sign-file linked against libssl1.1 instead of libssl3 #1232

@hax0rbana-adam

Description

Linking error when trying to run sign-file on the current version of Debian (12, aka bookworm).

root@surface:~# /usr/src/linux-headers-6.4.7-surface/scripts/sign-file
/usr/src/linux-headers-6.4.7-surface/scripts/sign-file: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory

sign-file is provided by the linux-headers-6.4.7-surface package, as can be verified with dpkg.

root@surface:~# dpkg -L linux-headers-6.4.7-surface | grep /usr/src/linux-headers-6.4.7-surface/scripts/sign-file
/usr/src/linux-headers-6.4.7-surface/scripts/sign-file
/usr/src/linux-headers-6.4.7-surface/scripts/sign-file.c

The issue is that sign-file was built with OpenSSL 1.1; however, Debian 12 has moved on to OpenSSL 3.0. This can be verified with apt show as follows:

root@surface:~# apt show libssl3
Package: libssl3
Version: 3.0.9-1
Priority: optional
Section: libs
Source: openssl
Maintainer: Debian OpenSSL Team <[email protected]>
Installed-Size: 6,140 kB
Depends: libc6 (>= 2.34)
Homepage: https://www.openssl.org/
Tag: role::shared-lib
Download-Size: 2,016 kB
APT-Manual-Installed: yes
APT-Sources: http://debian.uchicago.edu/debian bookworm/main amd64 Packages
Description: Secure Sockets Layer toolkit - shared libraries
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It provides the libssl and libcrypto shared libraries.

If a new kernel package can be compiled which links against libssl3 instead of libssl1.1, that should take care of this issue.

The only thing that might complicate matters is that it looks like your apt repo tries to use the same packages for all versions of Debian, which isn't going to work in this situation. Users on bookworm need to get a package linked against libssl3 and users on old versions need to get libssl1.1. Linking against version 1.1 will work for both bullseye and buster.

Unfortunately, this means having bookworm users update their apt sources file. However, if users are not using secure boot and signing kernel modules they built, they may never hit this bug and thus not need to update their apt sources file. sign-tool will remain broken for them, but it doesn't matter if they don't need it.

There is no workaround for this issue other than to downgrade the entire OS to Debian 11. All users on Debian 12 cannot sign kernel modules, which means they cannot run VMs (e.g. VirtualBox).

Environment

  • Hardware model: Surface 6, however this issue is not specific to this hardware
  • Kernel version: Linux surface 6.4.7-surface #3 SMP PREEMPT_DYNAMIC Tue Aug 1 21:23:55 UTC 2023 x86_64 GNU/Linux
  • Distribution: Debian 12
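
A check for the soname mismatch reported above, as an added example that is not part of the original issue or the project's code. The `soname_mismatches` function and both sample inputs are constructed here; it only parses `ldd` and `ldconfig -p` output.

```shell
#!/bin/sh
# Added example: report sonames a binary needs but the loader cannot resolve,
# and list other versions of the same library that ARE in the loader cache.
# A result like "libcrypto.so.1.1 missing; installed: libcrypto.so.3" means the
# binary was built against a different library ABI than the one installed.

# soname_mismatches LDD_OUTPUT LDCONFIG_OUTPUT   (hypothetical helper name)
soname_mismatches() {
    ldd_out=$1
    cache_out=$2
    printf '%s\n' "$ldd_out" | awk '/=> not found/ { print $1 }' | sort -u |
    while read -r needed; do
        [ -n "$needed" ] || continue
        base=${needed%%.so*}            # libcrypto.so.1.1 -> libcrypto
        # Collect cached sonames that start with "<base>.so"
        have=$(printf '%s\n' "$cache_out" |
               awk -v b="$base.so" 'index($1, b) == 1 { print $1 }' |
               sort -u | paste -sd ' ' -)
        printf '%s missing; installed: %s\n' "$needed" "${have:-none}"
    done
}

# Constructed sample inputs, shaped like real `ldd` and `ldconfig -p` output.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc00000000)
    libcrypto.so.1.1 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'
SAMPLE_CACHE='    libcrypto.so.3 (libc6,x86-64) => /lib/x86_64-linux-gnu/libcrypto.so.3
    libc.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libc.so.6'

soname_mismatches "$SAMPLE_LDD" "$SAMPLE_CACHE"

# Live use on the affected system (path taken from the issue):
#   bin=/usr/src/linux-headers-6.4.7-surface/scripts/sign-file
#   soname_mismatches "$(ldd "$bin")" "$(ldconfig -p)"
# ldd can invoke the target's own loader; for files you do not trust, list the
# NEEDED entries with `readelf -d` instead of running ldd on them.
```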
