[Bug 1700170] Re: backport shim-signed 1.30 from artful to supported releases

[Steve Langasek]

Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/shim-
signed/1.32~14.04.1 in a few hours, and then in the -proposed
repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-trusty to verification-done-trusty. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-trusty. In either case, details of your
testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: shim-signed (Ubuntu Trusty)
       Status: New => Fix Committed

** Tags added: verification-needed-trusty

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1700170

Title:
  backport shim-signed 1.30 from artful to supported releases

Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim-signed source package in Trusty:
  Fix Committed
Status in shim-signed source package in Xenial:
  Fix Committed
Status in shim-signed source package in Yakkety:
  Fix Committed
Status in shim-signed source package in Zesty:
  Fix Committed

Bug description:
  [Impact]
  shim-signed ships the signed shim$arch.efi binary that goes with the shim package available in each release, which should remain synchronized across all supported releases as to make sure the security sensitive binary can be appropriately supported.

  shim-signed also ships some additional bits that are useful to go
  along with the shim binary; and this is what is actually targetted on
  this SRU: shim itself does not change, but in the interest of making
  support as easy as possible, the supporting files shipped with it are
  also kept synchronized across releases.

  These files are the following:
   - an apport hook, useful to let users report issues in updating the Boot Entries on their firmware, debugging upgrade issues, etc; and provides critical information about the system on which a bug is reported about the state of that system's EFI firmware: whether EFI validation is enabled, whether Secure Boot is enabled, whether it was properly started by the kernel;
   - a BOOT$arch.CSV file, to be installed by grub2 if present, where grub2 has that feature (in artful only), or to be installed manually by the user if wanted. This file is a text file that provides the location of shim on a system when running the shim fallback binary (also not installed prior to artful).

  [Test case]
  See the other closed bugs for this backport, which include their own test cases.

  == boot.csv ==
  1) Verify that /usr/lib/shim/BOOTX64.CSV contains:
  shimx64.efi,ubuntu,,This is the boot entry for Ubuntu

  [Regression potential]
  See the other closed bugs for this backport, which include their own test cases.

  Shipping the BOOT$arch.CSV file alone has no risk of regression, it
  constitutes a single text file shipped in a location where it is not
  used; it is only contained in the backport to simplify keeping the
  shim-signed packages synchronized.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1700170/+subscriptions