always call mokutil with --timeout -1 when enrolling dkms keys

Bug #1856422 reported by Steve Langasek
This bug affects 2 people

Affects              | Status       | Importance | Assigned to | Milestone
shim-signed (Ubuntu) | Fix Released | Undecided  | Unassigned  |
  Xenial             | Fix Released | Undecided  | Unassigned  |
  Bionic             | Fix Released | Undecided  | Unassigned  |
  Eoan               | Won't Fix    | Undecided  | Unassigned  |
ubiquity (Ubuntu)    | Fix Released | High       | Unassigned  |

Bug Description

[SRU Justification]
The version of MokManager currently in all releases supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds.

If the timeout is reached on boot with no input, MokManager clears the MOK requests and passes control back to shim, which falls back to booting the OS.

So if you miss seeing MokManager on boot, you have to restart the key enrollment process from the OS and reboot again.

When we are invoking mokutil automatically on behalf of the user as part of key generation for dkms modules, we should disable the timeout. We should never leave the user with broken dkms modules on the system because they were looking away from the console at the wrong point in time during a reboot.

[Test case]
1. On a system with SecureBoot enabled, install the virtualbox-dkms package.
2. Set a password to use for MOK enrollment.
3. Reboot.
4. Observe that there is a countdown on MokManager. Let the timer expire.
5. Install the shim-signed package from -proposed.
6. Purge the virtualbox-dkms and dkms packages.
7. sudo rm -rf /var/lib/shim-signed.
8. Repeat steps 1 through 3.
9. Observe that there is no countdown on MokManager, and that it waits indefinitely for input (confirm that this is the case by sitting at the screen for at least 1 minute).

[Regression potential]
If this additional argument is passed to a version of mokutil that does not support it, and mokutil fails as a result, users who would otherwise have had their MOK enrolled could end up without it.

This prevents systems which have a pending MOK enrollment due to dkms from rebooting unattended back to Ubuntu. If anyone is automating configuration of dkms/shim, during an install or otherwise, and expecting the system to reboot back to Ubuntu without intervention at the console, this will stop working. However, such a system is broken with respect to dkms modules and SecureBoot anyway; the user should either not install dkms modules, or plan for handling the MOK request at the console (serial console or otherwise) on the next reboot.

If the user does not have console access to the system but does have power access, they can still bypass MokManager by power cycling the system, again giving them a system which is booted but does not properly support the dkms modules under SecureBoot.
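An added example of the enrollment flow the justification argues for; this is not shim-signed's own update-secureboot-policy code. It queues the DKMS certificate with --import and then sets --timeout -1 in a separate mokutil run (the comments below note that mokutil rejects --timeout combined with --import), and it guards against the mokutil-without---timeout case from the regression section so that a missing option never costs the enrollment itself. Assumptions: mokutil accepts the password on stdin when stdin is not a terminal, and the MOKUTIL variable is a hypothetical override used here only so the flow can be exercised against a stub.

```shell
#!/bin/sh
# Added example, not shim-signed's own postinst or update-secureboot-policy.
# Assumption: MOKUTIL is a hypothetical override (defaults to mokutil on PATH).
MOKUTIL="${MOKUTIL:-mokutil}"

# Does this mokutil advertise --timeout in its usage text? Older builds do
# not, and an unknown option would make that whole invocation fail.
mokutil_supports_timeout() {
    "$MOKUTIL" --help 2>&1 | grep -q -- '--timeout'
}

# enroll_dkms_mok CERT_DER PASSWORD_FILE
# Exit status is that of the --import step. A failure to disable the
# countdown is reported but does not undo an enrollment already queued.
enroll_dkms_mok() {
    cert="$1"
    pwfile="$2"
    [ -r "$cert" ] || { echo "enroll_dkms_mok: cannot read $cert" >&2; return 2; }
    [ -r "$pwfile" ] || { echo "enroll_dkms_mok: cannot read $pwfile" >&2; return 2; }
    pw=$(cat "$pwfile")

    # Step 1: queue the MOK request. mokutil asks for the password twice,
    # so it is supplied twice on stdin (assumption: non-tty stdin is accepted).
    printf '%s\n%s\n' "$pw" "$pw" | "$MOKUTIL" --import "$cert" || return $?

    # Step 2: a separate run to make MokManager wait indefinitely. Keeping it
    # separate means an unsupported --timeout cannot break the import above.
    if mokutil_supports_timeout; then
        "$MOKUTIL" --timeout -1 ||
            echo "enroll_dkms_mok: could not disable the MokManager timeout" >&2
    else
        echo "enroll_dkms_mok: this mokutil lacks --timeout; MokManager will" \
             "fall back to its 10 second countdown on the next reboot" >&2
    fi
    return 0
}
```

Run it as root on a Secure Boot system as `enroll_dkms_mok /path/to/MOK.der /path/to/password-file`, then reboot and expect MokManager with no countdown.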


Steve Langasek (vorlon)
description: updated
Changed in ubiquity (Ubuntu Eoan):
status: New → Won't Fix
Steve Langasek (vorlon)
Changed in shim-signed (Ubuntu Bionic):
status: New → In Progress
Changed in shim-signed (Ubuntu):
status: New → Fix Committed
description: updated
Steve Langasek (vorlon)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.40

---------------
shim-signed (1.40) focal; urgency=medium

  * Pass --timeout -1 to mokutil so that users don't end up with broken
    systems by missing MokManager on reboot after install. LP: #1856422.
  * Add a versioned dependency on the mokutil that introduces --timeout.

 -- Steve Langasek <email address hidden> Sat, 14 Dec 2019 20:26:42 -0800

Changed in shim-signed (Ubuntu):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote :

The change is good and I'd be willing to accept it, but before I do so I wanted to consult the SRU version number first. You have used 1.39.1, but currently 1.39 is present both in eoan and disco. I know disco goes EOL on January next year, but knowing our bad luck, I'm worried that if some emergency upload is required, the version number might be problematic. On the other hand, I guess in this very improbable case we could just use ~ for disco.

Anthony Wong (anthonywong) wrote :

On Focal MokManager doesn't come up on reboot; I found mokutil doesn't allow --timeout to be used with --import. So either call mokutil --timeout in a second command, or we need https://github.com/lcp/mokutil/pull/26/commits/8dc9f57b6fe5ca0d459c9aec2da35ef8f36cf94b# to fix mokutil.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shim-signed (Ubuntu Eoan):
status: New → Confirmed
Changed in ubiquity (Ubuntu Bionic):
status: New → Confirmed
Changed in ubiquity (Ubuntu):
status: New → Confirmed
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted shim-signed into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.39.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Eoan):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-eoan
Changed in shim-signed (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Timo Aaltonen (tjaalton) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Steve Langasek (vorlon) wrote :

shim-signed is verification-failed for bionic because the versioned dependency on mokutil is not satisfied (LP: #1862632).

tags: added: verification-failed-bionic
removed: verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-bionic
removed: verification-failed-bionic
Mathew Hodson (mhodson)
no longer affects: ubiquity (Ubuntu Eoan)
no longer affects: ubiquity (Ubuntu Bionic)
no longer affects: ubiquity (Ubuntu)
Steve Langasek (vorlon)
Changed in ubiquity (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in ubiquity (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubiquity - 20.04.13

---------------
ubiquity (20.04.13) focal; urgency=medium

  [ Steve Langasek ]
  * Always invoke mokutil with --timeout -1 so that users don't miss the key
    enrollment on reboot and end up with broken dkms modules. LP: #1856422.

  [ Iain Lane ]
  * plugininstall: Don't modify oem_pkgs while we're iterating over it
    (LP: #1873146)
  * plugininstall: Don't bother calling do_install() if there's no packages

  [ Dimitri John Ledkov ]
  * Correctly install oem kernel flavour, when desired.
  * When validating new kernel, allow kernel version higher than 2.x
  * When keeping existing kernel, do not mark kernel image as manually
    installed, only the meta.
  * When removing a kernel, remove modules and meta.

 -- Dimitri John Ledkov <email address hidden> Thu, 16 Apr 2020 22:56:34 +0100

Changed in ubiquity (Ubuntu):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : [shim-signed/bionic] verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for bionic for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Steve Langasek (vorlon) wrote :

eoan is EOL, wontfixing.

Changed in shim-signed (Ubuntu Eoan):
status: Fix Committed → Won't Fix
Steve Langasek (vorlon) wrote :

For bionic, this has been verified as a side-effect of verifying LP: #1869187.

tags: added: emoval-candidate verification-done-bionic
removed: removal-candidate verification-needed-bionic verification-needed-eoan
tags: removed: emoval-candidate
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.37~18.04.6

---------------
shim-signed (1.37~18.04.6) bionic; urgency=medium

  * Pass --timeout -1 to mokutil in a separate mokutil run (LP: #1869187)
    thanks to Aleksander Miera for the patch.

shim-signed (1.37~18.04.5) bionic; urgency=medium

  * Fix versioned dependency on mokutil so that it matches the version in
    bionic-updates. LP: #1862632.

shim-signed (1.37~18.04.4) bionic; urgency=medium

  * Pass --timeout -1 to mokutil so that users don't end up with broken
    systems by missing MokManager on reboot after install. LP: #1856422.
  * Add a versioned dependency on the mokutil that introduces --timeout.

 -- Matthieu Clemenceau <email address hidden> Fri, 10 Jul 2020 14:27:41 -0500

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Łukasz Zemczak (sil2100) wrote : Proposed package removed from archive

The version of shim-signed in the proposed pocket of Eoan that was purported to fix this bug report has been removed because the bugs that were to be fixed by the upload were not verified in a timely (105 days) fashion.

Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Brian Murray (brian-murray) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Julian Andres Klode (juliank) wrote :

Verified for ...16.04.9. Timeout is there with old shim-signed, gone with new one :)

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-xenial
removed: verification-done verification-done-xenial
Julian Andres Klode (juliank) wrote :

The verification from 16.04.9 is also valid for 16.04.10, as only the shim binaries changed, and not the scripts.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~16.04.10

---------------
shim-signed (1.33.1~16.04.10) xenial; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

shim-signed (1.33.1~16.04.9) xenial; urgency=medium

  * Do not build a dual-signed shim (fixing regression from ~16.04.7), and
    disable verifying fbx64.efi and mmx64.efi certificates as xenial's
    sbverify is unable to (impish works fine)
  * Clean up debhelper log file accidentally imported into git during 16.04.7
    import.

shim-signed (1.33.1~16.04.8) xenial; urgency=medium

  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

shim-signed (1.33.1~16.04.7) xenial; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Update packaging to pull fb and mm from shim-signed package as in
    later releases, dropping the runtime dependency on shim.
  * Add download-signed script from linux-signed package
  * Add a versioned dependency on the mokutil that introduces --timeout, and
    call mokutil --timeout -1 so that users don't end up with broken systems
    by missing MokManager on reboot after install. LP: #1856422.
  * Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
    to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
    grub-install present when we are installing new shim to the ESP.
  * Include reworked Makefile from devel to better assert the integrity of
    the executables.

 -- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:04:57 +0200

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released