Verification-done on cosmic with grub2 / grub2-signed. Forcing an unsigned copy of the kernel, or one signed by an unknown key, leads to the system failing to upgrade, as expected:

ubuntu@ubuntu:~$ dpkg -l grub-efi\* | grep ii | awk '{ print $2" "$3 }'
grub-efi-amd64 2.02+dfsg1-5ubuntu8.1
grub-efi-amd64-bin 2.02+dfsg1-5ubuntu8.1
grub-efi-amd64-signed 1.110.1+2.02+dfsg1-5ubuntu8.1
ubuntu@ubuntu:~$ sudo apt install --reinstall grub-efi-amd64-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 295 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 grub-efi-amd64-signed amd64 1.110.1+2.02+dfsg1-5ubuntu8.1 [295 kB]
Fetched 295 kB in 0s (742 kB/s)
(Reading database ... 106062 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64-signed_1.110.1+2.02+dfsg1-5ubuntu8.1_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) over (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
Setting up grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
/boot/vmlinuz-4.18.0-14-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64-signed (--configure):
 installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 grub-efi-amd64-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
ubuntu@ubuntu:~$
ubuntu@ubuntu:~$ sudo sbsign --key ~/uefi-keys/uefi.
uefi.crt uefi.key
ubuntu@ubuntu:~$ sudo sbsign --key ~/uefi-keys/uefi.key --cert ~/uefi-keys/uefi.crt /boot/vmlinuz-4.18.0-14-matt
ubuntu@ubuntu:~$ sudo apt install grub-efi-amd64-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
grub-efi-amd64-signed is already the newest version (1.110.1+2.02+dfsg1-5ubuntu8.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
/boot/vmlinuz-4.18.0-14-matt.signed is signed, but using an unknown key:
Subject: CN = PPA cyphermox efi
/boot/vmlinuz-4.18.0-14-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64-signed (--configure):
 installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 grub-efi-amd64-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)

** Tags removed: verification-needed verification-needed-cosmic
** Tags added: verification-done-cosmic

--
https://bugs.launchpad.net/bugs/1789918

Title:
  grub2 signed kernel enforcement doesn't check on upgrade that signatures are from trusted keys