#1138295 efitools: FTBFS with openssl 4.0

Package:
efitools
Source:
efitools
Description:
Tools to manipulate EFI secure boot keys and signatures
Submitter:
Sebastian Andrzej Siewior
Date:
2026-06-12 10:31:01 UTC
Severity:
normal
Tags:
#1138295#5
Date:
2026-05-30 15:48:25 UTC
From:
To:
OpenSSL 4.0 is in experimental. This package fails to build against it:
| cc  -o sign-efi-sig-list sign-efi-sig-list.o -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/reproducible-path/efitools-1.9.2=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wl,-z,relro lib/lib.a -lcrypto
| /usr/bin/x86_64-linux-gnu-ld.bfd: lib/lib.a(openssl_sign.o): in function `read_engine_private_key':
| /build/reproducible-path/efitools-1.9.2/lib/openssl_sign.c:118:(.text+0x13a): undefined reference to `ENGINE_load_builtin_engines'
| /usr/bin/x86_64-linux-gnu-ld.bfd: /build/reproducible-path/efitools-1.9.2/lib/openssl_sign.c:119:(.text+0x142): undefined reference to `ENGINE_by_id'
| /usr/bin/x86_64-linux-gnu-ld.bfd: /build/reproducible-path/efitools-1.9.2/lib/openssl_sign.c:135:(.text+0x17d): undefined reference to `ENGINE_init'
| /usr/bin/x86_64-linux-gnu-ld.bfd: /build/reproducible-path/efitools-1.9.2/lib/openssl_sign.c:141:(.text+0x195): undefined reference to `ENGINE_load_private_key'
| /usr/bin/x86_64-linux-gnu-ld.bfd: /build/reproducible-path/efitools-1.9.2/lib/openssl_sign.c:142:(.text+0x1a0): undefined reference to `ENGINE_finish'
| /usr/bin/x86_64-linux-gnu-ld.bfd: /build/reproducible-path/efitools-1.9.2/lib/openssl_sign.c:145:(.text+0x1a8): undefined reference to `ENGINE_free'
| collect2: error: ld returned 1 exit status

Full buildlog
https://breakpoint.cc/openssl-rebuild/logs-4/attempted/efitools_1.9.2-5_amd64-2026-04-19T09:27:45Z

Sebastian

#1138295#12
Date:
2026-06-11 14:25:45 UTC
From:
To:
Please find attached a patch that fixes this issue.
#1138295#19
Date:
2026-06-11 15:30:14 UTC
From:
To:
Hi!

It fixes the *direct* issue by simply causing signing using an engine
to fail. Rather than that, it would be more helpful to update the
software to use the new "provider" APIs instead. Could you look into
that please?

#1138295#24
Date:
2026-06-12 10:29:00 UTC
From:
To:
The patch replaces the ENGINE API with the new provider APIs.