test_ukify: use sha384 in the signing tests
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Thu, 18 Jul 2024 12:48:37 +0000 (14:48 +0200)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Thu, 18 Jul 2024 13:04:28 +0000 (15:04 +0200)
On Fedora, with crypto policy TEST-FEDORA41, sha1 is not allowed:

$ SYSTEMD_LOG_LEVEL=debug build/systemd-measure sign
  --linux=/lib/modules/6.9.7-200.fc40.x86_64/vmlinuz
  --osrel=/tmp/tmp.osrelbl2sr77f
  --cmdline=/tmp/tmp.cmdlineouc7hqtj
  --uname=/tmp/tmp.unamecbjgesty
  --pcrpkey=/tmp/tmpufiadu8l
  --initrd=/boot/3a9d668b4db749398a4a5e78a03bffa5/6.9.7-200.fc40.x86_64/initrd
  --sbat=/tmp/tmp.sbataz9arpy0
  --private-key=/tmp/tmppyf0gx6w
  --public-key=/tmp/tmpufiadu8l
  --bank=sha1
Measuring boot phases: enter-initrd, enter-initrd:leave-initrd, enter-initrd:leave-initrd:sysinit, enter-initrd:leave-initrd:sysinit:ready
Loaded 'libtss2-esys.so.0' via dlopen()
Loaded 'libtss2-rc.so.0' via dlopen()
Loaded 'libtss2-mu.so.0' via dlopen()
PolicyPCR calculated digest: cec1a2ccb188ddd171a2be7bfa6b31cb9148776647354eb1069e0f891ed2dbe7
Failed to initialize signature context: error:03000098:digital envelope routines::invalid digest
Failed to sign PCR policy: Input/output error

src/ukify/test/test_ukify.py

index 123f9eac053aaecd3d0fd6e16c6926d0b84d3847..60d6498d58653ad5d015937f3787ffa6a82e6e76 100755 (executable)
@@ -689,7 +689,7 @@ def test_pcr_signing(kernel_initrd, tmp_path):
         '--uname=1.2.3',
         '--cmdline=ARG1 ARG2 ARG3',
         '--os-release=ID=foobar\n',
-        '--pcr-banks=sha1',   # use sha1 because it doesn't really matter
+        '--pcr-banks=sha384',   # sha1 might not be allowed, use something else
         f'--pcr-private-key={priv.name}',
     ] + arg_tools
 
@@ -732,8 +732,8 @@ def test_pcr_signing(kernel_initrd, tmp_path):
         assert open(tmp_path / 'out.cmdline').read() == 'ARG1 ARG2 ARG3'
         sig = open(tmp_path / 'out.pcrsig').read()
         sig = json.loads(sig)
-        assert list(sig.keys()) == ['sha1']
-        assert len(sig['sha1']) == 4   # four items for four phases
+        assert list(sig.keys()) == ['sha384']
+        assert len(sig['sha384']) == 4   # four items for four phases
 
     shutil.rmtree(tmp_path)
 
@@ -765,7 +765,7 @@ def test_pcr_signing2(kernel_initrd, tmp_path):
         '--uname=1.2.3',
         '--cmdline=ARG1 ARG2 ARG3',
         '--os-release=ID=foobar\n',
-        '--pcr-banks=sha1',
+        '--pcr-banks=sha384',
         f'--pcrpkey={pub2.name}',
         f'--pcr-public-key={pub.name}',
         f'--pcr-private-key={priv.name}',
@@ -805,8 +805,8 @@ def test_pcr_signing2(kernel_initrd, tmp_path):
 
     sig = open(tmp_path / 'out.pcrsig').read()
     sig = json.loads(sig)
-    assert list(sig.keys()) == ['sha1']
-    assert len(sig['sha1']) == 6   # six items for six phases paths
+    assert list(sig.keys()) == ['sha384']
+    assert len(sig['sha384']) == 6   # six items for six phases paths
 
     shutil.rmtree(tmp_path)
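Review bot: The bank name is now hard-coded in four separate places (the `--pcr-banks=sha384` argument in each test plus the two `sig.keys()`/`len(sig[...])` assertion pairs), so the argument and its assertions can silently drift apart the next time the bank has to change; a module-level constant such as `PCR_BANK = 'sha384'`, used as `f'--pcr-banks={PCR_BANK}'` and `assert list(sig.keys()) == [PCR_BANK]`, keeps them in sync. The comment in the first hunk, `# sha1 might not be allowed, use something else`, states the symptom rather than the reason; something like `# sha1 is rejected for signing under stricter system crypto policies (e.g. Fedora's TEST-FEDORA41); use sha384 instead` tells the next reader why the weaker bank was dropped. The equivalent line in test_pcr_signing2 carries no comment at all, so whichever wording is chosen should appear there too. Both test_pcr_signing and test_pcr_signing2 start outside the hunks shown.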