[SRU] Rebuild cd-boot-images-{amd64,arm64} against new shim

Bug #2076929 reported by Mate Kukri
This bug affects 2 people
Affects                          Status         Importance  Assigned to  Milestone
cd-boot-images-amd64 (Ubuntu)    Confirmed      Undecided   Unassigned
  Jammy                          Fix Committed  Undecided   Unassigned
cd-boot-images-arm64 (Ubuntu)    Confirmed      Undecided   Unassigned
  Jammy                          Fix Committed  Undecided   Unassigned

Bug Description

[ Impact ]

 * Microsoft is rolling out SBAT revocations via Windows update such that
   single-boot machines with Windows won't be able to boot shim executables
   with SBAT level less than shim,4.

 * For the 22.04.5 media we would like to include the 15.8 shim so that
   it is bootable on such machines.

[ Test Plan ]

 * Ensure that the resulting cd-boot images contain our 15.8-0ubuntu1 MS UEFI
   CA signed shim executable.

[ Where problems could occur ]

 * Impact is limited to media built using the new cd-boot images which will go
   through the usual rigorous QA process.

 * The shim and grub that will be used as part of this process will be in the Jammy
   archive before being part of media.
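
As an added illustration of the check behind the [ Impact ] and [ Test Plan ] items above (not code from this bug report or from Ubuntu's tooling): read the .sbat section of a shim image and compare its generations against a revocation entry such as shim,4. The sample SBAT text and all function names are constructed for this example.

```python
import csv
import struct

# Constructed sample of a shim .sbat section: component,generation,vendor,package,version,url
SAMPLE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    "shim.ubuntu,1,Ubuntu,shim,15.8-0ubuntu1,https://www.ubuntu.com/\n"
)


def extract_sbat(pe: bytes) -> str:
    """Return the text of the .sbat section of a PE/COFF (EFI) image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", pe, pe_off + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                            # first section header
    for i in range(nsect):
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        if name.rstrip(b"\0") == b".sbat":
            # The section is NUL-padded to file alignment; keep the text part only.
            return pe[rptr:rptr + rsize].split(b"\0", 1)[0].decode("utf-8")
    raise ValueError("image has no .sbat section")


def sbat_generations(text: str) -> dict:
    """Map each component name to its generation number (first two CSV fields)."""
    return {r[0]: int(r[1]) for r in csv.reader(text.splitlines()) if len(r) >= 2}


def revoked_components(sbat_text: str, revocations: str) -> list:
    """List components whose generation is below the revocation level.

    A component named in the revocations but absent from the image is skipped.
    """
    have = sbat_generations(sbat_text)
    return [
        f"{name},{have[name]} < {name},{minimum}"
        for name, minimum in sbat_generations(revocations).items()
        if name in have and have[name] < minimum
    ]


if __name__ == "__main__":
    print(revoked_components(SAMPLE_SBAT, "shim,4\n") or "not revoked by shim,4")
```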

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cd-boot-images-amd64 (Ubuntu):
status: New → Confirmed
Changed in cd-boot-images-arm64 (Ubuntu):
status: New → Confirmed
Andreas Hasenack (ahasenack) wrote :

I see in d/control this build-dependency:

               grub-efi-amd64-signed (= 1.187.6+2.06-2ubuntu14.4),

But in jammy we have:
$ rmadison grub-efi-amd64-signed | grep jammy
 grub-efi-amd64-signed | 1.180+2.06-2ubuntu7 | jammy | amd64
 grub-efi-amd64-signed | 1.187.6+2.06-2ubuntu14.4 | jammy-security | amd64
 grub-efi-amd64-signed | 1.187.6+2.06-2ubuntu14.4 | jammy-updates | amd64
 grub-efi-amd64-signed | 1.187.8+2.06-2ubuntu14.5 | jammy-proposed | amd64

So as soon as that jammy-proposed signed is released into updates, this cd-boot-images-amd64 package here will start to fail to build?

Andreas Hasenack (ahasenack) wrote :

It looks like that grub-efi-amd64-signed in jammy-proposed comes from https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2043084, which still needs verification, btw.

Changed in cd-boot-images-amd64 (Ubuntu):
status: Confirmed → Incomplete
Changed in cd-boot-images-arm64 (Ubuntu):
status: Confirmed → Incomplete
Mate Kukri (mkukri) wrote :

Yes, it will fail to build when the proposed GRUB gets promoted, but that is likely only after the .5 release, and we need the new shim for that.

Changed in cd-boot-images-amd64 (Ubuntu):
status: Incomplete → Confirmed
Changed in cd-boot-images-arm64 (Ubuntu):
status: Incomplete → Confirmed
Andreas Hasenack (ahasenack) wrote : Please test proposed package

Hello Mate, or anyone else affected,

Accepted cd-boot-images-amd64 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cd-boot-images-amd64/20.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in cd-boot-images-amd64 (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
Changed in cd-boot-images-arm64 (Ubuntu Jammy):
status: New → Fix Committed
Andreas Hasenack (ahasenack) wrote :

Hello Mate, or anyone else affected,

Accepted cd-boot-images-arm64 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cd-boot-images-arm64/16.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Mate Kukri (mkukri) wrote : Re: [SRU] Rebuild cd-boot-images-{amd64,arm64} against new shim and grub

So this is = Depends on grub2-signed from jammy-updates, but won't build while there is a newer one in jammy-proposed. That is a non-critical update and likely won't be verified before the point release, so getting it temporarily removed so that we can build this against shim 15.8 but the 14.4 grub is probably the best course of action.

Mate Kukri (mkukri)
summary: - [SRU] Rebuild cd-boot-images-{amd64,arm64} against new shim and grub
+ [SRU] Rebuild cd-boot-images-{amd64,arm64} against new shim
Christian Ehrhardt (paelzer) wrote :

Thanks for the clarifying MM/IRC discussions Mate!
The case is indeed clear once one cleared the view of all the different grub* things that play into this and are much more clear to you than to anyone just coming by :-).

To summarize my understanding:

- bug 2043084 brought us
  - https://launchpad.net/ubuntu/+source/grub2-unsigned/2.06-2ubuntu14.5
  - https://launchpad.net/ubuntu/+source/grub2-signed/1.187.8
  - into jammy-proposed
  - Fully verifying these takes a while
  - It is non-critical and can wait

- Now we need to quickly rebuild images against shim 15.8
  - The binaries mentioned above in -proposed block that
  - Mate drives both activities
  - He is ok to reset his bug 2043084 to unblock this more urgent one

- After this is done, bug 2043084 can re-enter proposed.
  - Mate will upload again for doing so when the time is right

Christian Ehrhardt (paelzer) wrote :

As outlined in the discussion above, I removed grub2-unsigned grub2-signed from jammy-proposed to unblock you.

Removing packages from jammy-proposed:
 grub2-unsigned 2.06-2ubuntu14.5 in jammy
  grub-efi-amd64 2.06-2ubuntu14.5 in jammy amd64
  grub-efi-amd64 2.06-2ubuntu14.5 in jammy i386
  grub-efi-amd64-bin 2.06-2ubuntu14.5 in jammy amd64
  grub-efi-amd64-bin 2.06-2ubuntu14.5 in jammy i386
  grub-efi-amd64-dbg 2.06-2ubuntu14.5 in jammy amd64
  grub-efi-amd64-dbg 2.06-2ubuntu14.5 in jammy i386
  grub-efi-arm64 2.06-2ubuntu14.5 in jammy arm64
  grub-efi-arm64-bin 2.06-2ubuntu14.5 in jammy arm64
  grub-efi-arm64-dbg 2.06-2ubuntu14.5 in jammy arm64
 grub2-signed 1.187.8 in jammy
  grub-efi-amd64-signed 1.187.8+2.06-2ubuntu14.5 in jammy amd64
  grub-efi-arm64-signed 1.187.8+2.06-2ubuntu14.5 in jammy arm64
Comment: Low urgency, but blocking urgent images rebuild against shim 15.8 (LP: #2076929, #2043084)
Remove [y|N]? y
2 packages successfully removed.

Please bring back the content of bug 2043084 once it is ready.

Andreas Hasenack (ahasenack) wrote :

> [ Test Plan ]
>
> * Ensure that the resulting cd-boot images contain our 15.8-0ubuntu1 MS UEFI
> CA signed shim executable.

Sorry, I just realized that the current test plan doesn't include an actual boot. Please add it.

Steve Langasek (vorlon) wrote :

https://launchpad.net/ubuntu/+source/cd-boot-images-amd64/20.4/+build/28901983 shows:
Get:63 http://ftpmaster.internal/ubuntu jammy-updates/main amd64 shim-signed amd64 1.51.4+15.8-0ubuntu1 [668 kB]

https://launchpad.net/ubuntu/+source/cd-boot-images-arm64/16.3/+build/28901984 shows:
Get:62 http://ftpmaster.internal/ubuntu jammy-updates/main arm64 shim-signed arm64 1.51.4+15.8-0ubuntu1 [559 kB]

Verification done.

(this was a badly-formed test case.)

tags: added: verification-done-jammy
removed: verification-needed verification-needed-jammy
Julian Andres Klode (juliank) wrote :

Andreas: The test plan for the assets included in cd-boot-images- is ensuring that it matches the expected version of the packages; the boot tests are part of their SRUs.

We don't do any real testing of cd-boot-images per se, it only affects image builds, so what we need to do generally speaking is test it contains the expected thing and then release it such that ISOs can be built with it and ISO testing happens.
