Your message dated Sun, 10 Feb 2019 19:19:46 +0000
with message-id <[email protected]>
and subject line Bug#919067: fixed in grub2 2.02+dfsg1-11
has caused the Debian Bug report #919067,
regarding Please add a Recommends: on shim-signed
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
919067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919067
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: grub-efi-amd64-signed
Version: 1+2.02+dfsg1+9
Severity: normal
Tags: patch
Hi!
Working through the last pieces of secure boot support for Buster, I
have a working installer build and a working netinst that boot with SB
enabled and do all the right things. Yay!
The're only one thing missing from my test installations - nothing is
causing shim-signed to be installed automatically. So I have an
installation that succeeds, but the UEFI firmware will then refuse to
boot it afterward due to the lack of a signed first-stage bootloader.
The following trivial patch should fix that:
diff --git a/debian/signing-template/control.in
b/debian/signing-template/control.in
index cb84e96c6..5bb726ff9 100644
--- a/debian/signing-template/control.in
+++ b/debian/signing-template/control.in
@@ -11,6 +11,7 @@ Rules-Requires-Root: no
Package: @pkg_signed@
Architecture: @arch@
+Recommends: shim-signed [amd64]
Built-Using: grub2 (= @version_binary@)
Description: GRand Unified Bootloader, version 2 (@arch@ UEFI signed by Debian)
GRUB is a portable, powerful bootloader. This version of GRUB is based on a
[ Disclaimer: I've not *actually* tested the complete chain with this
exact change, as that's hard to do with the signing pieces. However,
this patch applies and builds fine in the grub2 source package, and
I've built a modified grub-efi-amd64-signed binary package with the
same Recommends: locally to test with. ]
I've gone for Recommends: rather than Depends to avoid any chance of a
Depends: loop. At the point when d-i or normal package installation is
running, Recommends: is enough to pull in the extra package.
NB: Ubuntu doesn't have the depends/recommends here, so I can only
assume that some other method is used to ensure that shim-signed is
installed there. I asked Steve Langasek about this, but I've not had
an answer yet.
-- System Information:
Debian Release: 9.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: grub2
Source-Version: 2.02+dfsg1-11
We believe that the bug you reported is fixed in the latest version of
grub2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated grub2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 10 Feb 2019 18:53:41 +0000
Source: grub2
Architecture: source
Version: 2.02+dfsg1-11
Distribution: unstable
Urgency: medium
Maintainer: GRUB Maintainers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 741464 917117 919012 919067 919955 921018 921249 921702
Changes:
grub2 (2.02+dfsg1-11) unstable; urgency=medium
.
[ Colin Watson ]
* Apply patches from Alexander Graf to set arm64-efi code offset to
EFI_PAGE_SIZE (closes: #919012, LP: #1812317).
* Upgrade to debhelper v10.
* Set Rules-Requires-Root: no.
* Add help and ls modules to signed UEFI images (closes: #919955).
* Fix application of answers from dpkg-reconfigure to /etc/default/grub
(based loosely on a patch by Steve Langasek, for which thanks; closes:
#921702).
.
[ Steve McIntyre ]
* Make grub-efi-amd64-signed recommend shim-signed (closes: #919067).
.
[ Jeroen Dekkers ]
* Initialize keyboard in at_keyboard module init if keyboard is ready
(closes: #741464).
.
[ John Paul Adrian Glaubitz ]
* Include a.out header in assembly of sparc64 boot loader (closes:
#921249).
.
[ Hervé Werner ]
* Fix setup on Secure Boot systems where cryptodisk is in use (closes:
#917117).
.
[ Debconf translations ]
* [de] German (Helge Kreutzmann and Holger Wansing; closes: #921018).
Checksums-Sha1:
5c7deb14f9c8a0adc283756b6d65b6fdc973582d 6691 grub2_2.02+dfsg1-11.dsc
56bbc611465bccfc6353235d9cf9f9b21913ad2b 1123332
grub2_2.02+dfsg1-11.debian.tar.xz
1190feaba38a04fe4f381eb7341c454dfc5b83f9 15043
grub2_2.02+dfsg1-11_source.buildinfo
Checksums-Sha256:
4beb037156e6f3c483df7ef6a7cc3330a0874baab08b66409395483a8a0d2e07 6691
grub2_2.02+dfsg1-11.dsc
b408945db47932c1a31fc28bef7c9cb2509b72f2e62da223b132f2a824e07b7e 1123332
grub2_2.02+dfsg1-11.debian.tar.xz
cc54c62484c6cf4dd538469038a77aff2f2ceba7bc3b6a5642d946f936390c2b 15043
grub2_2.02+dfsg1-11_source.buildinfo
Files:
1eb1dac9f4561840fd0d361f99aa3e8b 6691 admin optional grub2_2.02+dfsg1-11.dsc
0a1ae849ea3fa84eb77e3f860e3666d7 1123332 admin optional
grub2_2.02+dfsg1-11.debian.tar.xz
724a61cb110eaa549016f812fa4ba77b 15043 admin optional
grub2_2.02+dfsg1-11_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAlxgc6UACgkQOTWH2X2G
UAvxAhAApC4yre1mlinXDCV6mWGX+x48XORbmY1mVtMvQVgHaDW1PCvgbWw7V37z
P7wYlbGtvEWOS/VqbByPEK4kARPT1+kE/uVZ0LhB6iZ3xL9S7y8IvIwCZv4M+29B
gK2+YWBmMZIG2pf8jOkXaiqSYUYy0tY1JqulPqdAyJdAYFwkEay5m7jUBd9CbIra
AqS1bAEw3yu1l4dDty3fjgqaJcCVVgZ7K+HEA7HDX2XiPoGw+1dAdbA+plb/zg9u
iwPvBmXwa19olHOOWG+Da/8jzLpmtV2asd2nRp5HUlxJMfnQI2UVMtddWEcn8Lt1
C9CzQuid4jHhFbuYGORTNh7wTTWC6K+NIZWOGs7u6PmtbAuquWnN5BqLGjpTh9fD
FKSVCbX04twOLIFnFUjhMzCVrbrlAqTaPgO3RHMszdJFFJnnbvbzk9sdmza+Ax/6
F8dwPHVAa40ukNObq2gMzyAwpS3eR7/ZpOQHicH6daeFQ1OATjQMB+s4EVAMp+wI
bcBXR05fpnAUnaqoF7PIVmoonG29HZ8dkYShAhCLEIbMoaG+rexMDyUsB6DvVkIQ
V+e6EOHj0NzFyJvWL+InB2IxvWXYAWfHWVXy94vmBowPGdiBc8CuUFtQhtiS+cyZ
sHAi7gpc+R4/Rkn4h8XOQdBLWBG1otZLo9ZZzldTqZyAsqAv4bg=
=Qqny
-----END PGP SIGNATURE-----
--- End Message ---
