Bug#936009: marked as done (shim-unsigned:amd64 cannot be installed alongside shim-unsigned:i386)

Subject: Bug#936009: marked as done (shim-unsigned:amd64 cannot be installed alongside shim-unsigned:i386)

From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Date: Mon, 06 May 2024 13:09:16 +0000

Message-id: <[🔎] handler.936009.D936009.1715000702347372.ackdone@bugs.debian.org>

References: <E1s3y1b-008gA1-3E@fasolo.debian.org> <CAGkQCM014LQ-jN5gjCfikc4acjAsTOH-VQ+vWXscuPh2OxKmOw@mail.gmail.com>

Your message dated Mon, 06 May 2024 13:04:59 +0000 with message-id <E1s3y1b-008gA1-3E@fasolo.debian.org> and subject line Bug#936009: fixed in shim 15.8-1 has caused the Debian Bug report #936009, regarding shim-unsigned:amd64 cannot be installed alongside shim-unsigned:i386 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 936009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936009 Debian Bug Tracking System Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: shim-unsigned:amd64 cannot be installed alongside shim-unsigned:i386
From: adrian15 adrian15 <adrian15sgd@gmail.com>
Date: Thu, 29 Aug 2019 01:20:37 +0200
Message-id: <CAGkQCM014LQ-jN5gjCfikc4acjAsTOH-VQ+vWXscuPh2OxKmOw@mail.gmail.com>

Package: shim-unsigned
Version: 15+1533136590.3beb971-7
Severity: normal

Dear Maintainer,

I want to be able to build a live cd that has both ia32 and x64 Secure
Boot UEFI support.
So I need both shim-signed:amd64 and shim-signed:i386 installed.

Those two packages depend on shim-unsigned:amd64 and shim-unsigned:i386 among other packages.
I cannot install those unsigned packages hence neither I can install the signed ones.

After adding and apt i386 architecture to an amd64 system if I run:

apt-get install shim-unsigned:amd64 shim-unsigned:i386

I get this output:

Reading package lists... Done
Building dependency tree
Reading state information... Done
shim-unsigned is already the newest version (15+1533136590.3beb971-7).
shim-unsigned set to manually installed.
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
shim-unsigned : Conflicts: shim-unsigned:i386 but 15+1533136590.3beb971-7 is to be installed
shim-unsigned:i386 : Conflicts: shim-unsigned but 15+1533136590.3beb971-7 is to be installed
E: Unable to correct problems, you have held broken packages.

I would like to be able to install both packages at the same time
because generated binaries do not collide between them.

It would seem those packages are lacking some multi-arch declaration on
the package metadata.

This same problem was fixed for shim-signed on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928486 and fixed there.
Associated commit to that fix: https://salsa.debian.org/efi-team/shim-signed/commit/f3393e69ed073007cda61d57c60e5c907c4faf51 .

I suspect that shim-helpers-amd64-signed and shim-helpers-i386-signed packages will need a similar workaround but I'm not sure on this one.

Thank you very much!

-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

-- no debconf information

--- End Message ---

--- Begin Message ---

To: 936009-close@bugs.debian.org
Subject: Bug#936009: fixed in shim 15.8-1
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Mon, 06 May 2024 13:04:59 +0000
Message-id: <E1s3y1b-008gA1-3E@fasolo.debian.org>
Reply-to: Steve McIntyre <93sam@debian.org>

