Bug#1108278: marked as done (shim-signed: Asks to disable EFI Secure Boot with enrolled DKMS key)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Tue, 29 Jul 2025 18:04:54 +0000
with message-id <E1ugoh4-008JGM-00@fasolo.debian.org>
and subject line Bug#1108278: fixed in shim-signed 1.47
has caused the Debian Bug report #1108278,
regarding shim-signed: Asks to disable EFI Secure Boot with enrolled DKMS key
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108278: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108278
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: shim-signed: Asks to disable EFI Secure Boot with enrolled DKMS key
• From: Guillem Jover <guillem@debian.org>
• Date: Tue, 24 Jun 2025 19:04:38 +0200
• Message-id: <aFraphsgJGcoLmsZ@thunder.hadrons.org>

Package: shim-signed-common
Version: 1.46
Severity: important

[ Given that this seems security sensitive, I've set it to important,
  but feel free to lower or rise it as you deem fit. ]

Hi!

If I've not gotten the origin of the problem incorrectly, the recent
shim-signed upgrade caused a debconf prompt to pop up (I think from
update-secureboot-policy (?)) asking to disable the EFI Secure Boot
for next boot, stating that otherwise kernel modules for third parties
might become unusable.

But some time ago (probably after the last shim-signed upload) I
enrolled the DKMS signing keys via the instructions from
<https://wiki.debian.org/SecureBoot#DKMS_and_Secure_Boot>, so I'd
expect no such debconf message to pop up, as I was initially very
confused, and thought there was perhaps a breaking change in that
shim-signed version that would cause that, and that the next boot
would cause modules to stop working, which would instead lower
the security of the system.

Thanks,
Guillem

--- End Message ---

--- Begin Message ---

• To: 1108278-close@bugs.debian.org
• Subject: Bug#1108278: fixed in shim-signed 1.47
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Tue, 29 Jul 2025 18:04:54 +0000
• Message-id: <E1ugoh4-008JGM-00@fasolo.debian.org>
• Reply-to: Steve McIntyre <93sam@debian.org>

Source: shim-signed
Source-Version: 1.47
Done: Steve McIntyre <93sam@debian.org>

We believe that the bug you reported is fixed in the latest version of
shim-signed, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108278@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated shim-signed package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 29 Jul 2025 18:40:14 +0100
Source: shim-signed
Architecture: source
Version: 1.47
Distribution: unstable
Urgency: medium
Maintainer: Debian EFI Team <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Closes: 1108278
Changes:
 shim-signed (1.47) unstable; urgency=medium
 .
   * update-secureboot-policy: do better checking around DKMS
     If we have DKMS modules installed:
     + Check to see if a DKMS MOK key has been created and enrolled;
     + Check that all the DKMS modules are signed with that key;
     If successful, don't tell users to disable Secure Boot.
     Closes: #1108278.
     Add dependencies on openssl and kmod for shim-signed-common,
     needed for implementing these check.
Checksums-Sha1:
 d79e8df69d214d23dc1c92d68509cbd5d5d9b945 1893 shim-signed_1.47.dsc
 18858265108d55a5a3f928ea5adab4ca899e5ef6 587868 shim-signed_1.47.tar.xz
 439c040949b241756694e1788bbc7578c217fd6a 6146 shim-signed_1.47_source.buildinfo
Checksums-Sha256:
 7380f8205df668c6d5dd3d4453cdd8e74900729875c2b91c6eb327dc4fb55c21 1893 shim-signed_1.47.dsc
 67f41d685773d0274ec3f880cc65d7d1a3fa3ac56258991480a163130a263071 587868 shim-signed_1.47.tar.xz
 5f2760ae610562245714008f811d5afab447379bdafb67cc64f13e1887e08ed3 6146 shim-signed_1.47_source.buildinfo
Files:
 5319297c19a70e0cd935681946034bdd 1893 utils optional shim-signed_1.47.dsc
 9579ca4508b5f04b31ba8e93617c1530 587868 utils optional shim-signed_1.47.tar.xz
 aa4f389bb1a3f9ec3846e754821f1f18 6146 utils optional shim-signed_1.47_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCAAvFiEEzrtSMB1hfpEDkP4WWHl5VzRCaE4FAmiJCHQRHDkzc2FtQGRl
Ymlhbi5vcmcACgkQWHl5VzRCaE6B1w/+PrSPjyrzeJ1QTt7aRMcttYTtrElR9xkS
sy7O/9A2G2U6/6YV/NuhI3hcSJjgwnyu4rc4HOwNNR7fuJn7rB/6ZdoYiP7vdGTd
0+gsMFYx42cEsKMOlvZWvaUpHcF3KozSTG0OoUn8RSK8ru/ufWEI1IqjvyFPGv2L
2+9SpdH+e0z/oeKdCaMk8zSjZl4FNwhZS5UwfaEJu9aI5J+nHMt9uUEaHhYaxaAq
uFn0BOPto5e1uouAkTshEr0ea59icRgyWAT7XX45NhalErcji83UKsDYnuzqs4uA
S1TPdcl/7RscBISnH/mv01E7jy84Vsv+QvkfFS9LQsvESLcUi7Hzdt2yAPA+rNjv
eeurHjqRLnuELfEaUQqoA6gTLTPGbA+HUKpQiyLo4x/T22Yc59F967eoup85eFyt
UEjbIOMgCLzuxQIbMaQV93MZmEJO/XOQI1ukxIlP08NiU0LUwBJif4lqdXK7wRSv
uQQi4mXQBBoXxA3BNlhPjnn5HJTD43HVNbA0o9Y06RBQNrJ5UuzcG7ELi7T7Fbth
Fe11klAyEeE7b2boG1Xlu9wgTIrTyKK5fMygdO8uOIBJri5v/RQYjfuRMlUqrUhi
0wgSMRAqSOvdVSkCP9p2dO0/t+Jeka+k/RUQkmsmW3ePaZRaTXuINBepPLl9o0wf
YpsnkY8CafE=
=WOAq
-----END PGP SIGNATURE-----

Attachment: pgp6NYNLnSesE.pgp
Description: PGP signature

--- End Message ---