Comment 7 for bug 1792497

I see; the version of dpkg in trusty-updates does support control.tar.xz (dpkg 1.17.5ubuntu5.8; LP: #1730627), but the version of dpkg in the trusty release pocket does not. So testing on an up-to-date trusty environment would not hit this bug.

This can be fixed by either a versioned pre-dependency on dpkg >= 1.17.5ubuntu5.8, or by changing the shim packaging to use gz compression for control.tar instead of the current default xz.

Either solution requires a round-trip to Microsoft for binary signing, since we must update the shim package. (Unless the reproducible binary handling of shim is now so good that we can reuse the existing signature?)

If we have to do a round-trip for shim signing, it may help as a short-term workaround to add a pre-dependency on dpkg to the shim-signed package. It's not guaranteed to give the correct ordering but it may be sufficient to solve the problem for many users.