package shim (not installed) failed to install/upgrade: subprocess dpkg-deb --control returned error exit status 2

Bug #1792497 reported by PRATIK PANDYA
This bug affects 29 people
Affects | Status | Importance | Assigned to | Milestone
shim (Ubuntu) | Fix Released | Critical | Unassigned |
  Trusty | Triaged | Critical | Mathieu Trudel-Lapierre |
shim-signed (Ubuntu) | Fix Released | Critical | Unassigned |
  Trusty | Fix Released | Critical | Mathieu Trudel-Lapierre |

Bug Description

This happened just after installing Ubuntu 14.04.5 LTS alongside Windows 10.
The installation was complete and no login loop issue was there.

Moreover, the system stated an error due to shim not being installed. The two screen monitor is not working and the other monitor is black.

ProblemType: Package
DistroRelease: Ubuntu 14.04
Package: shim (not installed)
ProcVersionSignature: Ubuntu 4.4.0-135.161~14.04.1-generic 4.4.140
Uname: Linux 4.4.0-135-generic x86_64
.proc.sys.kernel.moksbstate.disabled: 0
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
BootEFIContents:
 grub.cfg
 grubx64.efi
 mmx64.efi
 shimx64.efi
Date: Fri Sep 14 11:30:55 2018
EFITables:
 Sep 14 11:32:42 plp-ROS kernel: [ 0.000000] efi: EFI v2.50 by American Megatrends
 Sep 14 11:32:42 plp-ROS kernel: [ 0.000000] efi: ACPI 2.0=0x8ea21000 ACPI=0x8ea21000 SMBIOS=0x8f644000 SMBIOS 3.0=0x8f643000 ESRT=0x8a498698
 Sep 14 11:32:42 plp-ROS kernel: [ 0.000000] esrt: Reserving ESRT space from 0x000000008a498698 to 0x000000008a4986f8.
ErrorMessage: subprocess dpkg-deb --control returned error exit status 2
InstallationDate: Installed on 2018-09-14 (0 days ago)
InstallationMedia: Ubuntu 14.04.5 LTS "Trusty Tahr" - Release amd64 (20160803)
RelatedPackageVersions:
 dpkg 1.17.5ubuntu5.7
 apt 1.0.1ubuntu2.14
SecureBoot: 6 0 0 0 0
SourcePackage: shim
Title: package shim (not installed) failed to install/upgrade: subprocess dpkg-deb --control returned error exit status 2
UpgradeStatus: No upgrade log present (probably fresh install)

PRATIK PANDYA (pandyaji) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shim (Ubuntu):
status: New → Confirmed
Alon Eldi (alon.eldi) wrote :

In my case I have installed Ubuntu 14.0.5 instead of Windows 10 and got this error.

Robie Basak (racb) wrote :

The logs here are missing, but I think the likely cause is this:

$ sudo apt-get -f install
Reading package lists... Done
Building dependency tree
Reading state information... Done
Correcting dependencies... Done
The following extra packages will be installed:
  shim
The following NEW packages will be installed
  shim
0 to upgrade, 1 to newly install, 0 to remove and 207 not to upgrade.
3 not fully installed or removed.
Need to get 0 B/440 kB of archives.
After this operation, 2,448 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
dpkg-deb: error: archive '/var/cache/apt/archives/shim_13-0ubuntu2_amd64.deb' has premature member 'control.tar.xz' before 'control.tar.gz', giving up
dpkg: error processing archive /var/cache/apt/archives/shim_13-0ubuntu2_amd64.deb (--unpack):
 subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/shim_13-0ubuntu2_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

I can't be certain that this is exactly what the reporter hit, but it seems likely enough to me that I think it's safe to assume it for now.

Thanks to sam_w on IRC for providing this and finding this bug.

tags: added: regression-update
Changed in shim (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Critical
Robie Basak (racb) wrote :

Łukasz, looks like you binary published Trusty's shim built on Bionic. Please could you take a look?

Some discussion at: https://irclogs.ubuntu.com/2018/10/16/%23ubuntu-devel.html

Steve Langasek (vorlon) wrote :

It's correct that the shim binary that gets published to trusty is built on bionic; we only have one shim binary that's current at any given time (each must be signed separately by Microsoft, we don't have separate binaries per series). But obviously the .deb published to trusty needs to be installable with trusty dpkg.

I don't understand how this SRU could ever have passed verification if the .deb isn't installable with the trusty dpkg, however.

Changed in shim (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Steve Langasek (vorlon) wrote :

I see; the version of dpkg in trusty-updates does support control.tar.xz (dpkg 1.17.5ubuntu5.8; LP: #1730627), but the version of dpkg in the trusty release pocket does not. So testing on an up-to-date trusty environment would not hit this bug.

This can be fixed by either a versioned pre-dependency on dpkg >= 1.17.5ubuntu5.8, or by changing the shim packaging to use gz compression for control.tar instead of the current default xz.

Either solution requires a round-trip to Microsoft for binary signing, since we must update the shim package. (Unless the reproducible binary handling of shim is now so good that we can reuse the existing signature?)

If we have to do a round-trip for shim signing, it may help as a short-term workaround to add a pre-dependency on dpkg to the shim-signed package. It's not guaranteed to give the correct ordering but it may be sufficient to solve the problem for many users.
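
The incompatibility described in this comment can be checked before a package is published: a .deb is an ar archive, and the name of its control member shows which dpkg can unpack it. The following is an added example, not part of the original bug thread or of Ubuntu's tooling; the function names and the sample archives are constructed for illustration, and it assumes (from the dpkg-deb error quoted earlier in the thread) that a dpkg without control.tar.xz support accepts only control.tar.gz.

```python
AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60  # name16 mtime12 uid6 gid6 mode8 size10 magic2


def ar_members(data: bytes):
    """Return [(name, size)] for each member of an ar archive (the .deb container)."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = [], len(AR_MAGIC)
    while off < len(data):
        hdr = data[off:off + HEADER_LEN]
        if len(hdr) < HEADER_LEN or hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {off}")
        name = hdr[:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii"))
        if off + HEADER_LEN + size > len(data):
            raise ValueError(f"member {name!r} is truncated")
        members.append((name, size))
        off += HEADER_LEN + size + (size & 1)  # member data is padded to even length
    return members


def control_compression(data: bytes) -> str:
    """Return the control member's suffix: "gz", "xz", or "" for plain control.tar."""
    names = [name for name, _ in ar_members(data)]
    if not names or names[0] != "debian-binary":
        raise ValueError("first member must be debian-binary")
    for name in names[1:]:
        if name == "control.tar" or name.startswith("control.tar."):
            return name[len("control.tar."):]
    raise ValueError("no control.tar member found")


def readable_by_gz_only_dpkg(data: bytes) -> bool:
    """Assumption: a dpkg without control.tar.xz support accepts only control.tar.gz."""
    return control_compression(data) == "gz"


def build_sample_deb(control_name: str) -> bytes:
    """Constructed sample: a .deb-shaped ar archive with dummy payloads."""
    def member(name: str, payload: bytes) -> bytes:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(payload):<10}`\n"
        return hdr.encode("ascii") + payload + (b"\n" if len(payload) & 1 else b"")
    return (AR_MAGIC + member("debian-binary", b"2.0\n")
            + member(control_name, b"\0" * 7) + member("data.tar.xz", b"\0" * 5))


if __name__ == "__main__":
    for name in ("control.tar.gz", "control.tar.xz"):
        deb = build_sample_deb(name)
        print(name, "->", "ok" if readable_by_gz_only_dpkg(deb) else "needs newer dpkg")
```

Running the same check against a real package file (read with `open(path, "rb").read()`) in an SRU verification step would flag an archive that only an updated dpkg can extract.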

Steve Langasek (vorlon) wrote :

And in fact, I see that trusty-updates currently has shim 13-0ubuntu2, but the newest version in cosmic/bionic is 15+1533136590.3beb971-0ubuntu1 which has not yet been SRUed to trusty because there are updates needed for other packages before it can land.

And the version of gnu-efi in bionic has changed in bionic-updates since shim 13-0ubuntu2 was built. There have also been updates to the toolchain in bionic since that binary was built. So I don't believe there is any possibility of a no-change rebuild of shim in bionic or cosmic resulting in a matching binary that passes signature checks.

tags: added: id-5bc60ea82a981443709c5ee4
Changed in shim-signed (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in shim (Ubuntu):
status: Triaged → Fix Released
Changed in shim-signed (Ubuntu):
status: Triaged → Fix Released
Changed in shim (Ubuntu Trusty):
status: New → Triaged
Changed in shim-signed (Ubuntu Trusty):
status: New → Triaged
Changed in shim (Ubuntu Trusty):
importance: Undecided → Critical
Changed in shim-signed (Ubuntu Trusty):
importance: Undecided → Critical
Changed in shim (Ubuntu):
assignee: Mathieu Trudel-Lapierre (cyphermox) → nobody
Changed in shim-signed (Ubuntu):
assignee: Mathieu Trudel-Lapierre (cyphermox) → nobody
Changed in shim-signed (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in shim (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Brian Murray (brian-murray) wrote : Please test proposed package

Hello PRATIK, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~14.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-trusty
Kevin O'Grman (zmkstop) wrote :

Hi, we encountered this error during installations of the SecureDrop application, which uses Ubuntu 14.0.4.5 for its server-side OS. We put out an advisory which you can find here: https://securedrop.org/news/advisory-server-installation-failure-uefi-boot-mode/ - but basically we're seeing the same error as described above.

I just tried an install using the new shim-signed package as follows:
1) installed Ubuntu 14.04.5 to servers
2) updated /etc/apt/sources.list to include the trusty-proposed repository
3) ran sudo apt-get update

Then I proceeded with the SecureDrop install, which failed at the same task and with the same error as before:

---
fatal: [app]: FAILED! => {"cache_update_time": 1540315459, "cache_updated": false, "changed": false, "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\" install 'securedrop-keyring'' failed: E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).\n", "rc": 100, "stderr": "E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).\n", "stderr_lines": ["E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution)."], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nYou might want to run 'apt-get -f install' to correct these:\nThe following packages have unmet dependencies:\n shim-signed : Depends: shim (= 13-0ubuntu2) but it is not going to be installed\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "You might want to run 'apt-get -f install' to correct these:", "The following packages have unmet dependencies:", " shim-signed : Depends: shim (= 13-0ubuntu2) but it is not going to be installed"]}
---
This is Ansible output - the actual apt-get command that failed is:

   apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" install 'securedrop-keyring'

I also tried installing shim-signed directly on the server with the command:
   sudo apt-get install shim-signed/trusty-proposed

This failed with a similar error about the shim package being an unmet dependency.

Unless I'm setting up the -proposed repo incorrectly, I don't believe adding dpkg as a predependency fixes this bug.

tags: added: verification-failed-trusty
removed: verification-needed-trusty
Steve Langasek (vorlon) wrote :

shim 13-0ubuntu2 is present in the trusty-updates repository. Did you remove trusty-updates from your sources.list when enabling trusty-proposed?

Steve Langasek (vorlon) wrote :

With the correct sources.list settings, I see:

$ sudo apt install shim-signed
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  dmsetup dpkg efibootmgr grub-common grub-efi-amd64-bin grub2-common
  libdevmapper1.02.1 libefivar0 libfreetype6 libfuse2 libpci3 mokutil shim
Suggested packages:
  multiboot-doc grub-emu xorriso desktop-base console-setup fuse
Recommended packages:
  os-prober secureboot-db
The following NEW packages will be installed:
  dmsetup efibootmgr grub-common grub-efi-amd64-bin grub2-common
  libdevmapper1.02.1 libefivar0 libfreetype6 libfuse2 libpci3 mokutil shim
  shim-signed
The following packages will be upgraded:
  dpkg
1 upgraded, 13 newly installed, 0 to remove and 87 not upgraded.
Need to get 6183 kB of archives.
After this operation, 21.6 MB of additional disk space will be used.
Do you want to continue? [Y/n]

And all packages are correctly installed in the right order.

tags: added: verification-done verification-done-trusty
removed: verification-failed-trusty verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~14.04.3

---------------
shim-signed (1.33.1~14.04.3) trusty; urgency=medium

  * debian/control: Add a Pre-Depends on dpkg (>= 1.17.5ubuntu5.8) in order
    to help ensure upgrades have the right dpkg to be able to extract shim.
    (LP: #1792497)

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 25 Oct 2018 11:21:09 -0400

Changed in shim-signed (Ubuntu Trusty):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
