don't install unsigned fwupd efi app by default

Bug #1960783 reported by Yuan-Chen Cheng
This bug affects 1 person

Affects                | Status       | Importance | Assigned to     | Milestone
OEM Priority Project   | Fix Released | Critical   | Yuan-Chen Cheng |
fwupd (Ubuntu)         | Fix Released | Undecided  | Yuan-Chen Cheng |
  Focal                | Fix Released | Undecided  | Unassigned      |
  Impish               | Fix Released | Undecided  | Unassigned      |
fwupd-signed (Ubuntu)  | Fix Released | Undecided  | Yuan-Chen Cheng |
  Bionic               | Fix Released | Undecided  | Unassigned      |
  Focal                | Fix Released | Undecided  | Unassigned      |
  Impish               | Fix Released | Undecided  | Unassigned      |

Bug Description

Per current Ubuntu, we install the signed EFI / kernel by default.

It seems reasonable to do the same for the fwupd EFI app.

This is a follow-up bug for comments 27 ~ 35 of lp:1949412, and the SRU document also goes there.

Yuan-Chen Cheng (ycheng-twn) wrote :
information type: Proprietary → Public
description: updated
Yuan-Chen Cheng (ycheng-twn) wrote :

remove fwupd-unsigned from Recommends of fwupd-signed deb.

Changed in fwupd-signed (Ubuntu):
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
status: New → In Progress
Changed in fwupd (Ubuntu):
status: New → In Progress
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "deb diff for fwupd-signed" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Yuan-Chen Cheng (ycheng-twn) wrote :

https://github.com/fwupd/fwupd/pull/4280 is merged!

AI: prepare a fwupd debdiff with that and another patch requested by an OEM project.

Mario Limonciello (superm1) wrote :

YC: No need for debdiff work. I pulled it into debian packaging branch:
https://salsa.debian.org/efi-team/fwupd/-/commit/aae5c04c7a02e40eee8fe5436c93d8915360e839
https://salsa.debian.org/efi-team/fwupd/-/commit/516f86aac6d6e63afd977838b7ce2badda134dfe
And I uploaded to unstable. It can sync tomorrow to Jammy or so, and then after it migrates then I'll sponsor your fwupd-signed debdiff.

Yuan-Chen Cheng (ycheng-twn) wrote :

Mario: thank you!

Yuan-Chen Cheng (ycheng-twn) wrote :

AI: prepare SRU of the new fwupd-signed and fwupd for focal and impish

Mario Limonciello (superm1) wrote :

1.7.5-1 is now synced from Debian to Jammy.

Changed in fwupd (Ubuntu):
status: In Progress → Fix Released
Changed in fwupd-signed (Ubuntu):
status: In Progress → Fix Committed
Mario Limonciello (superm1) wrote :

sponsored debdiff from #2 for fwupd-signed as well

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.43

---------------
fwupd-signed (1.43) jammy; urgency=medium

  * remove fwupd-unsigned from Recommends of fwupd-signed deb. (LP: #1960783)

 -- Yuan-Chen Cheng <email address hidden> Mon, 14 Feb 2022 14:02:19 +0000

Changed in fwupd-signed (Ubuntu):
status: Fix Committed → Fix Released
Yuan-Chen Cheng (ycheng-twn) wrote :

debdiff for impish

Yuan-Chen Cheng (ycheng-twn) wrote :

debdiff for focal

Yuan-Chen Cheng (ycheng-twn) wrote :

fwupd-sign has arrived in jammy; fwupd is still in jammy-proposed.

Mario Limonciello (superm1) wrote :

> fwupd-sign has arrived in jammy; fwupd is still in jammy-proposed.

It seems that autopkgtest has a regression that needs to be dug into, happens both in Debian unstable and Ubuntu jammy.

Yuan-Chen Cheng (ycheng-twn) wrote :

check https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/arm64/f/fwupd/20220216_061543_8c886@/log.gz

It seems to have failed here:

FuMain got hint locale=C.UTF-8
WARNING: The daemon has loaded 3rd party code and is no longer supported by the upstream developers!
FuMain Called GetPlugins()
WARNING: UEFI capsule updates not available or enabled in firmware setup
  See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
Mismatched daemon and client, use fwupdmgr instead
FuMain client connection closed: Underlying GIOStream returned 0 bytes on an async read
FAIL: fwupd/fwupdmgr-p2p.test (Child process exited with code 1)

Yuan-Chen Cheng (ycheng-twn) wrote :

upstream bug for autopkgtest failure: https://github.com/fwupd/fwupd/issues/4299

Note that the failed case was just introduced in 1.7.5.

Yuan-Chen Cheng (ycheng-twn) wrote :

fwupd 1.7.5-3 has arrived in the jammy channel (as the autopkg test passed)
AI: fwupd 1.7.5-3 SRU back to focal and impish.

Yuan-Chen Cheng (ycheng-twn) wrote :

Need an SRU sponsor for fwupd-sign from #12 and #14, and for fwupd from https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd175-3-2. For the fwupd from the PPA, please remove the trailing ~p2 from the version string.

Note: please don't use fwupd-efi from the ppa above. The current one in focal-proposed and impish-proposed is good enough.

description: updated
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.7.5-3~21.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Impish):
status: New → Fix Committed
tags: added: verification-needed verification-needed-impish
Łukasz Zemczak (sil2100) wrote :

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd-signed into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.42~ubuntu21.10.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Impish):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.7.5-3~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Łukasz Zemczak (sil2100) wrote :

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.27.1ubuntu7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Focal):
status: New → Fix Committed
Yuan-Chen Cheng (ycheng-twn) wrote :

test on impish:

1. remove fwupd and related deb.
2. Turn on the proposed channel.
3. Then apt-get installs fwupd. fwupd-unsigned is not installed, fwupd-signed is installed properly.
4. Run "fwupdmgr reinstall" and choose the machine BIOS; as secure boot is off, this works perfectly. (The secure-boot-on case will be tested in another SRU bug; this one focuses on the logic that fwupd-unsigned is not installed and we can still do a BIOS upgrade as secure boot is off.)

Given above, verification done for impish.

tags: added: verification-done-impish
removed: verification-needed-impish
Yuan-Chen Cheng (ycheng-twn) wrote :

test on focal:

1. remove fwupd and related deb.
2. Turn on the proposed channel.
3. Then apt-get installs fwupd (1.7.5-3~20.04.1). fwupd-unsigned is not installed, fwupd-signed (1.27.1ubuntu7) is installed properly.
4. Run "fwupdmgr reinstall" and choose the machine BIOS; as secure boot is off, this works perfectly.

Given above, mark verification done for focal.

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Changed in oem-priority:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.7.5-3~21.10.1

---------------
fwupd (1.7.5-3~21.10.1) impish; urgency=medium

  * Backport 1.7.5-3 from jammy to impish.
  * Support several new devices (LP: #1949412, LP: #1954965, LP: #1953573)
  * fwupd / fwupd-efi source package split (LP: #1955386)
  * Don't install new fwupd-unsiged by default. (LP: #1960783)

 -- Yuan-Chen Cheng <email address hidden> Mon, 21 Feb 2022 00:12:49 +0000

Changed in fwupd (Ubuntu Impish):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.42~ubuntu21.10.2

---------------
fwupd-signed (1.42~ubuntu21.10.2) impish; urgency=medium

  * remove fwupd-unsigned from the Recommends of fwupd-signed.
    This is backported from v1.43 (LP: #1960783)

 -- Yuan-Chen Cheng <email address hidden> Wed, 16 Feb 2022 19:14:12 +0800

Changed in fwupd-signed (Ubuntu Impish):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for fwupd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.7.5-3~20.04.1

---------------
fwupd (1.7.5-3~20.04.1) focal; urgency=medium

  * Backport 1.7.5-3 from jammy to focal.
  * Support several new devices (LP: #1949412, LP: #1954965, LP: #1953573)
  * fwupd / fwupd-efi source package split (LP: #1955386)
  * Don't install new fwupd-unsiged by default. (LP: #1960783)
  * Disable flashrom in focal as it was not enabled in focal.
  * Downgrade libgusb from 0.3.5 to 0.3.4 which used in focal after
    checking through all commits between. Just what we did on previous
    focal version 1.5.11.

 -- Yuan-Chen Cheng <email address hidden> Mon, 21 Feb 2022 11:06:00 +0800

Changed in fwupd (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.27.1ubuntu7

---------------
fwupd-signed (1.27.1ubuntu7) focal; urgency=medium

  * remove fwupd-unsigned from the Recommends of fwupd-signed.
    This is backported from v1.43 (LP: #1960783)

 -- Yuan-Chen Cheng <email address hidden> Wed, 16 Feb 2022 19:14:12 +0800

Changed in fwupd-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in oem-priority:
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.51.1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
removed: verification-done
Julian Andres Klode (juliank) wrote :

Performed verification for bionic 1.51.1~18.04.1. Removing fwupd and reinstalling it installs the signed binary, not fwupd-unsigned.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
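
The package-state check from the impish, focal and bionic verification comments above (fwupd-signed installed, fwupd-unsigned not pulled in by default), as an added example that is not part of the bug report or of the fwupd packaging. The two control stanzas and the example-* package names are constructed, and control_field, field_names_pkg, pulls_in_by_default and signed_only are hypothetical helper names.

```bash
#!/bin/bash
# Added example, not part of the bug report. Both stanzas are constructed samples.
BEFORE='Package: fwupd-signed
Version: 0~constructed-before
Depends: example-base (>= 1.0)
Recommends: example-helper | example-alt,
 fwupd-unsigned (>= 1:1.0)'
AFTER='Package: fwupd-signed
Version: 0~constructed-after
Depends: example-base (>= 1.0)
Recommends: example-helper | example-alt'

# Print one control field of the deb822 stanza on stdin, unfolding continuation lines.
control_field() {
    awk -v want="$1" '
        /^[^ \t]/ { on = (tolower($0) ~ ("^" tolower(want) ":")); if (on) sub(/^[^:]*:/, "") }
        on        { printf "%s ", $0 }'
}

# Succeed if package $2 is named in field $1. Drops "(>= ver)" constraints and
# ":any"-style qualifiers, and treats "a | b" alternatives as separate names.
field_names_pkg() {
    control_field "$1" | tr ',|' '\n\n' |
        sed -e 's/([^)]*)//g' -e 's/:[a-z0-9-]*//' -e 's/[[:space:]]//g' |
        grep -qxF -- "$2"
}

# Succeed if installing the stanza's package would also install package $1 by
# default: apt follows Pre-Depends, Depends and (unless disabled) Recommends.
pulls_in_by_default() {
    local stanza f
    stanza=$(cat)
    for f in Pre-Depends Depends Recommends; do
        printf '%s\n' "$stanza" | field_names_pkg "$f" "$1" && return 0
    done
    return 1
}

# Read "<status-abbrev> <package>" lines and succeed only if fwupd-signed is
# installed (second status letter "i") and fwupd-unsigned is not.
signed_only() {
    awk '$1 ~ /^.i/ { inst[$2] = 1 }
         END { exit !(inst["fwupd-signed"] && !inst["fwupd-unsigned"]) }'
}

# On a real system (run with --live), feed the same functions from dpkg.
if [ "${1:-}" = "--live" ]; then
    dpkg-query -s fwupd-signed | pulls_in_by_default fwupd-unsigned &&
        echo "fwupd-signed still pulls in fwupd-unsigned"
    dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' fwupd-signed fwupd-unsigned 2>/dev/null |
        signed_only && echo "OK: only the signed EFI binary package is installed"
fi
```

Matching is on whole package names, so a field that lists fwupd-unsigned is not reported as naming fwupd.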
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.51.1~18.04.1

---------------
fwupd-signed (1.51.1~18.04.1) bionic; urgency=medium

  * Rebuild against fwupd-efi 1:1.4-0ubuntu0.1 (LP: #2011808)
  * Install binaries to /usr/lib/fwupd on bionic for compatibility with
    fwupd 1.2.

fwupd-signed (1.51) lunar; urgency=medium

  * Remove i386 and armhf from the architecture list
  * Check that we are signing the correct version of fwupd and it is not revoked

fwupd-signed (1.48) lunar; urgency=medium

  [ Julian Andres Klode ]
  * Rebuild for 2022v1 resigning (LP: #2003365)

  [ Andy Whitcroft ]
  * Fix signing artifact download when faced with an authenticated archive
    pool. Switch to using common download-signed from grub2/kernel.

fwupd-signed (1.44) jammy; urgency=medium

  * Built-Using must reference the source package, not binary packages.
  * Manually include the epoch in the version number for Built-Using,
    since for some reason this is not included in the version file published
    for the EFI binaries.

fwupd-signed (1.43) jammy; urgency=medium

  * remove fwupd-unsigned from Recommends of fwupd-signed deb. (LP: #1960783)

fwupd-signed (1.42) jammy; urgency=medium

  * Adjust dependency requirements. Since the package is decoupled from
    fwupd now, the version it needs to depend on doesn't need to match
    the package version.

fwupd-signed (1.41) jammy; urgency=medium

  * Build depends on fwupd-unsigned 1:1.1-3 (LP: #1955386)
  * Adjust download script to download candidate version instead of from
    "current" symlink

 -- Julian Andres Klode <email address hidden> Tue, 07 Mar 2023 13:32:57 +0100

Changed in fwupd-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released