fwupd / fwupd-efi split on version 1.7.x

Bug #1955386 reported by Yuan-Chen Cheng
This bug affects 1 person
Affects                 Status         Importance  Assigned to      Milestone
OEM Priority Project    Fix Released   Critical    Yuan-Chen Cheng
fwupd (Ubuntu)          Fix Released   Undecided   Unassigned
  Bionic                Fix Released   Undecided   Unassigned
  Focal                 Fix Released   Undecided   Unassigned
  Impish                Fix Released   Undecided   Unassigned
fwupd-efi (Ubuntu)      Fix Released   Undecided   Unassigned
fwupd-signed (Ubuntu)   Fix Released   Undecided   Unassigned
  Bionic                Fix Released   Undecided   Unassigned
  Focal                 Fix Released   Undecided   Unassigned
  Impish                Won't Fix      Undecided   Unassigned

Bug Description

[Impact]
As the current fwupd is 1.7.x and its fwupd / fwupd-efi source pkg has been split, we need a new way of packaging and landing those in Ubuntu.

Likewise, on bionic we want to move to newer signed fwupd-efi binaries.

[Test plan]
Install fwupd-signed built from fwupd-efi and the new fwupd and check that it creates boot entry. We patched out building the UEFI binary only but kept the plugin, so we need to ensure the plugin still works correctly.

[Where problems could occur]
Could have messed up disabling the UEFI bits and then people can't do UEFI firmware upgrades anymore.

[Other info]
We do not have a task for fwupd-efi as it is binary copied and we can't add it to the changelog.

[[bionic]]
On bionic the implementation is as follows (which differs from later branches where we backported 1.7):

- src:fwupd continues to build unsigned binaries and installs them, but does not submit them for signing.

- src:fwupd-unsigned binaries are not installable together with fwupd, as fwupd < 1.7.7 is broken due to them locating the binaries in /usr/libexec. Hence they are only used as building input and not installed on end user systems. They don't have to be: insecure systems can continue to use the stub shipped in fwupd itself (previous point).

- fwupd-signed is no longer provided on i386 and armhf. It is built from the binary-copied fwupd-efi now.

How does this impact users?

- Users without fwupd-signed installed will continue to use the old EFI stub shipped by fwupd itself.

- Users on amd64 and arm64 with fwupd-signed installed will receive an upgrade to the fwupd-signed built from fwupd-efi 1.4. If secure boot is disabled, they'll continue to use fwupd's old EFI stub as fwupd only uses the .signed one if secure boot is enabled.

- Users on i386 and armhf with fwupd-signed installed will remain with their installed fwupd-signed version.

- Users on i386 and armhf installing fwupd freshly will pull in an older version of fwupd-signed from security until the new fwupd is released there. Not optimal. However, fwupd does not look for the .signed version if the boot was not secure.

Alternatives:

- We can add Breaks: fwupd-signed (<< 1.51) to fwupd, however this might be ill-advised: We want to make sure that the update to fwupd is actually being installed by apt upgrade and not kept back due to APT deciding keeping fwupd-signed installed is more important (on i386, armhf).

- We can make fwupd always use a .signed version if available. Possibly later versions do. Introduces unnecessary regression potential.
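
The stub selection described in the impact notes above ("fwupd only uses the .signed one if secure boot is enabled"), as an added example that is not part of the original report and not fwupd's own code. The function names are hypothetical, the default directory and file name are the ones listed in the comments of this report, and the Secure Boot state is read from the standard efivarfs variable (4 attribute bytes followed by a 1-byte flag).

```shell
#!/bin/sh
# Added example: checks that the EFI stub fwupd is described as using
# (signed under Secure Boot, unsigned otherwise) is actually installed.
# ROOT is a prefix so the check can run against a constructed tree;
# pass "" to inspect the live system.

SB_VAR="sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state ROOT -> prints enabled, disabled or unknown
secure_boot_state() {
    var="$1/$SB_VAR"
    if [ ! -r "$var" ]; then
        # Not booted via UEFI, or efivarfs not mounted
        echo unknown
        return 0
    fi
    # Skip the 4 attribute bytes, read the single data byte as a decimal
    flag=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    case "$flag" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# expected_stub ROOT EFIDIR [NAME]
# Prints "OK <state> <path>" when the stub for the current boot mode exists,
# "FAIL <state> missing:<path>" (and returns 1) when it does not.
expected_stub() {
    root="$1"
    efidir="$2"
    name="${3:-fwupdx64.efi}"   # file name taken from the report (amd64)
    state=$(secure_boot_state "$root")
    unsigned="$root/$efidir/$name"
    signed="$unsigned.signed"

    if [ "$state" = enabled ]; then
        want="$signed"          # shipped by fwupd-signed
    else
        want="$unsigned"        # stub used on insecure boot
    fi

    if [ -f "$want" ]; then
        echo "OK $state $want"
        return 0
    fi
    echo "FAIL $state missing:$want"
    return 1
}

# Live check, only when asked for explicitly:
#   sh check-stub.sh --live
if [ "${1:-}" = "--live" ]; then
    expected_stub "" usr/libexec/fwupd/efi
fi
```

A FAIL with state `enabled` is the case the regression notes worry about: Secure Boot is on but no `.signed` stub is installed, so capsule updates cannot be staged through a trusted binary. Pass a different EFIDIR for releases that install the binaries elsewhere.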

Changed in oem-priority:
importance: Undecided → Critical
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
status: New → In Progress
Yuan-Chen Cheng (ycheng-twn) wrote :

For current fwupd 1.5.x

- Source pkg: fwupd
- Binary pkg:
    fwupd:
      /usr/libexec/fwupd/efi/fwupdx64.efi
    fwupd-amd64-signed-template:
      /usr/share/doc/fwupd-amd64-signed-template/copyright / changelog.z

- Source pkg: fwupd-signed
    How the EFI gets signed: it downloads the properly signed EFI from
    http://archive.ubuntu.com/ubuntu/dists/focal-updates/main/uefi/fwupd-amd64/current/
    There should be something behind the scenes to sign the EFI pkg and upload it there.
- Binary pkg: fwupd-signed
      /usr/libexec/fwupd/efi/fwupdx64.efi.signed
      /usr/libexec/fwupd/efi/version
      /usr/share/doc/fwupd-signed/*

Yuan-Chen Cheng (ycheng-twn) wrote :

Per fwupd 1.7.x, the source pkg for fwupd and fwupd-efi are split.
If we forget all those details in the first place, here is a proposal:

fwupd: only userspace files, no EFI app.
fwupd-unsigned:
  /usr/libexec/fwupd/efi/fwupdx64.efi
fwupd-amd64-signed-template:
  /usr/share/doc/fwupd-amd64-signed-template/*
fwupd-signed:
  /usr/libexec/fwupd/efi/fwupdx64.efi.signed
  /usr/libexec/fwupd/efi/version
  /usr/share/doc/fwupd-signed/*

With this, fwupd and fwupd-efi are kind of totally decoupled. For today, fwupd-efi does cover all existing fwupd versions. We don't know when the dependency will change for now.

Yuan-Chen Cheng (ycheng-twn) wrote :

AI: check the one Sebastien uploaded (was rejected by Steve); it seems to be what Mario uploaded to Debian.

Mario Limonciello (superm1) wrote :

It's uploaded to Debian and synced to Ubuntu, but Launchpad seems to barf on it when uploading.

https://launchpad.net/ubuntu/+source/fwupd-efi/1:1.1-1/+build/22993680
https://launchpadlibrarian.net/576959645/upload_22993680_log.txt

Mario Limonciello (superm1) wrote :

Reported the failed to upload problem here: https://bugs.launchpad.net/launchpad/+bug/1956247

Mario Limonciello (superm1) wrote :

1:1.1-3 has that fix, and fwupd-efi binaries are in NEW queue now for archive admin to review.

Changed in fwupd-efi (Ubuntu):
status: New → Fix Released
Changed in fwupd-signed (Ubuntu):
status: New → Fix Released
Derk Willem te Bokkel (dtebokkel) wrote :

perhaps the dependency of fwupd-signed should be to fwupd-unsigned instead of fwupd itself?

the fwupd-signed/jammy-proposed 1.41+1.1-3 amd64 version required fwupd 1.1-3 but only the fwupd-unsigned package has that version..

Mario Limonciello (superm1) wrote :

> perhaps the dependency of fwupd-signed should be to fwupd-unsigned instead of fwupd itself?

Yeah you're right - I was just looking at this for why it wasn't migrating and found the same myself earlier. I uploaded a fix here:

https://launchpad.net/ubuntu/+source/fwupd-signed/1.42

Mario Limonciello (superm1) wrote :

Everything has migrated to the release pocket now. The only thing pending is that the fwupd-efi package needs to promote to main: https://bugs.launchpad.net/ubuntu/+source/fwupd-efi/+bug/1956768

Changed in fwupd (Ubuntu):
status: New → Fix Released
Rex Tsai (chihchun)
tags: added: oem-priority
Yuan-Chen Cheng (ycheng-twn) wrote :

MIR is also done.

Changed in oem-priority:
status: In Progress → Fix Released
Yuan-Chen Cheng (ycheng-twn) wrote :

Temporarily changing back to In Progress as we are working on the split for focal and impish.

Changed in oem-priority:
status: Fix Released → In Progress
Yuan-Chen Cheng (ycheng-twn) wrote :

To SRU the fwupd-efi split back to impish and focal:

The source pkg fwupd-efi generates several binary pkgs: fwupd-unsigned / fwupd-amd64-signed-template / fwupd-unsigned-dev. Plus the fwupd-signed that's created later.

I don't know much about how exactly binary copy between series works. I think we need to copy binary pkgs: fwupd-signed, fwupd-unsigned and fwupd-unsigned-dev as a minimum.

Because:

fwupd build-deps on fwupd-unsigned-dev
fwupd-unsigned-dev depends on fwupd-unsigned.

Btw, I once thought that we did that on fwupd-signed before, but checking the fwupd-signed EFI binary in focal and impish, they have different md5sums, which means they are not the same binary. Not sure if we should do that this time.

If we are not going to do binary deb copy from jammy back to impish and focal, then we need fwupd-signed source pkg for impish and focal.

Yuan-Chen Cheng (ycheng-twn) wrote :

fwupd-signed for impish

Yuan-Chen Cheng (ycheng-twn) wrote :

fwupd-signed source pkg for focal

Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd-signed into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.42~ubuntu21.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Impish):
status: New → Fix Committed
tags: added: verification-needed verification-needed-impish
Changed in fwupd-signed (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Łukasz Zemczak (sil2100) wrote :

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.27.1ubuntu6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Yuan-Chen Cheng (ycheng-twn) wrote :

Installed fwupd 1.7.4-1~20.04.1 / fwupd-signed 1.27.1ubuntu6+1.2-2~20.04.1 from focal-proposed.

Target machine: Dell Latitude 5300.
Secure boot: On

Did a "fwupdmgr reinstall", and replied "y" when asked to reboot.

Confirmed that:
1. It rebooted properly to run the fwupd EFI app to re-install the BIOS.
2. It showed BIOS install success and then rebooted.
3. It rebooted into Ubuntu successfully.

Given so, I'll mark verified done for focal.

tags: added: verification-done-focal
removed: verification-needed-focal
Łukasz Zemczak (sil2100) wrote :

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.7.5-3~21.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Impish):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.7.5-3~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
removed: verification-done-focal
Yuan-Chen Cheng (ycheng-twn) wrote :

Per https://bugs.launchpad.net/oem-priority/+bug/1960783/comments/25, the updated fwupd from the proposed channel works fine on impish after the EFI split. So I'll change this to verification done for impish.

tags: added: verification-done-impish
removed: verification-needed-impish
Yuan-Chen Cheng (ycheng-twn) wrote :

Per https://bugs.launchpad.net/oem-priority/+bug/1960783/comments/26, the updated fwupd from the proposed channel works fine on focal after the EFI split. So I'll change this to verification done for focal.

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Changed in oem-priority:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.7.5-3~21.10.1

---------------
fwupd (1.7.5-3~21.10.1) impish; urgency=medium

  * Backport 1.7.5-3 from jammy to impish.
  * Support several new devices (LP: #1949412, LP: #1954965, LP: #1953573)
  * fwupd / fwupd-efi source package split (LP: #1955386)
  * Don't install new fwupd-unsiged by default. (LP: #1960783)

 -- Yuan-Chen Cheng <email address hidden> Mon, 21 Feb 2022 00:12:49 +0000

Changed in fwupd (Ubuntu Impish):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for fwupd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.7.5-3~20.04.1

---------------
fwupd (1.7.5-3~20.04.1) focal; urgency=medium

  * Backport 1.7.5-3 from jammy to focal.
  * Support several new devices (LP: #1949412, LP: #1954965, LP: #1953573)
  * fwupd / fwupd-efi source package split (LP: #1955386)
  * Don't install new fwupd-unsiged by default. (LP: #1960783)
  * Disable flashrom in focal as it was not enabled in focal.
  * Downgrade libgusb from 0.3.5 to 0.3.4 which used in focal after
    checking through all commits between. Just what we did on previous
    focal version 1.5.11.

 -- Yuan-Chen Cheng <email address hidden> Mon, 21 Feb 2022 11:06:00 +0800

Changed in fwupd (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.27.1ubuntu7

---------------
fwupd-signed (1.27.1ubuntu7) focal; urgency=medium

  * remove fwupd-unsigned from the Recommends of fwupd-signed.
    This is backported from v1.43 (LP: #1960783)

 -- Yuan-Chen Cheng <email address hidden> Wed, 16 Feb 2022 19:14:12 +0800

Changed in fwupd-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in oem-priority:
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote :

Ubuntu 21.10 (Impish Indri) has reached end of life, so this bug will not be fixed for that specific release.

Changed in fwupd-signed (Ubuntu Impish):
status: Fix Committed → Won't Fix
no longer affects: fwupd-efi (Ubuntu Bionic)
description: updated
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.51.1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
removed: verification-done
Changed in fwupd (Ubuntu Bionic):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.2.14-0~18.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Julian Andres Klode (juliank) wrote :

I have checked that fwupd-signed 1.51.1~18.04.1 successfully starts with both old and new shim.

> Install fwupd-signed built from fwupd-efi and the new fwupd and check that it creates boot entry. We patched out building the UEFI binary only but kept the plugin, so we need to ensure the plugin still works correctly.

I have done that too, in fact I removed and reinstalled fwupd first anyhow due to the other SRU bug and there was no entry before.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.2.14-0~18.04.3

---------------
fwupd (1.2.14-0~18.04.3) bionic; urgency=medium

  * Do not submit fwupd tarballs for signing (LP: #1955386).
    We still build and install the unsigned binaries so that if you do not
    have fwupd-signed installed (which is not possible on i386 and armhf
    anymore) your fwupd continues to function (on insecure boot, as before).
  * Remove -signed-template helpers, they are owned by fwupd-efi now

 -- Julian Andres Klode <email address hidden> Tue, 23 May 2023 17:46:42 +0200

Changed in fwupd (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.51.1~18.04.1

---------------
fwupd-signed (1.51.1~18.04.1) bionic; urgency=medium

  * Rebuild against fwupd-efi 1:1.4-0ubuntu0.1 (LP: #2011808)
  * Install binaries to /usr/lib/fwupd on bionic for compatibility with
    fwupd 1.2.

fwupd-signed (1.51) lunar; urgency=medium

  * Remove i386 and armhf from the architecture list
  * Check that we are signing the correct version of fwupd and it is not revoked

fwupd-signed (1.48) lunar; urgency=medium

  [ Julian Andres Klode ]
  * Rebuild for 2022v1 resigning (LP: #2003365)

  [ Andy Whitcroft ]
  * Fix signing artifact download when faced with an authenticated archive
    pool. Switch to using common download-signed from grub2/kernel.

fwupd-signed (1.44) jammy; urgency=medium

  * Built-Using must reference the source package, not binary packages.
  * Manually include the epoch in the version number for Built-Using,
    since for some reason this is not included in the version file published
    for the EFI binaries.

fwupd-signed (1.43) jammy; urgency=medium

  * remove fwupd-unsigned from Recommends of fwupd-signed deb. (LP: #1960783)

fwupd-signed (1.42) jammy; urgency=medium

  * Adjust dependency requirements. Since the package is decoupled from
    fwupd now, the version it needs to depend on doesn't need to match
    the package version.

fwupd-signed (1.41) jammy; urgency=medium

  * Build depends on fwupd-unsigned 1:1.1-3 (LP: #1955386)
  * Adjust download script to download candidate version instead of from
    "current" symlink

 -- Julian Andres Klode <email address hidden> Tue, 07 Mar 2023 13:32:57 +0100

Changed in fwupd-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released