Source: shim
Source-Version: 15.8-1
Done: Steve McIntyre <93sam@debian.org>

We believe that the bug you reported is fixed in the latest version of
shim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 936009@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated shim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 04 May 2024 23:29:52 +0100
Source: shim
Architecture: source
Version: 15.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian EFI team <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Closes: 936009 1043485 1046268 1054210 1057606 1061519 1064220 1069054
Changes:
 shim (15.8-1) unstable; urgency=medium
 .
   [ Steve McIntyre ]
   * Cope with changes in pesign packaging. Closes: #1057606
   * New upstream release fixing more bugs. Closes: #1061519, #1064220
     + CVE-2023-40546 mok: fix LogError() invocation (Closes: #1054210)
     + CVE-2023-40547 - avoid incorrectly trusting HTTP headers
     + CVE-2023-40548 Fix integer overflow on SBAT section size on
       32-bit system
     + CVE-2023-40549 Authenticode: verify that the signature header is
       in bounds.
     + CVE-2023-40550 pe: Fix an out-of-bound read in
       verify_buffer_sbat()
     + CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
   * Remove all our previous patches, no longer needed:
     + Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
       upstream)
     + Enable-NX.patch (we don't want NX just yet until the whole boot
       stack is NX-capable)
     + block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
       is 4)
   * Cherry-pick 2 new patches from upstream for grub revocations:
     + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
     + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
   * NOTE: Stop building for i386
     + Debian kernels are no longer signed for i386, it's time to stop
       supporting i386 SB.
   * Log if the build is nx-compatible or not
   * Force shim to use the latest revocations by default to block some
     older grub / peimage issues. This is:
     "shim,4\ngrub,4\ngrub.peimage,2\n"
   * Install a copy of the Debian CA certificate into /usr/share/shim.
     Closes: #1069054
   * Clean up better after build. Closes: #1046268
 .
   [ Bastien Roucariès ]
   * Port autopkgtest from ubuntu
   * Import MR-12: "shim-unsigned:amd64 cannot be installed alongside
     shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
   * Fix debian/watch and check signature (Closes: #1043485)
Checksums-Sha1:
 8a2d725f65087e1a6c7f012c4c70666666fef4f3 2490 shim_15.8-1.dsc
 cdec924ca437a4509dcb178396996ddf92c11183 2315201 shim_15.8.orig.tar.bz2
 5b62d9edbaad7ece7546868dfd6e6e5be42de236 59308 shim_15.8-1.debian.tar.xz
 062041702d5cdb3828fb0e3bdecf6515fa1a7062 7121 shim_15.8-1_source.buildinfo
Checksums-Sha256:
 65ca82c131a66362a0bb222497eebbca5d64ba9efd44738d7889eb0500b5e4fa 2490 shim_15.8-1.dsc
 a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9 2315201 shim_15.8.orig.tar.bz2
 fad222c56f31a20b65753f16c66e270082295a2cccf2909686a980f19be665de 59308 shim_15.8-1.debian.tar.xz
 647867dea6c5dc9d7d5d59fa70629f322379593675a7ccc3667d2dc2f1024b03 7121 shim_15.8-1_source.buildinfo
Files:
 96fd60cb002486370c4176382044041e 2490 admin optional shim_15.8-1.dsc
 a9452c2e6fafe4e1b87ab2e1cac9ec00 2315201 admin optional shim_15.8.orig.tar.bz2
 4689fb8317f8a9a5ca53107743d67a27 59308 admin optional shim_15.8-1.debian.tar.xz
 66bbd0b3ac2a98555d32f3f47ca1fb7e 7121 admin optional shim_15.8-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCAAvFiEEzrtSMB1hfpEDkP4WWHl5VzRCaE4FAmY40QURHDkzc2FtQGRl
Ymlhbi5vcmcACgkQWHl5VzRCaE6F5Q/9F2uB+m9hTJDk2PIn5LAn8b39vBzYkoju
lirfsA/FJzygJR+qJQG70nrPe+TutO8BFPdo+yhfc2G9RdLd3CXsslkl6QdNpTau
LUc4FRMzHsis3Wn/7BO8WZPzPBf+2N/NUucIe02h+6gabpiXqpwt5EZf6WTGUC8D
LOinr/l3iDDoymjogTBvp0PMEph0luqE95deOeXmJ6CbLQ2Ozzi40g47E4uUQ4ao
jGD6yPk3PulHdaW8oXbab14e94akfrXUe0P26Y8oUUji+6mRtfckNWjhY78udMwD
Cxy8gTULqPdDfjjGleVDppD+C2+pGTNs3tCPr1PdM9XOjlm0bGHzDNSkeOc39eA9
CZvOvXmQ/V9qG8puj5U1Bh+S5dPjP//gKpKnnowAc/fgMaWjP+Li/hW7TTvnilxi
vMhQ6XizySj3DDEkCvGK1uH2Z75ryTsAbT3WmL9KubxKrWDGImMJKYs7soePGwPL
VDFaPqEBKhAwlXO3nBDJWqSOP/QoQmAxZ6x0P7z4nLcnKK2KS9eWuFt9cBawuPYE
XwDIcAFoLXyFuZGlQFinBElvdIYbreS7LGm9zKkBQDWpmu01HcT0WAlhd6fNVMOk
CnT5Pg1KTUtSmyauYoc4CmcBmipH2fKCdJIFVtAaeU8qVcIV77RS46y2XnhGVst8
aJ4tOJYtaAk=
=+QSm
-----END PGP SIGNATURE-----

Attachment: pgpctkb3G44DH.pgp
Description: PGP signature

--- End Message ---

Reply to: