package shim (not installed) failed to install/upgrade: subprocess dpkg-deb --control returned error exit status 2

Bug #1792497 reported by PRATIK PANDYA on 2018-09-14
134
This bug affects 29 people
Affects Status Importance Assigned to Milestone
shim (Ubuntu)
Critical
Unassigned
Trusty
Critical
Mathieu Trudel-Lapierre
shim-signed (Ubuntu)
Critical
Unassigned
Trusty
Critical
Mathieu Trudel-Lapierre

Bug Description

This happened just after installing ubuntu 14.04.5 LTS along side with windows 10.
The installation was complete and no login loop issue was there.

Moreover , the system stated an error due to shim not being installed. The two screen monitor is not working and the other monitor is black..

ProblemType: Package
DistroRelease: Ubuntu 14.04
Package: shim (not installed)
ProcVersionSignature: Ubuntu 4.4.0-135.161~14.04.1-generic 4.4.140
Uname: Linux 4.4.0-135-generic x86_64
.proc.sys.kernel.moksbstate.disabled: 0
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
BootEFIContents:
 grub.cfg
 grubx64.efi
 mmx64.efi
 shimx64.efi
Date: Fri Sep 14 11:30:55 2018
EFITables:
 Sep 14 11:32:42 plp-ROS kernel: [ 0.000000] efi: EFI v2.50 by American Megatrends
 Sep 14 11:32:42 plp-ROS kernel: [ 0.000000] efi: ACPI 2.0=0x8ea21000 ACPI=0x8ea21000 SMBIOS=0x8f644000 SMBIOS 3.0=0x8f643000 ESRT=0x8a498698
 Sep 14 11:32:42 plp-ROS kernel: [ 0.000000] esrt: Reserving ESRT space from 0x000000008a498698 to 0x000000008a4986f8.
ErrorMessage: subprocess dpkg-deb --control returned error exit status 2
InstallationDate: Installed on 2018-09-14 (0 days ago)
InstallationMedia: Ubuntu 14.04.5 LTS "Trusty Tahr" - Release amd64 (20160803)
RelatedPackageVersions:
 dpkg 1.17.5ubuntu5.7
 apt 1.0.1ubuntu2.14
SecureBoot: 6 0 0 0 0
SourcePackage: shim
Title: package shim (not installed) failed to install/upgrade: subprocess dpkg-deb --control returned error exit status 2
UpgradeStatus: No upgrade log present (probably fresh install)

PRATIK PANDYA (pandyaji) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shim (Ubuntu):
status: New → Confirmed
Alon Eldi (alon.eldi) wrote :

In my case I have installed ubuntu 14.0.5 instead of windows 10 and got this error

Robie Basak (racb) wrote :

The logs here are missing, but I think the likely cause is this:

$ sudo apt-get -f install
Reading package lists... Done
Building dependency tree
Reading state information... Done
Correcting dependencies... Done
The following extra packages will be installed:
  shim
The following NEW packages will be installed
  shim
0 to upgrade, 1 to newly install, 0 to remove and 207 not to upgrade.
3 not fully installed or removed.
Need to get 0 B/440 kB of archives.
After this operation, 2,448 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
dpkg-deb: error: archive '/var/cache/apt/archives/shim_13-0ubuntu2_amd64.deb' has premature member 'control.tar.xz' before 'control.tar.gz', giving up
dpkg: error processing archive /var/cache/apt/archives/shim_13-0ubuntu2_amd64.deb (--unpack):
 subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/shim_13-0ubuntu2_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

I can't be certain that this is exactly what the reporter hit, but it seems likely enough to me that I think it's safe to assume it for now.

Thanks to sam_w on IRC for providing this and finding this bug.

tags: added: regression-update
Changed in shim (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Critical
Robie Basak (racb) wrote :

Łukasz, looks like you binary published Trusty's shim built on Bionic. Please could you take a look?

Some discussion at: https://irclogs.ubuntu.com/2018/10/16/%23ubuntu-devel.html

Steve Langasek (vorlon) wrote :

It's correct that the shim binary that gets published to trusty is built on bionic; we only have one shim binary that's current at any given time (each must be signed separately by microsoft, we don't have separate binaries per series). But obviously the .deb published to trusty needs to be installable with trusty dpkg.

I don't understand how this SRU could ever have passed verification if the .deb isn't installable with the trusty dpkg, however.

Changed in shim (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Steve Langasek (vorlon) wrote :

I see; the version of dpkg in trusty-updates does support control.tar.xz (dpkg 1.17.5ubuntu5.8; LP: #1730627), but the version of dpkg in the trusty release pocket does not. So testing on an up-to-date trusty environment would not hit this bug.

This can be fixed by either a versioned pre-dependency on dpkg >= 1.17.5ubuntu5.8, or by changing the shim packaging to use gz compression for control.tar instead of the current default xz.

Either solution requires a round-trip to Microsoft for binary signing, since we must update the shim package. (Unless the reproducible binary handling of shim is now so good that we can reuse the existing signature?)

