Comment 6 for bug 1673817

Per my last comment on IRC, I think 'exit 1' is actually better here because we aren't taking the specified action. grub calls update-secureboot-policy || true, but that just sets the trigger anyway. shim-signed calls without the || true, and so the trigger will fail under this condition. But ultimately it's going to fail no matter what, we're better off failing immediately instead of only when someone notices the full logs and kills the process.