Ubuntu
grub2 package

  1. Trusty (14.04)
  2. Bug #1789918
  3. Comment #22

Comment 22 for bug 1789918

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done on cosmic with grub2 / grub2-signed.

Forcing an unsigned copy of the kernel, or one signed by an unknown key leads to the system failing to upgrade, as expected:

ubuntu@ubuntu:~$ dpkg -l grub-efi\* | grep ii | awk '{ print $2" "$3 }'
grub-efi-amd64 2.02+dfsg1-5ubuntu8.1
grub-efi-amd64-bin 2.02+dfsg1-5ubuntu8.1
grub-efi-amd64-signed 1.110.1+2.02+dfsg1-5ubuntu8.1
ubuntu@ubuntu:~$ sudo apt install --reinstall grub-efi-amd64-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 295 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 grub-efi-amd64-signed amd64 1.110.1+2.02+dfsg1-5ubuntu8.1 [295 kB]
Fetched 295 kB in 0s (742 kB/s)
(Reading database ... 106062 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64-signed_1.110.1+2.02+dfsg1-5ubuntu8.1_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) over (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
Setting up grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
/boot/vmlinuz-4.18.0-14-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64-signed (--configure):
 installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 grub-efi-amd64-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
ubuntu@ubuntu:~$
ubuntu@ubuntu:~$ sudo sbsign --key ~/uefi-keys/uefi.
uefi.crt uefi.key
ubuntu@ubuntu:~$ sudo sbsign --key ~/uefi-keys/uefi.key --cert ~/uefi-keys/uefi.crt /boot/vmlinuz-4.18.0-14-matt
ubuntu@ubuntu:~$ sudo apt install grub-efi-amd64-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
grub-efi-amd64-signed is already the newest version (1.110.1+2.02+dfsg1-5ubuntu8.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
/boot/vmlinuz-4.18.0-14-matt.signed is signed, but using an unknown key:
        Subject: CN = PPA cyphermox efi
/boot/vmlinuz-4.18.0-14-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64-signed (--configure):
 installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 grub-efi-amd64-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)