[Bug 1789918] Re: grub2 signed kernel enforcement doesn't check on upgrade that signatures are from trusted keys

Launchpad Bug Tracker 1789918 at bugs.launchpad.net
Tue Jan 22 15:25:06 UTC 2019


This bug was fixed in the package grub2 - 2.02+dfsg1-5ubuntu10

---------------
grub2 (2.02+dfsg1-5ubuntu10) disco; urgency=medium

  * debian/grub-check-signatures: check kernel signatures against keys known
    in firmware, in case a kernel is signed but not using a key that will pass
    validation, such as when using kernels coming from a PPA. (LP: #1789918)

 -- Mathieu Trudel-Lapierre <cyphermox at ubuntu.com>  Mon, 21 Jan 2019 09:34:36 -0500

** Changed in: grub2 (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
Matching subscriptions: mokutil-bugs
https://bugs.launchpad.net/bugs/1789918

Title:
  grub2 signed kernel enforcement doesn't check on upgrade that
  signatures are from trusted keys

Status in grub2 package in Ubuntu:
  Fix Released
Status in mokutil package in Ubuntu:
  Fix Released

Bug description:
  This is on a cosmic system. I wanted to test the 4.18 kernel in the kernel team's unstable PPA. I enabled that PPA, then ran "sudo apt-get update; sudo apt-get dist-upgrade" and then rebooted. Upon boot, grub started reporting that none of the kernels I have installed have valid signatures. These were working just fine before this update. The only remedy was to disable secure boot in my BIOS.
  --- 
  ProblemType: Bug
  ApportVersion: 2.20.10-0ubuntu9
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  DistroRelease: Ubuntu 18.10
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2017-08-14 (380 days ago)
  InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Alpha amd64 (20170812)
  Package: grub2 (not installed)
  ProcEnviron:
   TERM=tmux-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
  Tags:  wayland-session cosmic
  Uname: Linux 4.18.0-7-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip kvm libvirt lpadmin plugdev sambashare sudo
  _MarkForUpload: True

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1789918/+subscriptions


