update-secureboot-policy doesn't actually know the difference between added and removed modules when diffing (package shim-signed 1.37~18.04.2+15+1533136590.3beb971-0ubuntu1 failed to install/upgrade: installed shim-signed package post-installation script subprocess returned error exit status 1)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
shim-signed (Ubuntu) |
Triaged
|
Medium
|
Unassigned |
Bug Description
The gnome session crashed while installing updates leading to the login screen. The bug report automatically started when logged in again.
ProblemType: Package
DistroRelease: Ubuntu 18.04
Package: shim-signed 1.37~18.
ProcVersionSign
Uname: Linux 4.15.0-36-generic x86_64
NonfreeKernelMo
.proc.sys.
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
Date: Sat Oct 27 11:38:35 2018
DistributionCha
# This is a distribution channel descriptor
# For more information see http://
canonical-
EFITables:
oct 27 11:22:42 argo kernel: efi: EFI v2.40 by American Megatrends
oct 27 11:22:42 argo kernel: efi: ACPI=0x3f0c3000 ACPI 2.0=0x3f0c3000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x3fdd9018 MEMATTR=0x3c2c8018
oct 27 11:22:42 argo kernel: secureboot: Secure boot disabled
oct 27 11:22:42 argo kernel: esrt: Reserving ESRT space from 0x000000003fdd9018 to 0x000000003fdd9050.
ErrorMessage: installed shim-signed package post-installation script subprocess returned error exit status 1
InstallationDate: Installed on 2018-07-13 (105 days ago)
InstallationMedia: Ubuntu 16.04 "Xenial" - Build amd64 LIVE Binary 20160624-10:47
Python3Details: /usr/bin/python3.6, Python 3.6.6, python3-minimal, 3.6.5-3ubuntu1
PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
RelatedPackageV
dpkg 1.19.0.5ubuntu2
apt 1.6.6
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.37~18.
UpgradeStatus: Upgraded to bionic on 2018-08-25 (62 days ago)
tags: | removed: need-duplicate-check |
The error in your log is:
Setting up linux-headers- 4.15.0- 38-generic (4.15.0-38.41) ... header_ postinst. d/dkms: 0_mjm70h/ debconf. socket: Connection refused at (eval 17) line 3.) 0_mjm70h/ debconf. socket: Connection refused at (eval 17) line 3.) shim-signed/ dkms-list 2018-10-27 11:38:13.686363404 +0200 shim-signed/ dkms-list. new 2018-10-27 11:38:13.686363404 +0200 dkms/i915- 4.8-4.4 dkms/nvme- apst dkms/oem- wifi-qualcomm- ath10k- lp1734600- 4.4 dkms/virtualbox
/etc/kernel/
debconf: unable to initialize frontend: Passthrough
debconf: (Cannot connect to /tmp/aptdaemon-
debconf: falling back to frontend: Noninteractive
debconf: unable to initialize frontend: Passthrough
debconf: (Cannot connect to /tmp/aptdaemon-
debconf: falling back to frontend: Noninteractive
Running in non-interactive mode, doing nothing.
--- /var/lib/
+++ /var/lib/
@@ -1,5 +1,2 @@
/var/lib/dkms
-/var/lib/
-/var/lib/
-/var/lib/
/var/lib/
It appears you have dkms modules installed and it was determined that you needed to be prompted to register a MOK in your firmware, but because the gnome session crashed, taking the upgrader frontend with it, you could not be prompted, leading to this error.
This does look like a bug in shim-signed, though. The intent of this code is that we should only error out if there are *added* dkms modules and we don't have a MOK. In this case, there are only *removed* modules. So it should not be considered an error, but the code doesn't actually distinguish between additions and removals.
To work around this failure, you should run 'sudo dpkg --configure -a' from a terminal to follow the prompts and fully enroll a MOK.