Package: grub-common
Version: 2.02+dfsg1-12
Severity: normal
Tags: patch

Dear Maintainer,

When `check_signatures` is set to enforce, grub looks for and verifies detached GPG signatures for the kernels before loading them. These signatures have the extension .sig. When detached signatures are present `update-grub` mistakenly identifies them as kernels and creates invalid menu entries for them.

Expected behaviour:

admin@lpad:~$ sudo update-grub
Generating grub configuration file ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-4.19.0-2-amd64
Found initrd image: /boot/initrd.img-4.19.0-2-amd64
Found linux image: /boot/vmlinuz-4.19.0-1-amd64
Found initrd image: /boot/initrd.img-4.19.0-1-amd64
done

Observed behaviour:

admin@lpad:~$ sudo update-grub
Generating grub configuration file ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-4.19.0-2-amd64.sig
Found initrd image: /boot/initrd.img-4.19.0-2-amd64.sig
Found linux image: /boot/vmlinuz-4.19.0-2-amd64
Found initrd image: /boot/initrd.img-4.19.0-2-amd64
Found linux image: /boot/vmlinuz-4.19.0-1-amd64.sig
Found initrd image: /boot/initrd.img-4.19.0-1-amd64.sig
Found linux image: /boot/vmlinuz-4.19.0-1-amd64
Found initrd image: /boot/initrd.img-4.19.0-1-amd64
done

I've attached a patch to /usr/share/grub-mkconfig_lib that fixes this.

-- Package-specific info:

*********************** BEGIN /proc/mounts
/dev/mapper/matrix-rootvol / ext4 rw,relatime,errors=remount-ro 0 0
/dev/mapper/matrix-homevol /home ext4 rw,relatime 0 0
/dev/sda2 /boot ext4 rw,relatime 0 0
/dev/mapper/matrix-optvol /opt ext4 rw,relatime 0 0
*********************** END /proc/mounts

*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
if [ "${next_entry}" ] ; then
  set default="${next_entry}"
  set next_entry=
  save_env next_entry
  set boot_once=true
else
  set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
  font=unicode
else
  insmod part_msdos
  insmod ext2
  set root='hd0,msdos2'
  if [ x$feature_platform_search_hint = xy ]; then
    search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
  else
    search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
  fi
  font="/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_GB
  insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
  set timeout=30
else
  if [ x$feature_timeout_style = xy ] ; then
    set timeout_style=menu
    set timeout=5
  # Fallback normal timeout code in case the timeout_style feature is
  # unavailable.
  else
    set timeout=5
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
insmod part_msdos
insmod ext2
set root='hd0,msdos2'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
else
  search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
fi
insmod png
if background_image /grub/.background_cache.png; then
  set color_normal=white/black
  set color_highlight=black/white
else
  set menu_color_normal=cyan/blue
  set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
  set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
  load_video
  insmod gzio
  if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
  insmod part_msdos
  insmod ext2
  set root='hd0,msdos2'
  if [ x$feature_platform_search_hint = xy ]; then
    search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
  else
    search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
  fi
  echo 'Loading Linux 4.19.0-2-amd64 ...'
  linux /vmlinuz-4.19.0-2-amd64 root=/dev/mapper/matrix-rootvol ro intremap=off quiet
  echo 'Loading initial ramdisk ...'
  initrd /initrd.img-4.19.0-2-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
  menuentry 'Debian GNU/Linux, with Linux 4.19.0-2-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-2-amd64-advanced-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
    load_video
    insmod gzio
    if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
    insmod part_msdos
    insmod ext2
    set root='hd0,msdos2'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
    else
      search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
    fi
    echo 'Loading Linux 4.19.0-2-amd64 ...'
    linux /vmlinuz-4.19.0-2-amd64 root=/dev/mapper/matrix-rootvol ro intremap=off quiet
    echo 'Loading initial ramdisk ...'
    initrd /initrd.img-4.19.0-2-amd64
  }
  menuentry 'Debian GNU/Linux, with Linux 4.19.0-2-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-2-amd64-recovery-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
    load_video
    insmod gzio
    if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
    insmod part_msdos
    insmod ext2
    set root='hd0,msdos2'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
    else
      search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
    fi
    echo 'Loading Linux 4.19.0-2-amd64 ...'
    linux /vmlinuz-4.19.0-2-amd64 root=/dev/mapper/matrix-rootvol ro single
    echo 'Loading initial ramdisk ...'
    initrd /initrd.img-4.19.0-2-amd64
  }
  menuentry 'Debian GNU/Linux, with Linux 4.19.0-1-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-1-amd64-advanced-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
    load_video
    insmod gzio
    if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
    insmod part_msdos
    insmod ext2
    set root='hd0,msdos2'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
    else
      search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
    fi
    echo 'Loading Linux 4.19.0-1-amd64 ...'
    linux /vmlinuz-4.19.0-1-amd64 root=/dev/mapper/matrix-rootvol ro intremap=off quiet
    echo 'Loading initial ramdisk ...'
    initrd /initrd.img-4.19.0-1-amd64
  }
  menuentry 'Debian GNU/Linux, with Linux 4.19.0-1-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-1-amd64-recovery-02a861cb-d2c1-4358-8132-8dedd88fb6d0' {
    load_video
    insmod gzio
    if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
    insmod part_msdos
    insmod ext2
    set root='hd0,msdos2'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2 c25115c2-53f1-4eba-a73e-48c932fa7168
    else
      search --no-floppy --fs-uuid --set=root c25115c2-53f1-4eba-a73e-48c932fa7168
    fi
    echo 'Loading Linux 4.19.0-1-amd64 ...'
    linux /vmlinuz-4.19.0-1-amd64 root=/dev/mapper/matrix-rootvol ro single
    echo 'Loading initial ramdisk ...'
    initrd /initrd.img-4.19.0-1-amd64
  }
}
### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
*********************** END /boot/grub/grub.cfg

*********************** BEGIN /proc/mdstat
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
unused devices: <none>
*********************** END /proc/mdstat

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (10, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages grub-common depends on:
ii  gettext-base         0.19.8.1-9
ii  libc6                2.28-7
ii  libdevmapper1.02.1   2:1.02.155-2
ii  libfreetype6         2.9.1-3
ii  libfuse2             2.9.9-1
ii  liblzma5             5.2.4-1

Versions of packages grub-common recommends:
ii  os-prober  1.77

Versions of packages grub-common suggests:
ii  console-setup  1.188
ii  desktop-base   10.0.0
pn  grub-emu       <none>
pn  multiboot-doc  <none>
pn  xorriso        <none>

-- no debconf information

--- grub-mkconfig_lib.orig 2019-03-01 12:34:45.000000000 +0000 +++ grub-mkconfig_lib 2019-03-02 16:04:26.870791616 +0000 @@ -212,6 +212,7 @@ *.dpkg-*) return 1 ;; # debian dpkg *.rpmsave|*.rpmnew) return 1 ;; README*|*/README*) return 1 ;; # documentation + *.sig) return 1 ;; # GPG detached signature esac else return 1
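
Review bot: the file headers (`--- grub-mkconfig_lib.orig` / `+++ grub-mkconfig_lib`) carry no directory component, so the diff was taken against the installed copy and will not apply with -p1 to the package source; please regenerate it from the source tree. On the added arm itself, `*.sig) return 1 ;;` matches by suffix only, in line with the `*.dpkg-*` and `*.rpmsave|*.rpmnew` arms above it, so an image whose own name ends in .sig is skipped as well; that is acceptable here, but worth stating in the changelog entry.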
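
A check for the symptom this report describes, as an added example that is not part of the original report or of GRUB: it scans a grub.cfg for `linux`/`initrd` lines that load a `.sig` file, and for images that have no detached signature beside them. The function names, the finding labels and the sample files are constructed for illustration; it assumes the paths in grub.cfg are relative to the directory given as the second argument (as on this system, where /boot is its own partition) and looks only at the first path on each line.

```sh
#!/bin/sh
# audit_grub_cfg CFG BOOTDIR prints one finding per line:
#   SIG_AS_IMAGE <path>  a linux/initrd line loads a *.sig file (the bug here)
#   MISSING_SIG  <path>  the image has no detached <path>.sig next to it
# Hypothetical helper written for this example, not a GRUB tool.
audit_grub_cfg() {
    cfg=$1
    bootdir=$2
    # Take the first argument of every "linux" and "initrd" command,
    # de-duplicated, since each image appears in several menu entries.
    awk '$1 == "linux" || $1 == "initrd" { print $2 }' "$cfg" |
    LC_ALL=C sort -u |
    while IFS= read -r path; do
        case "$path" in
            *.sig) echo "SIG_AS_IMAGE $path" ;;
            *)     [ -f "$bootdir$path.sig" ] || echo "MISSING_SIG $path" ;;
        esac
    done
}

# Constructed sample: empty stand-in files and a two-entry grub.cfg, one
# entry showing the broken output and one showing the expected output.
demo() {
    d=$(mktemp -d)
    touch "$d/vmlinuz-4.19.0-2-amd64" "$d/vmlinuz-4.19.0-2-amd64.sig" \
          "$d/initrd.img-4.19.0-2-amd64"
    cat > "$d/grub.cfg" <<'EOF'
menuentry 'constructed: signature treated as kernel' {
    echo 'Loading Linux 4.19.0-2-amd64.sig ...'
    linux /vmlinuz-4.19.0-2-amd64.sig root=/dev/mapper/matrix-rootvol ro
    initrd /initrd.img-4.19.0-2-amd64.sig
}
menuentry 'constructed: expected entry' {
    linux /vmlinuz-4.19.0-2-amd64 root=/dev/mapper/matrix-rootvol ro
    initrd /initrd.img-4.19.0-2-amd64
}
EOF
    audit_grub_cfg "$d/grub.cfg" "$d"
    rm -rf "$d"
}

demo
```

On a real system the call would be `audit_grub_cfg /boot/grub/grub.cfg /boot`; an empty result means no signature file is referenced as an image and every referenced image has a `.sig` beside it.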