gramine-sgx-sign reports "'bytearray' object cannot be converted to 'PyBytes'"

[andre-w-fischer]

Description of the problem

signing a simple binary (/usr/bin/true in the attached example) with a built-from-source gramine 1.6 fails with stack trace
(see Actual Results).

Steps to reproduce

With the attached files
bytearray-error.zip
run build.sh to first build gramine 1.6 together with missing dependencies (based on registry.access.redhat.com/ubi8/ubi:8.7)
and then sign a simple binary.

Change cryptography-error.dockerfile:43 from

ARG CryptographyVersion=42.0.0

to

ARG CryptographyVersion=41.0.7

and the problem goes away.
The 42.0.0 release was made on 23. January 2023. The 42.01 version (released today?) does not seem to fix this issue.

Expected results

gramine-sgx-sign finishes without error.

Actual results

#59 0.621 Traceback (most recent call last):
#59 0.621 File "/usr/local/bin/gramine-sgx-sign", line 171, in
#59 0.621 main() # pylint: disable=no-value-for-parameter
#59 0.621 ^^^^^^
#59 0.621 File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1157, in call
#59 0.621 return self.main(*args, **kwargs)
#59 0.621 ^^^^^^^^^^^^^^^^^^^^^^^^^^
#59 0.621 File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1078, in main
#59 0.621 rv = self.invoke(ctx)
#59 0.621 ^^^^^^^^^^^^^^^^
#59 0.621 File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
#59 0.622 return ctx.invoke(self.callback, **ctx.params)
#59 0.622 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#59 0.622 File "/usr/local/lib/python3.11/site-packages/click/core.py", line 783, in invoke
#59 0.622 return __callback(*args, **kwargs)
#59 0.622 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
#59 0.622 File "/usr/local/lib/python3.11/site-packages/click/decorators.py", line 33, in new_func
#59 0.622 return f(get_current_context(), *args, **kwargs)
#59 0.622 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#59 0.622 File "/usr/local/bin/gramine-sgx-sign", line 145, in main
#59 0.622 sigstruct.sign(sign_func)
#59 0.622 File "/usr/local/lib/python3.11/site-packages/graminelibos/sigstruct.py", line 191, in sign
#59 0.622 exponent_int, modulus_int, signature_int = do_sign_callback(data, *args, **kwargs)
#59 0.622 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#59 0.622 File "/usr/local/lib/python3.11/site-packages/graminelibos/sgx_sign.py", line 664, in sign_with_private_key
#59 0.622 signature = private_key.sign(data, padding.PKCS1v15(), hashes.SHA256())
#59 0.622 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#59 0.622 TypeError: argument 'data': 'bytearray' object cannot be converted to 'PyBytes'

Gramine commit hash

https://github.com/gramineproject/gramine/archive/refs/tags/v1.6.tar.gz

[woju]

ack, will look into it

[woju]

@andre-w-fischer: Can you please check if #1732 fixes the problem?

[andre-w-fischer]

@woju I can verify that the change fixes the problem. Thank you.

[woju]

@andre-w-fischer Thanks for testing. I have one more ask if you're able: Can you wait about a week until cryptography.io releases 42.0.2 and then test without this fix (i.e. just 1.6) to check if they fixed correctly? Or even test now with unreleased cryptography.io if you can.

This would be useful mostly for users of stable Gramine (from packages/tags). I'll totally understand if you won't, we'll probably merge #1732 anyway just for clarity of method names, so this is going to get fixed around 1.7 in any case.