Bug#990447: fwupdmgr: Unable to install new updates

[Julian Andres Klode <jak@debian.org>]

Control: reassign -1 shim
Control: affects -1 fwupd

On Wed, Jun 30, 2021 at 11:27:52PM +0200, Ansgar wrote:
> Salvatore Bonaccorso writes:
> > On Tue, Jun 29, 2021 at 02:04:47PM +0200, Salvatore Bonaccorso wrote:
> >> Package: fwupd
> >> Version: 1.5.7-4
> [...]
> > Interesting datapoint: I experimented further, and disabled secure
> > boot. After that I was able to install those updates.
> >
> > Does that possibly ring some bell?
> 
> I have no idea about fwupd, but if disabling secure boot works: I would
> check if the fwupd binaries in /boot/efi/EFI/debian are outdated for
> some reason. fwupd-amd64-signed switched to a new signing key with
> 1.5.7+3 and the old key should be revoked.

shim 15.4 does not support loading fwupd. Patches in discussion to fix
this (or rather pending discussion...):

https://github.com/rhboot/shim/pull/379
https://github.com/rhboot/shim/pull/381

I am running the former and will submit it on the Ubuntu side for
signing soon, and then push it into development release ASAP next
week and then down the lines.

The reason it works if you disable secure boot is that fwupdmgr
installs a different boot entry that does not use shim, which
causes this confusion:

https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1931213

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en