If we have to do a round-trip for shim signing, it may help as a short-term workaround to add a pre-dependency on dpkg to the shim-signed package. It's not guaranteed to give the correct ordering but it may be sufficient to solve the problem for many users.

Steve Langasek (vorlon) wrote :

And in fact, I see that trusty-updates currently has shim 13-0ubuntu2, but the newest version in cosmic/bionic is 15+1533136590.3beb971-0ubuntu1 which has not yet been SRUed to trusty because there are updates needed for other packages before it can land.

And the version of gnu-efi in bionic has changed in bionic-updates since shim 13-0ubuntu2 was built. There have also been updates to the toolchain in bionic since that binary was built. So I don't believe there is any possibility of a no-change rebuild of shim in bionic or cosmic resulting in a matching binary that passes signature checks.

tags: added: id-5bc60ea82a981443709c5ee4
Changed in shim-signed (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in shim (Ubuntu):
status: Triaged → Fix Released
Changed in shim-signed (Ubuntu):
status: Triaged → Fix Released
Changed in shim (Ubuntu Trusty):
status: New → Triaged
Changed in shim-signed (Ubuntu Trusty):
status: New → Triaged
Changed in shim (Ubuntu Trusty):
importance: Undecided → Critical
Changed in shim-signed (Ubuntu Trusty):
importance: Undecided → Critical
Changed in shim (Ubuntu):
assignee: Mathieu Trudel-Lapierre (cyphermox) → nobody
Changed in shim-signed (Ubuntu):
assignee: Mathieu Trudel-Lapierre (cyphermox) → nobody
Changed in shim-signed (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in shim (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)

Hello PRATIK, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~14.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-trusty
Kevin O'Grman (zmkstop) wrote :

Hi, we encountered this error during installations of the SecureDrop application, which uses Ubuntu 14.0.4.5 for its server-side OS. We put out an advisory which you can find here: https://securedrop.org/news/advisory-server-installation-failure-uefi-boot-mode/ -but basically we're seeing the same error as described above.

I just tried an install using the new shim-signed package as follows:
1) installed Ubuntu 14.04.5 to servers
2) updated /etc/apt/sources.list to include the trusty-proposed repository
3) ran sudo apt-get update

Then I proceeded with the SecureDrop install, which failed at the same task and with the same error as before:

---
fatal: [app]: FAILED! => {"cache_update_time": 1540315459, "cache_updated": false, "changed": false, "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\" install 'securedrop-keyring'' failed: E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).\n", "rc": 100, "stderr": "E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).\n", "stderr_lines": ["E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution)."], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nYou might want to run 'apt-get -f install' to correct these:\nThe following packages have unmet dependencies:\n shim-signed : Depends: shim (= 13-0ubuntu2) but it is not going to be installed\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "You might want to run 'apt-get -f install' to correct these:", "The following packages have unmet dependencies:", " shim-signed : Depends: shim (= 13-0ubuntu2) but it is not going to be installed"]}
---
This is Ansible output - the actual apt-get command that failed is:

   apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" install 'securedrop-keyring'

I also tried installing shim-signed directly on the server with the command:
   sudo apt-get install shinm-signed/trusty-proposed

This failed with a similar error about the shim package being an unmet dependency.

Unless I'm setting up the -proposed repo incorrectly, I don't believe adding dpkg as a predependency fixes this bug.

tags: added: verification-failed-trusty
removed: verification-needed-trusty
Steve Langasek (vorlon) wrote :

shim 13-0ubuntu2 is present in the trusty-updates repository. Did you remove trusty-updates from your sources.list when enabling trusty-proposed?

Steve Langasek (vorlon) wrote :

With the correct sources.list settings, I see:

$ sudo apt install shim-signed
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  dmsetup dpkg efibootmgr grub-common grub-efi-amd64-bin grub2-common
  libdevmapper1.02.1 libefivar0 libfreetype6 libfuse2 libpci3 mokutil shim
Suggested packages:
  multiboot-doc grub-emu xorriso desktop-base console-setup fuse
Recommended packages:
  os-prober secureboot-db
The following NEW packages will be installed:
  dmsetup efibootmgr grub-common grub-efi-amd64-bin grub2-common
  libdevmapper1.02.1 libefivar0 libfreetype6 libfuse2 libpci3 mokutil shim
  shim-signed
The following packages will be upgraded:
  dpkg
1 upgraded, 13 newly installed, 0 to remove and 87 not upgraded.
Need to get 6183 kB of archives.
After this operation, 21.6 MB of additional disk space will be used.
Do you want to continue? [Y/n]

And all packages are correctly installed in the right order.

tags: added: verification-done verification-done-trusty
removed: verification-failed-trusty verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~14.04.3

---------------
shim-signed (1.33.1~14.04.3) trusty; urgency=medium

  * debian/control: Add a Pre-Depends on dpkg (>= 1.17.5ubuntu5.8) in order
    to help ensure upgrades have the right dpkg to be able to extract shim.
    (LP: #1792497)

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 25 Oct 2018 11:21:09 -0400

Changed in shim-signed (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers