• Bug#1110177: systemd-boot postinst fails if ESP is not mounted

    From Fabian Grünbichler@21:1/5 to All on Thu Jul 31 10:00:01 2025
    Package: systemd-boot
    Version: 257.7-1
    Severity: normal
    X-Debbugs-Cc: [email protected]

    Hi!

    on a system with systemd-boot-efi installed (and not its signed counterpart), but shim-signed installed, systemd-boot's postinst will fail every other time if the ESP is not mounted.

    I used reinstalling shim-signed as trigger here:

    Log started: 2025-07-31 03:09:11
    Preparing to unpack .../shim-signed_1.46+15.8-1_amd64.deb ...
    Unpacking shim-signed:amd64 (1.46+15.8-1) over (1.46+15.8-1) ...
    Setting up shim-signed:amd64 (1.46+15.8-1) ...
    No DKMS packages installed: not changing Secure Boot validation state.
    Processing triggers for systemd-boot (257.7-1) ...
    dpkg: error processing package systemd-boot (--configure):
    installed systemd-boot package post-installation script subprocess returned error exit status 1
    Errors were encountered while processing:
    systemd-boot
    Log ended: 2025-07-31 03:09:12

    Log started: 2025-07-31 03:09:14
    Preparing to unpack .../shim-signed_1.46+15.8-1_amd64.deb ...
    Unpacking shim-signed:amd64 (1.46+15.8-1) over (1.46+15.8-1) ...
    Setting up shim-signed:amd64 (1.46+15.8-1) ...
    No DKMS packages installed: not changing Secure Boot validation state.
    Setting up systemd-boot (257.7-1) ...
    Log ended: 2025-07-31 03:09:14


    The culprit is the invocation of

    esp_path="$(bootctl --quiet --print-esp-path 2>/dev/null)"

    in remove_shim() in systemd-boot's postinst, combined with `set -e`.

    Executing this command exits with exit code 1 if no ESP can be found.

    I understand this is a bit of an exotic setup, but I don't think having this particular combination of packages installed without a currently mounted ESP is in some way forbidden, and there might be valid reasons like manually managing multiple ESPs, or robustness concerns about having the ESP mounted all the time, that make it likely to trigger in practice.

    I think the fix is quite simple - gracefully handle no ESP being mounted, which seems to already be the intention. E.g., the invocation could be extended with a final `|| true` to make it infallible.

    -- System Information:
    Debian Release: 13.0
    APT prefers testing-security
    APT policy: (500, 'testing-security'), (500, 'testing')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.12.38+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages systemd-boot depends on:
    ii libc6 2.41-11
    ii libsystemd-shared 257.7-1
    ii systemd 257.7-1
    ii systemd-boot-efi 257.7-1
    ii systemd-boot-tools 257.7-1

    Versions of packages systemd-boot recommends:
    ii efibootmgr 18-2
    ii shim-signed 1.46+15.8-1

    Versions of packages systemd-boot suggests:
    pn systemd-ukify <none>

    -- no debconf information

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
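
The failure mode and the proposed `|| true` guard from the report above, reproduced as an added example (not code from the Debian package or from the reporter). `find_esp` is a hypothetical stand-in for `bootctl --quiet --print-esp-path`, the surrounding steps are a simplified assumption, and the guard is placed inside the command substitution as one way of appending it.

```shell
#!/bin/sh
# Constructed stand-in for `bootctl --quiet --print-esp-path` (hypothetical):
# prints $ESP and exits 0 when it is set, prints nothing and exits 1 otherwise.
STUB='find_esp() { [ -n "${ESP:-}" ] && printf "%s\n" "$ESP"; }'

# Simplified remainder of a postinst-like step: skip quietly when no ESP.
TAIL='if [ -z "$esp_path" ]; then echo "skipped: no ESP"; exit 0; fi
echo "using $esp_path"'

# Original form. A plain assignment returns the exit status of its command
# substitution, so under `set -e` the script stops at the assignment and the
# "skip when empty" check below it is never reached.
unguarded() {
    ESP="${1:-}" sh -c "$STUB"'
set -e
esp_path="$(find_esp 2>/dev/null)"
'"$TAIL"
}

# Guarded form. `|| true` forces status 0, esp_path stays empty, and the
# existing emptiness check handles the missing ESP.
guarded() {
    ESP="${1:-}" sh -c "$STUB"'
set -e
esp_path="$(find_esp 2>/dev/null || true)"
'"$TAIL"
}

# Demo: no ESP available, then a constructed sample path.
unguarded || echo "unguarded, no ESP: exit status $?"
guarded
guarded /boot/efi
```

Each variant runs in a fresh `sh -c` process because `set -e` is ignored inside a function or subshell that is itself called on the left of `||` or in an `if` condition.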
  • From Fabian Grünbichler@21:1/5 to All on Thu Jul 31 10:50:01 2025
    Control: tags -1 patch

    verified that the attached patch makes the postinst handle this
    situation gracefully

