use something else
        f'--pcr-private-key={priv.name}',
    ] + arg_tools

@ -732,8 +732,8 @@ def test_pcr_signing(kernel_initrd, tmp_path):
        assert open(tmp_path / 'out.cmdline').read() == 'ARG1 ARG2 ARG3'
        sig = open(tmp_path / 'out.pcrsig').read()
        sig = json.loads(sig)
-        assert list(sig.keys()) == ['sha1']
-        assert len(sig['sha1']) == 4   # four items for four phases
+        assert list(sig.keys()) == ['sha384']
+        assert len(sig['sha384']) == 4   # four items for four phases

    shutil.rmtree(tmp_path)

@ -765,7 +765,7 @@ def test_pcr_signing2(kernel_initrd, tmp_path):
        '--uname=1.2.3',
        '--cmdline=ARG1 ARG2 ARG3',
        '--os-release=ID=foobar\n',
-        '--pcr-banks=sha1',
+        '--pcr-banks=sha384',
        f'--pcrpkey={pub2.name}',
        f'--pcr-public-key={pub.name}',
        f'--pcr-private-key={priv.name}',
@ -805,8 +805,8 @@ def test_pcr_signing2(kernel_initrd, tmp_path):

    sig = open(tmp_path / 'out.pcrsig').read()
    sig = json.loads(sig)
-    assert list(sig.keys()) == ['sha1']
-    assert len(sig['sha1']) == 6   # six items for six phases paths
+    assert list(sig.keys()) == ['sha384']
+    assert len(sig['sha384']) == 6   # six items for six phases paths

    shutil.rmtree(tmp_path)