Bug#1138871: fwupd fails to find CA updates

Steve McIntyre Thu, 04 Jun 2026 18:13:17 -0700

Package: fwupd
Version: 2.0.8-3+deb13u1
Severity: important
Justification: urgently needed for rolling out CA updates


Hi,

I'm running fwupd in Trixie and expecting to get CA updates for the
machine it's running on. Unfortunately, it's not working. I've run
"fwupdtool refresh" and "fwupdtool get-updates" multiple times and
it's not happening. The latest output on this Thinkpad s

# fwupdtool get-updates
...
Devices with no available firmware updates: 
 • KEK CA
 • KEK CA
 • SBAT
 • THNSF5256GPUK TOSHIBA
 • ThinkPad Product CA
 • UEFI CA
 • UEFI CA
 • UEFI dbx
 • Windows Production PCA
Devices with the latest available firmware version:
 • Embedded Controller
 • Intel Management Engine
 • System Firmware
No updates available for remaining devices

It doesn't have the 2023 CAs installed in DB:

# mokutil --db | grep Subject:.*Microsoft
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Corporation UEFI CA 2011
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Windows Production PCA 2011

------

On another similar Thinkpad running the backport version
2.0.20-1~bpo13+1, things worked flawlessly and I'm currently looking
at:

# fwupdtool get-updates
...
Devices with no available firmware updates:
 • KEK CA
 • UEFI Device Firmware
 • UEFI Device Firmware
 • UEFI Device Firmware
 • UEFI Device Firmware
 • UEFI Device Firmware
 • Integrated Camera
 • KEK CA
 • Option ROM UEFI CA
 • Prometheus (IOTA Config)
 • SBAT
 • ThinkPad Product CA
 • UEFI CA
 • WD BLACK SN850X 1000GB
 • Windows Production PCA
Devices with the latest available firmware version:
 • Embedded Controller
 • Intel Management Engine
 • System Firmware
 • Prometheus
 • UEFI CA
 • UEFI dbx
No updates available for remaining devices

This machine updated fine on a previous run and has the latest keys in
DB:

# mokutil --db | grep Subject:.*Microsoft
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Corporation UEFI CA 2011
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Windows Production PCA 2011
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 
2023

Although even here it's not picking up on the latest Windows CA that
I'd expect:

        Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023

-- System Information:
Debian Release: 13.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.90+deb13-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fwupd depends on:
ii  libarchive13t64             3.7.4-4+deb13u1
ii  libblkid1                   2.41-5
ii  libc6                       2.41-12+deb13u3
ii  libcbor0.10                 0.10.2-2
ii  libcurl3t64-gnutls          8.14.1-2+deb13u3
ii  libdrm-amdgpu1              2.4.124-2
ii  libdrm2                     2.4.124-2
ii  libflashrom1                1.4.0-3
ii  libfwupd3                   2.0.14-1
ii  libglib2.0-0t64             2.84.4-3~deb13u3
ii  libgnutls30t64              3.8.9-3+deb13u4
ii  libjcat1                    0.2.3-1
ii  libjson-glib-1.0-0          1.10.6+ds-2
ii  liblzma5                    5.8.1-1
ii  libmbim-glib4               1.32.0-1
ii  libmbim-proxy               1.32.0-1
ii  libmm-glib0                 1.24.0-1+deb13u1
ii  libpolkit-gobject-1-0       126-2
ii  libprotobuf-c1              1.5.1-1
ii  libqmi-glib5                1.36.0-1
ii  libqmi-proxy                1.36.0-1
ii  libsqlite3-0                3.46.1-7+deb13u1
ii  libsystemd0                 257.13-1~deb13u1
ii  libtss2-esys-3.0.2-0t64     4.1.3-1.2
ii  libusb-1.0-0                2:1.0.28-1
ii  libxmlb2                    0.3.22-1
ii  shared-mime-info            2.4-5+b2
ii  systemd [systemd-sysusers]  257.13-1~deb13u1
ii  zlib1g                      1:1.3.dfsg+really1.3.1-1+b1

Versions of packages fwupd recommends:
ii  bolt                               0.9.8-1
ii  dbus [default-dbus-system-bus]     1.16.2-2
ii  fwupd-amd64-signed [fwupd-signed]  1:1.7+1
ii  jq                                 1.7.1-6+deb13u2
ii  python3                            3.13.5-1
ii  udisks2                            2.10.1-12.1+deb13u1

Versions of packages fwupd suggests:
pn  gir1.2-fwupd-2.0  <none>

-- Configuration Files:
/etc/fwupd/fwupd.conf [Errno 13] Permission denied: '/etc/fwupd/fwupd.conf'
/etc/fwupd/remotes.d/lvfs-testing.conf changed [not included]

-- debconf-show failed

Bug#1138871: fwupd fails to find CA updates

Reply via email to