Verified shim-signed 1.27~16.10.1 on yakkety:

Processing triggers for systemd (231-9ubuntu3) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up grub-efi-amd64-bin (2.02~beta2-36ubuntu11.2) ...
Setting up grub2-common (2.02~beta2-36ubuntu11.2) ...
Setting up shim-signed (1.27~16.10.1+0.9+1474479173.6c180c6-1ubuntu1) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Running in non-interactive mode, doing nothing.
dpkg: error processing package shim-signed (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 shim-signed
E:Sub-process /usr/bin/dpkg returned an error code (1)
Exception happened during upgrade.
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 410, in cache_commit
    res = cache.commit(install_progress=iprogress)
  File "/usr/lib/python3/dist-packages/apt/cache.py", line 529, in commit
    raise SystemError("installArchives() failed")
SystemError: installArchives() failed
Installing the upgrades failed!
error message: 'installArchives() failed'
dpkg returned a error! See 
'/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' for details
InstCount=0 DelCount=0 BrokenCount=0
Extracting content from 
'/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since '2017-03-31 
11:51:24'

This failure is the expected result of unattended upgrades where shim-
signed needs to apply a policy change (or prompt the user for one).
Unattended Secure Boot policy changes are not possible as a password is
required that will be entered on reboot.

** Description changed:

  [Impact]
  Any user with unattended upgrades enabled and DKMS packages in a Secure Boot 
environment might be prompted to change Secure Boot policy, which will fail and 
crash in unattended-upgrades.
  
  [Test case]
- 1) Install new package
- 2) Create /var/lib/dkms/TEST-DKMS
- 3) Reboot triggering unattended-upgrades:
- <process TBD>
+ = unattended upgrade =
+ 1) Create /var/lib/dkms/TEST-DKMS
+ 2) Install new package
+ 3) Trigger unattended-upgrades: unattended-upgrades -d
  
- Upgrade should run smoothly and complete without issue (see original
- description).
+ Upgrade should run smoothly for all the processing but fail to complete;
+ shim-signed should end the unattended upgrade with a error as unattended
+ change of the Secure Boot policy can not be done. Upgrade should not
+ hang in high CPU usage.
+ 
+ = standard upgrade =
+ 1) Create /var/lib/dkms/TEST-DKMS
+ 2) install new package.
+ 3) Verify that the upgrade completes normally. 
+ 
  
  [Regression Potential]
- Any failure to prompt for or change Secure Boot policy in mokutil (crashes of 
update-secureboot-policy, higher CPU usage, etc.) would constitute a regression 
of this SRU.
+ Any failure to prompt for or change Secure Boot policy in mokutil while in an 
*attended* upgrade scenario would constitute a regression of this SRU.
  
  Any other issues related to booting in Secure Boot mode should instead
  be directed to bug 1637290 (shim update).
  
  ---
  
  Currently, unattended-upgrades will automatically install all updates
  for those running development releases of Ubuntu (LP: #1649709)
  
  Today, my computer was acting very sluggish. Looking at my process list,
  I saw/ usr/sbin/update-secureboot-policy was using a log of CPU.
  
  I killed the process. I have a /var/crash/shim-signed.0.crash but since
  it's 750 MB, I didn't bother submitting it or looking at it more. Maybe
  it crashed because I killed the process. Also, I see that unattended-
  upgrades-dpkg.log is 722 MB.
  
  Today's update included both VirtualBox and the linux kernel.
  
  I am attaching an excerpt of /var/log/unattended-upgrades/unattended-
  upgrades-dpkg.log
  
  This message was repeated a very large number of times (but I only
  included it once in the attachment:
  
  "Invalid password
  
  The Secure Boot key you've entered is not valid. The password used must be
  between 8 and 16 characters."
  
  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1
  ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1
  Uname: Linux 4.10.0-11-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.4-0ubuntu2
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Fri Mar 17 11:15:04 2017
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2017-02-23 (21 days ago)
  InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219)
  SourcePackage: shim-signed
  UpgradeStatus: No upgrade log present (probably fresh install)

** Tags added: verification-done-yakkety

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1673817

Title:
  update-secure-boot-policy behaving badly with unattended-upgrades

Status in shim-signed package in Ubuntu:
  Fix Released
Status in unattended-upgrades package in Ubuntu:
  Invalid
Status in shim-signed source package in Trusty:
  New
Status in unattended-upgrades source package in Trusty:
  New
Status in shim-signed source package in Xenial:
  Fix Committed
Status in unattended-upgrades source package in Xenial:
  New
Status in shim-signed source package in Yakkety:
  Fix Committed
Status in unattended-upgrades source package in Yakkety:
  New

Bug description:
  [Impact]
  Any user with unattended upgrades enabled and DKMS packages in a Secure Boot 
environment might be prompted to change Secure Boot policy, which will fail and 
crash in unattended-upgrades.

  [Test case]
  = unattended upgrade =
  1) Create /var/lib/dkms/TEST-DKMS
  2) Install new package
  3) Trigger unattended-upgrades: unattended-upgrades -d

  Upgrade should run smoothly for all the processing but fail to
  complete; shim-signed should end the unattended upgrade with a error
  as unattended change of the Secure Boot policy can not be done.
  Upgrade should not hang in high CPU usage.

  = standard upgrade =
  1) Create /var/lib/dkms/TEST-DKMS
  2) install new package.
  3) Verify that the upgrade completes normally. 

  
  [Regression Potential]
  Any failure to prompt for or change Secure Boot policy in mokutil while in an 
*attended* upgrade scenario would constitute a regression of this SRU.

  Any other issues related to booting in Secure Boot mode should instead
  be directed to bug 1637290 (shim update).

  ---

  Currently, unattended-upgrades will automatically install all updates
  for those running development releases of Ubuntu (LP: #1649709)

  Today, my computer was acting very sluggish. Looking at my process
  list, I saw/ usr/sbin/update-secureboot-policy was using a log of CPU.

  I killed the process. I have a /var/crash/shim-signed.0.crash but
  since it's 750 MB, I didn't bother submitting it or looking at it
  more. Maybe it crashed because I killed the process. Also, I see that
  unattended-upgrades-dpkg.log is 722 MB.

  Today's update included both VirtualBox and the linux kernel.

  I am attaching an excerpt of /var/log/unattended-upgrades/unattended-
  upgrades-dpkg.log

  This message was repeated a very large number of times (but I only
  included it once in the attachment:

  "Invalid password

  The Secure Boot key you've entered is not valid. The password used must be
  between 8 and 16 characters."

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1
  ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1
  Uname: Linux 4.10.0-11-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.4-0ubuntu2
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Fri Mar 17 11:15:04 2017
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2017-02-23 (21 days ago)
  InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219)
  SourcePackage: shim-signed
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to