Package: shim-signed
Version: 1.47+15.8-1
Severity: important
Tags: patch

Dear Maintainer,

When upgrading from 1.47+15.8-1 to 1.48+16.1-2, the preinst script fails
with "No valid UEFI Secure Boot signatures found, UEFI Secure Boot is
enabled on your system" even though Secure Boot is actually disabled.

Root cause: mokutil --sb-state returns two lines on this system:
```
$ mokutil --sb-state
> SecureBoot disabled
> Platform is in Setup Mode
```

The preinst script's case statement does an exact string match on
"SecureBoot disabled", but since $SB_STATE contains a newline, the match
fails. The script then falls through to DB signature checking, but
mokutil --db returns empty in Setup Mode, causing a false positive
error.

Fix: sanitize SB_STATE to only the first line before matching.

Patch:
--- a/preinst
+++ b/preinst
@@ -39,6 +39,7 @@ case "$type" in
else
# Check that we can safely boot this shim.
SB_STATE=$(mokutil --sb-state 2>&1 || true)
+ SB_STATE=$(echo "$SB_STATE" | head -1)
# If SB is not enabled (etc.) then this shim is fine
case $SB_STATE in
"SecureBoot disabled"|"This system doesn't support Secure
Boot")
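Review bot: on the added line `SB_STATE=$(echo "$SB_STATE" | head -1)`, keeping only the first line assumes the state string is always the first thing captured, but the assignment just above merges stderr into the value with `2>&1`, so any diagnostic printed ahead of the state would become the first line and the `case` would miss again in the same way. Consider testing each line of the captured output against the known states rather than truncating it. Smaller points: `head -n 1` is the portable spelling, `printf '%s\n' "$SB_STATE"` avoids `echo` interpreting backslashes under dash, and the context line `"SecureBoot disabled"|"This system doesn't support Secure` is wrapped across two lines and the indentation is gone, so the patch will not apply as mailed; attaching it as a file would avoid that.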
-- System Information:
Debian Release: forky/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 7.0.7+deb14-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages shim-signed depends on:
ii grub-efi-amd64-bin 2.14-2
ii grub2-common 2.14-2
ii shim-helpers-amd64-signed 1+16.1+2
ii shim-signed-common 1.48+16.1-2
shim-signed recommends no packages.
shim-signed suggests no packages.
-- debconf information:
shim-signed/revoked-sig:
* shim-signed/no-valid-sigs:
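
The matching failure described in the report, as an added example that is not part of the original report or of the shim-signed preinst: it compares the whole-string `case` match, the first-line approach from the patch, and a line-by-line match. The function names and the sample outputs are constructed for illustration; `WARN_FIRST` is a hypothetical case where a diagnostic line precedes the state line.

```shell
#!/bin/sh
# Added example; not the shim-signed preinst. All sample outputs are constructed.

# Whole-string match, as in the case statement quoted in the patch context.
exact_match() {
    case $1 in
        "SecureBoot disabled"|"This system doesn't support Secure Boot")
            echo skip ;;   # shim is fine, no signature check needed
        *)
            echo check ;;  # fall through to the DB signature check
    esac
}

# The patch's approach: keep only the first line, then match exactly.
first_line_match() {
    exact_match "$(printf '%s\n' "$1" | head -n 1)"
}

# Line-by-line match: any line equal to a known state is enough.
linewise_match() {
    result=check
    while IFS= read -r line; do
        case $line in
            "SecureBoot disabled"|"This system doesn't support Secure Boot")
                result=skip ;;
        esac
    done <<EOF
$1
EOF
    echo "$result"
}

NL='
'
ONE_LINE="SecureBoot disabled"
SETUP_MODE="SecureBoot disabled${NL}Platform is in Setup Mode"      # from the report
WARN_FIRST="constructed diagnostic line${NL}SecureBoot disabled"    # hypothetical
ENABLED="SecureBoot enabled"

for sample in "$ONE_LINE" "$SETUP_MODE" "$WARN_FIRST" "$ENABLED"; do
    printf 'exact=%s first_line=%s linewise=%s\n' \
        "$(exact_match "$sample")" \
        "$(first_line_match "$sample")" \
        "$(linewise_match "$sample")"
done
```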