XPost: linux.debian.bugs.dist
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:shim-signed
Hi folks,
Please unblock package shim-signed
Apologies for leaving this so late - I started hacking on this during
DebCamp, then... :-(
I've added a targeted fix for the serious bug #1108278 (Asks to
disable EFI Secure Boot with enrolled DKMS key). We really shouldn't
be telling users to disable Secure Boot when they've followed the
instructions and generated a key for DKMS to use. So I've added logic
to test for that in the update-secureboot-policy that we run from the shim-signed.postinst.
I've tested this reasonably extensively on some machines here, and both
of the contributors in #1108278 have also tested the fix
successfully. I've tried to be as careful as possible in the change
here, to reduce the chances of DKMS users being locked out via SB if
anything is missing.
I've had a number of other people ask about this outside of the bug
report, via IRC and IRL. As we have a lot of people using DKMS for
Nvidia drivers in particular, this change should hopefully reduce a
lot of upgrade pain for our users.
Debdiff attached.
unblock shim-signed/1.47
diff -Nru shim-signed-1.46/debian/changelog shim-signed-1.47/debian/changelog --- shim-signed-1.46/debian/changelog 2025-06-23 11:55:56.000000000 +0100
+++ shim-signed-1.47/debian/changelog 2025-07-29 18:40:12.000000000 +0100
@@ -1,3 +1,16 @@
+shim-signed (1.47) unstable; urgency=medium
+
+ * update-secureboot-policy: do better checking around DKMS
+ If we have DKMS modules installed:
+ + Check to see if a DKMS MOK key has been created and enrolled;
+ + Check that all the DKMS modules are signed with that key;
+ If successful, don't tell users to disable Secure Boot.
+ Closes: #1108278.
+ Add dependencies on openssl and kmod for shim-signed-common,
+ needed for implementing these check.
+
+ -- Steve McIntyre <
[email protected]> Tue, 29 Jul 2025 18:40:14 +0100
+
shim-signed (1.46) unstable; urgency=medium
* No-change rebuild to upload source-only. Argh. :-/
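Review bot: typo in the new changelog entry, "needed for implementing these check" should read "these checks". The entry would also be clearer if it stated the failure mode of the new logic: when the MOK key is not enrolled, or any DKMS module is unsigned or signed with a different key, the script must fall back to the existing advice rather than stay silent, which is the behaviour the cover letter's "reduce the chances of DKMS users being locked out" rationale relies on.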
diff -Nru shim-signed-1.46/debian/control shim-signed-1.47/debian/control
--- shim-signed-1.46/debian/control 2025-06-22 22:53:36.000000000 +0100
+++ shim-signed-1.47/debian/control 202
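The two checks the changelog describes (MOK key enrolled, every DKMS module signed with it), as an added example that is not the package's own update-secureboot-policy code. It assumes the DKMS certificate is the DER file /var/lib/dkms/mok.pub, that mokutil --test-key exits 0 when the key is enrolled, and that modinfo's sig_key field carries the signing certificate's serial number; the check fails closed on any mismatch.

```shell
#!/bin/sh
# Illustrative check, not the shim-signed package's script.
MOK_DER="${MOK_DER:-/var/lib/dkms/mok.pub}"   # assumption: dkms 3.x MOK cert path

# Normalise a key id from either tool: drop the "serial=" prefix that
# openssl prints, the colons that modinfo prints, case, and leading zeros.
norm_keyid() {
    printf '%s' "$1" | sed -e 's/^serial=//' -e 's/://g' \
        | tr 'a-f' 'A-F' | sed -e 's/^0*//'
}

# $1 = output of "openssl x509 -noout -serial", $2 = output of "modinfo -F sig_key".
# Returns 0 only when both are non-empty and identical after normalisation.
keyid_matches() {
    [ -n "$(norm_keyid "$2")" ] && [ "$(norm_keyid "$1")" = "$(norm_keyid "$2")" ]
}

# Returns 0 only when the MOK cert exists, is enrolled, and every DKMS-built
# module for the running kernel is signed with it; anything else returns 1 so
# the caller keeps giving the existing "Secure Boot" advice.
dkms_modules_ok() {
    cert="${1:-$MOK_DER}"
    [ -r "$cert" ] || return 1
    mokutil --test-key "$cert" >/dev/null 2>&1 || return 1   # enrolled?
    serial=$(openssl x509 -in "$cert" -inform DER -noout -serial) || return 1
    found=0
    for ko in $(find "/lib/modules/$(uname -r)/updates/dkms" -name '*.ko*' 2>/dev/null); do
        found=1
        # sig_key is empty for an unsigned module, so this fails closed too.
        keyid_matches "$serial" "$(modinfo -F sig_key "$ko" 2>/dev/null)" || return 1
    done
    [ "$found" -eq 1 ]
}
```

Only keyid_matches is exercised offline; dkms_modules_ok needs mokutil, openssl and kmod on a real system, which is why the changelog adds those dependencies.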