[Bug 1795291] Re: xenial->bionic upgrade, /usr/share/grub/grub-check-signatures bails about unsigned kernels

Steve Langasek steve.langasek at canonical.com
Mon Oct 1 04:50:06 UTC 2018


This is only an issue on upgrade from xenial because in bionic and later
we only ship a single, signed vmlinuz file under /boot.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1795291

Title:
  xenial->bionic upgrade, /usr/share/grub/grub-check-signatures bails
  about unsigned kernels

Status in grub2 package in Ubuntu:
  Triaged
Status in grub2 source package in Bionic:
  New
Status in grub2 source package in Cosmic:
  Triaged

Bug description:
  $ ls /boot/vmlinuz-*
  /boot/vmlinuz-4.4.0-130-generic
  /boot/vmlinuz-4.4.0-130-generic.efi.signed
  /boot/vmlinuz-4.4.0-133-generic
  /boot/vmlinuz-4.4.0-133-generic.efi.signed
  /boot/vmlinuz-4.4.0-134-generic
  /boot/vmlinuz-4.4.0-134-generic.efi.signed
  /boot/vmlinuz-4.4.0-135-generic
  /boot/vmlinuz-4.4.0-135-generic.efi.signed
  $

  On dist-upgrade from xenial to bionic, grub bails with the error:

   │ Cannot upgrade Secure Boot enforcement policy due to unsigned kernels     │ 
   │                                                                           │ 
   │ Your system has UEFI Secure Boot enabled in firmware, and the following   │ 
   │ kernels present on your system are unsigned:                              │ 
   │                                                                           │ 
   │  4.4.0-135-generic                                                        │ 
   │  4.4.0-134-generic                                                        │ 
   │  4.4.0-133-generic                                                        │ 
   │                                                                           │ 
   │                                                                           │ 
   │ These kernels cannot be verified under Secure Boot.  To ensure your       │ 
   │ system remains bootable, GRUB will not be upgraded on your disk until     │ 
   │ these kernels are removed or replaced with signed kernels.                │

  This is a false positive: only the -generic files are unsigned, not
  the .efi.signed ones, and only the .efi.signed ones are referenced in
  the grub.cfg.  So the fact that there are unsigned vmlinuz files in
  the directory alongside the signed ones should not block grub from
  upgrading.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1795291/+subscriptions
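
The check the bug description argues for, as an added example (not code from the grub2 package or from this report): a kernel version counts as unsigned only when it has no .efi.signed copy, and only the kernels grub.cfg actually boots are considered. The function names are hypothetical, and the example assumes the xenial naming shown in the listing above; it does not verify signatures.

```shell
#!/bin/sh
# Added example, not the grub2 package's grub-check-signatures script.
# Assumption: vmlinuz-<version>.efi.signed is the signed copy of
# vmlinuz-<version>, as in the xenial /boot listing in the report.
# Only file names are compared; the signature itself is not verified.

# Print each kernel version in directory $1 that has no .efi.signed copy.
versions_without_signed_copy() {
    bootdir=$1
    for k in "$bootdir"/vmlinuz-*; do
        [ -e "$k" ] || continue                  # glob matched nothing
        case $k in *.efi.signed) continue ;; esac
        [ -e "$k.efi.signed" ] || echo "${k##*/vmlinuz-}"
    done
}

# Print each kernel path booted by the grub.cfg in $1 that is not an
# .efi.signed file. Empty output means every menu entry uses a signed copy.
unsigned_grub_entries() {
    awk '$1 == "linux" || $1 == "linuxefi" { print $2 }' "$1" |
        sort -u | grep -v '\.efi\.signed$' || true
}
```

On the /boot listing in the report, versions_without_signed_copy /boot prints nothing, because every version has an .efi.signed copy next to the unsigned file.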


