Your message dated Mon, 23 Oct 2023 10:43:20 +0100
with message-id <[email protected]>
and subject line Re: Postinst installs unsigned (unbootable) efi on secure boot
systems
has caused the Debian Bug report #1054394,
regarding Postinst installs unsigned (unbootable) efi on secure boot systems
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1054394: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054394
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: systemd-boot
Version: 252.12-1~deb12u1
When updating systemd-boot on a system with secure-boot
enabled, the postinst calls `bootctl update --graceful` which
installs an unsigned efi. This will overwrite an existing efi
with correct signature and cause the system to not boot
anymore, because of a security violation.
The postinst should either read a config file, so users can disable
this behavior or only update the efi when it has the correct
signature.
--- End Message ---
--- Begin Message ---
Control: tags -1 wontfix
On Mon, 23 Oct 2023 09:32:49 +0000 sympathischerwal
<[email protected]> wrote:
> Package: systemd-boot
> Version: 252.12-1~deb12u1
>
> When updating systemd-boot on a system with secure-boot
> enabled, the postinst calls `bootctl update --graceful` which
> installs an unsigned efi. This will overwrite an existing efi
> with correct signature and cause the system to not boot
> anymore, because of a security violation.
>
> The postinst should either read a config file, so users can disable
> this behavior or only update the efi when it has the correct
> signature.
That's expected, Debian does not currently sign these binaries. If you
are running with secure boot, without your own keys, simply do not
install this package.
--
Kind regards,
Luca Boccassi
--- End Message ---
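
The report's second suggestion, updating the EFI binary only when it is signed, could be approximated by a pre-update guard like the one below. This is an added example, not code from the systemd-boot package or its postinst. All function names and the sample headers are constructed for illustration. The check only detects whether a PE certificate table is present; it does not establish that the firmware trusts the signer.

```python
import struct

# efivarfs path of the SecureBoot variable (EFI global-variable GUID)
SECURE_BOOT_VAR = ("/sys/firmware/efi/efivars/"
                   "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")

def secure_boot_enabled(var_path=SECURE_BOOT_VAR):
    """efivarfs files hold 4 attribute bytes, then the data (1 = enabled)."""
    try:
        with open(var_path, "rb") as f:
            raw = f.read()
    except OSError:
        return False  # no UEFI, or the variable is absent
    return len(raw) >= 5 and raw[4] == 1

def pe_signature_size(data):
    """Size of the PE certificate table in bytes; 0 means unsigned."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE image")
    try:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe_off + 24                    # optional header follows COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]   # PE32 / PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= 4:
            return 0                         # no certificate-table entry at all
        _file_off, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    except (struct.error, KeyError) as exc:
        raise ValueError("truncated or unknown PE header") from exc
    return size

def should_update(source_efi, var_path=SECURE_BOOT_VAR):
    """False when Secure Boot is on and the binary to be installed is unsigned."""
    if not secure_boot_enabled(var_path):
        return True
    with open(source_efi, "rb") as f:
        return pe_signature_size(f.read()) > 0

def make_sample_pe(sig_size):
    """Constructed input: bare PE32+ headers only, not a real boot loader."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + bytes(20)
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, 0x400, sig_size)
    return dos + coff + opt + bytes(dirs)
```

A hook would call `should_update()` on the binary it is about to copy and skip the `bootctl update` step when the result is false.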