[Bug 1993207] Re: can't install "Secure Boot dbx Configuration Update" firmware upgrade version 217 because of abandoned and stale (I think) "/boot/efi/EFI/ubuntu/shimx64.efi

Jonathan Kamens 1993207 at bugs.launchpad.net
Sun Jan 29 00:08:31 UTC 2023


Perhaps it is no longer possible to _remove_ shim-signed, but how was it
possible for me to get my machine into a state where it wasn't
installed, and that state was not rectified by a subsequent upgrade?
Given that was possible, aren't other people upgrading going to run into
this?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1993207

Title:
  can't install "Secure Boot dbx Configuration Update" firmware upgrade
  version 217 because of abandoned and stale (I think)
  "/boot/efi/EFI/ubuntu/shimx64.efi

Status in grub2-signed package in Ubuntu:
  Fix Released

Bug description:
  The Ubuntu Software app says it wants to update my "Secure Boot dbx
  Configuration Update" to version 217, but when I try to install the
  update, it says:

  Unable to update "Secure Boot dbx Configuration Update": Blocked
  executable in the ESP, ensure grub and shim are up to date:
  /boot/efi/EFI/ubuntu/shimx64.efi Authenticode checksum [e060d...I'm
  not going to type the whole thing...cec6df] is present in dbx

  The file /boot/efi/EFI/ubuntu/shimx64.efi was last modified on
  September 20, 2020 and is not owned by any package. There are two
  other files in that directory, mmx64.efi and BOOTX64.CSV, that were
  last modified on September 20, 2020, and two files in that directory,
  grub.cfg and grubx64.efi, that were last modified on September 24,
  2022 when grub-efi-amd64-signed was upgraded.

  My guess—just a guess, maybe I'm wrong—is that the three files last
  modified on September 20, 2020 are obsolete and should have been
  cleaned up by a package upgrade at some point but were not. However,
  I'm not comfortable with simply deleting them because I don't know
  enough about secure boot to know for certain that's safe for me to do
  without bricking my system.

  I think if these files are indeed obsolete then the package
  configurator needs to clean them up so others who are upgrading don't
  end up in this situation.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.10
  Package: grub-efi-amd64-signed 1.185+2.06-2ubuntu12
  ProcVersionSignature: Ubuntu 5.19.0-21.21-generic 5.19.7
  Uname: Linux 5.19.0-21-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.23.1-0ubuntu3
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Oct 17 16:00:46 2022
  InstallationDate: Installed on 2019-01-02 (1384 days ago)
  InstallationMedia: Ubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.3)
  SourcePackage: grub2-signed
  UpgradeStatus: Upgraded to kinetic on 2022-09-24 (22 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1993207/+subscriptions
