[Bug 1936640] Re: Download signed version from versioned URL

Launchpad Bug Tracker 1936640 at bugs.launchpad.net
Mon Aug 2 19:46:16 UTC 2021 

This bug was fixed in the package shim-signed - 1.40.6

---------------
shim-signed (1.40.6) focal; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)
  * download-signed: Fetch signed artefacts from versioned URL instead
    of current/ symlink to work around caching (LP: #1936640)

shim-signed (1.40.5) focal; urgency=medium

  * New upstream release 15.4.  LP: #1921134
  * Synchronize packaging with 1.48, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes and Protected: yes on shim-signed package
      so that it cannot be removed by accident (LP: #1898729)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

 -- Julian Andres Klode <juliank at ubuntu.com>  Fri, 16 Jul 2021 13:33:00
+0200

** Changed in: shim-signed (Ubuntu Focal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1936640

Title:
  Download signed version from versioned URL

Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim-signed source package in Bionic:
  Fix Committed
Status in shim-signed source package in Focal:
  Fix Released
Status in shim-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]
  shim-signed uploads FTBFS for a couple hours after upload on arm64, as the arm64 builders are behind a proxy with caching, and the proxy caches the old version for the current/ url.

  Switch the download-signed script to extract the current version from
  the apt cache and download from that instead of the unversioned
  symlink. This means it will 404 on first try, and then hopefully the
  404 is not cached for hours.

  [Test plan]
  Check it downloads versioned script during build

  [Where problems could occur]
  I can imagine that if the version number of "shim" contains special characters, they might need URL escaping. At the moment, we don't have special characters, so it should just work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1936640/+subscriptions

More information about the foundations-bugs mailing list