2022v1 resigning

Bug #2003365 reported by Julian Andres Klode
Affects                 Status         Importance   Assigned to   Milestone
fwupd-efi (Ubuntu)      Fix Released   Undecided    Unassigned
  Bionic                Triaged        Undecided    Unassigned
  Focal                 Fix Released   Undecided    Unassigned
  Jammy                 Fix Released   Undecided    Unassigned
  Kinetic               Fix Released   Undecided    Unassigned
  Lunar                 Fix Released   Undecided    Unassigned
fwupd-signed (Ubuntu)   Fix Released   Undecided    Unassigned
  Bionic                Fix Released   Undecided    Unassigned
  Focal                 Fix Released   Undecided    Unassigned
  Jammy                 Fix Released   Undecided    Unassigned
  Kinetic               Fix Released   Undecided    Unassigned
  Lunar                 Fix Released   Undecided    Unassigned

Bug Description

[Impact]
Resign with new 2022v1 key, as the old key is revoked in shim 15.7-0ubuntu1.

[Test plan]
Check that fwupd.efi can be started from old and new shim.

[Where problems could occur]
We're building one signed binary for stable releases in kinetic now and copying it back. We last built it in jammy; there may be toolchain-related regressions.

[Other info]
We have backported 1.51 wholesale. This matters mostly for focal as it had different version numbers so far, but the content was otherwise identical to 1.42.

This makes it clear that 1.51 is the version signed with the new key and where it is available, and saves a lot of time vs changing changelogs to incorporate separate focal history in those ~20 uploads we do for the rotation.

fwupd-efi was built in kinetic in the ppa:ubuntu-uefi-team/ppa and then signed with the 2022v1 signing key, copied to ppa:ubuntu-uefi-team/proposed and then copied (--unembargo) into ppa:ubuntu-uefi-team/proposed-step before being copied to the main queues. The final proposed-public should allow sensible SRU review.

description: updated
Changed in fwupd-signed (Ubuntu Bionic):
status: New → In Progress
Changed in fwupd-signed (Ubuntu Focal):
status: New → In Progress
Changed in fwupd-signed (Ubuntu Jammy):
status: New → Incomplete
status: Incomplete → In Progress
Changed in fwupd-signed (Ubuntu Kinetic):
status: New → In Progress
Changed in fwupd-signed (Ubuntu Lunar):
status: New → Fix Committed
Julian Andres Klode (juliank) wrote :

SRU verification (the SRUs are binary copies, so verification will remain valid once it lands in proposed).

I have downloaded the fwupd-signed from the signing PPA as well as proposed new shim and old shim for all releases:

Downloads/fwupd-signed_1.51_20.04.1+1.2-3ubuntu0.2_amd64.deb
Downloads/fwupd-signed_1.51_20.04.1+1.2-3ubuntu0.2_arm64.deb
Downloads/fwupd-signed_1.51_22.04.1+1.2-3ubuntu0.2_amd64.deb
Downloads/fwupd-signed_1.51_22.04.1+1.2-3ubuntu0.2_arm64.deb
Downloads/fwupd-signed_1.51_22.10.1+1.2-3ubuntu0.2_amd64.deb
Downloads/fwupd-signed_1.51_22.10.1+1.2-3ubuntu0.2_arm64.deb
Downloads/shim-signed_1.52_ppa7+15.7-0ubuntu1_amd64.deb
Downloads/shim-signed_1.52_ppa7+15.7-0ubuntu1_arm64.deb

I extracted the debs into a directory, renamed the files around a bit for easy testing, and then
I spawned VMs for both amd64 and arm64 and for each release ran

fwupdx64.efi.signed # this failed because not loaded by shim (showing secure boot works)
shimx64.efi.signed.latest fwupdx64.efi.signed
shimx64.efi.signed.previous fwupdx64.efi.signed

from the EFI shell. This always worked fine; the fwupd loaded successfully.

Here are some example runs from arm64; the serial console output in qemu is a bit garbled, so it's not all of it.

FS0:\> shimaa64.efi.signed.latest fwupd-arm64-focal.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-focal.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-focal.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-jammy.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-kinetic.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.latest fwupd-arm64-kinetic.efi
WARNING: No updates to process, exiting in 10 seconds.
start_ishimaa64.efi.signed.latest fwupd-arm64-jammy.efi default loader
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found

tags: added: verification-done verification-done-focal verification-done-jammy verification-done-kinetic
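
The arm64 transcript in the comment above can be checked mechanically to confirm that every shim/release pair was actually exercised, even where the serial console garbled a prompt. This is an added example, not part of the bug report or of Ubuntu's tooling; the function names are hypothetical, and it assumes the `No updates to process` banner is printed by the fwupd EFI binary, so its presence means shim started the image.

```python
import re
from itertools import product

# Output that followed each clean run in the comment's arm64 transcript.
OUTPUT = (
    "WARNING: No updates to process, exiting in 10 seconds.\n"
    "start_image() returned Invalid Parameter, falling back to default loader\n"
    "Failed to open \\grubaa64.efi - Not Found\n"
)
# (shim variant, release) of the cleanly logged runs, in the order posted.
CLEAN = [("latest", "focal"), ("previous", "focal"), ("previous", "focal"),
         ("previous", "jammy"), ("previous", "kinetic")]
# Transcript rebuilt from the comment; the last block keeps the garbled line verbatim.
TRANSCRIPT = "".join(
    f"FS0:\\> shimaa64.efi.signed.{s} fwupd-arm64-{r}.efi\n{OUTPUT}" for s, r in CLEAN
) + (
    "FS0:\\> shimaa64.efi.signed.latest fwupd-arm64-kinetic.efi\n"
    "WARNING: No updates to process, exiting in 10 seconds.\n"
    "start_ishimaa64.efi.signed.latest fwupd-arm64-jammy.efi default loader\n"
    + OUTPUT
)

# Match the invocation anywhere in a line so a prompt swallowed by console
# garbling is still recognised as the start of a new run.
CMD = re.compile(
    r"shim(?:x64|aa64)\.efi\.signed\.(latest|previous)\s+fwupd-\w+-(\w+)\.efi"
)
STARTED = "No updates to process"  # assumption: banner comes from fwupd itself


def parse_runs(transcript):
    """Return (shim, release, started, garbled) for each shim invocation."""
    runs = []
    for line in transcript.splitlines():
        m = CMD.search(line)
        if m:
            garbled = not line.startswith("FS0:\\>")
            runs.append([m.group(1), m.group(2), False, garbled])
        elif runs and STARTED in line:
            runs[-1][2] = True  # fwupd banner seen after this invocation
    return [tuple(r) for r in runs]


def coverage_gaps(runs, releases=("focal", "jammy", "kinetic"),
                  shims=("latest", "previous")):
    """Return the (shim, release) pairs with no run where fwupd started."""
    verified = {(s, r) for s, r, started, _ in runs if started}
    return sorted(set(product(shims, releases)) - verified)


if __name__ == "__main__":
    runs = parse_runs(TRANSCRIPT)
    for shim, release, started, garbled in runs:
        note = " (recovered from garbled line)" if garbled else ""
        state = "started" if started else "no banner seen"
        print(f"{shim:9} {release:8} {state}{note}")
    print("missing pairs:", coverage_gaps(runs) or "none")
```

A pair is only counted as verified when the banner follows its invocation, so a run whose output was lost entirely shows up as a gap rather than as a pass.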
Julian Andres Klode (juliank) wrote :

Ah yes, I also upgraded the firmware on my T14 G3 using the kinetic boot stack so we also have end-to-end-verification that the binary is behaving correctly aside from it being properly signed :)

Steve Langasek (vorlon) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted fwupd-efi into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-efi/1:1.2-3ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-efi (Ubuntu Kinetic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-kinetic
removed: verification-done verification-done-kinetic
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-signed into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.51~22.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Kinetic):
status: In Progress → Fix Committed
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-efi into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-efi/1:1.2-3ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-efi (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed-jammy
removed: verification-done-jammy
Changed in fwupd-signed (Ubuntu Jammy):
status: In Progress → Fix Committed
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-signed into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.51~22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-efi into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-efi/1:1.2-3ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-efi (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
removed: verification-done-focal
Changed in fwupd-signed (Ubuntu Focal):
status: In Progress → Fix Committed
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.51~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Julian Andres Klode (juliank) wrote :

Remarking verification-done as per #1

SRU verification (the SRUs are binary copies, so verification will remain valid once it lands in proposed).

tags: added: verification-done verification-done-focal verification-done-jammy verification-done-kinetic
removed: verification-needed verification-needed-focal verification-needed-jammy verification-needed-kinetic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.51

---------------
fwupd-signed (1.51) lunar; urgency=medium

  * Remove i386 and armhf from the architecture list
  * Check that we are signing the correct version of fwupd and it is not revoked

fwupd-signed (1.48) lunar; urgency=medium

  [ Julian Andres Klode ]
  * Rebuild for 2022v1 resigning (LP: #2003365)

  [ Andy Whitcroft ]
  * Fix signing artifact download when faced with an authenticated archive
    pool. Switch to using common download-signed from grub2/kernel.

 -- Julian Andres Klode <email address hidden> Thu, 26 Jan 2023 16:52:24 +0100

Changed in fwupd-signed (Ubuntu Lunar):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-efi - 1:1.2-3ubuntu0.2

---------------
fwupd-efi (1:1.2-3ubuntu0.2) kinetic; urgency=medium

  * No-change rebuild for 2022v1 resigning (LP: #2003365)

 -- Julian Andres Klode <email address hidden> Thu, 19 Jan 2023 18:00:56 +0100

Changed in fwupd-efi (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.51~22.10.1

---------------
fwupd-signed (1.51~22.10.1) kinetic; urgency=medium

  * Remove i386 and armhf from the architecture list
  * Check that we are signing the correct version of fwupd and it is not revoked

fwupd-signed (1.48) lunar; urgency=medium

  [ Julian Andres Klode ]
  * Rebuild for 2022v1 resigning (LP: #2003365)

  [ Andy Whitcroft ]
  * Fix signing artifact download when faced with an authenticated archive
    pool. Switch to using common download-signed from grub2/kernel.

 -- Julian Andres Klode <email address hidden> Thu, 26 Jan 2023 16:52:24 +0100

Changed in fwupd-signed (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for fwupd-efi has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-efi - 1:1.2-3ubuntu0.2

---------------
fwupd-efi (1:1.2-3ubuntu0.2) kinetic; urgency=medium

  * No-change rebuild for 2022v1 resigning (LP: #2003365)

 -- Julian Andres Klode <email address hidden> Thu, 19 Jan 2023 18:00:56 +0100

Changed in fwupd-efi (Ubuntu Jammy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.51~22.04.1

---------------
fwupd-signed (1.51~22.04.1) jammy; urgency=medium

  * Remove i386 and armhf from the architecture list
  * Check that we are signing the correct version of fwupd and it is not revoked

fwupd-signed (1.48) lunar; urgency=medium

  [ Julian Andres Klode ]
  * Rebuild for 2022v1 resigning (LP: #2003365)

  [ Andy Whitcroft ]
  * Fix signing artifact download when faced with an authenticated archive
    pool. Switch to using common download-signed from grub2/kernel.

 -- Julian Andres Klode <email address hidden> Thu, 26 Jan 2023 16:52:24 +0100

Changed in fwupd-signed (Ubuntu Jammy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-efi - 1:1.2-3ubuntu0.2

---------------
fwupd-efi (1:1.2-3ubuntu0.2) kinetic; urgency=medium

  * No-change rebuild for 2022v1 resigning (LP: #2003365)

 -- Julian Andres Klode <email address hidden> Thu, 19 Jan 2023 18:00:56 +0100

Changed in fwupd-efi (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.51~20.04.1

---------------
fwupd-signed (1.51~20.04.1) focal; urgency=medium

  * Remove i386 and armhf from the architecture list
  * Check that we are signing the correct version of fwupd and it is not revoked

fwupd-signed (1.48) lunar; urgency=medium

  [ Julian Andres Klode ]
  * Rebuild for 2022v1 resigning (LP: #2003365)

  [ Andy Whitcroft ]
  * Fix signing artifact download when faced with an authenticated archive
    pool. Switch to using common download-signed from grub2/kernel.

fwupd-signed (1.44) jammy; urgency=medium

  * Built-Using must reference the source package, not binary packages.
  * Manually include the epoch in the version number for Built-Using,
    since for some reason this is not included in the version file published
    for the EFI binaries.

 -- Julian Andres Klode <email address hidden> Thu, 26 Jan 2023 16:52:24 +0100

Changed in fwupd-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Jeremy Bícha (jbicha)
Changed in fwupd-efi (Ubuntu Lunar):
status: New → Fix Released
no longer affects: fwupd (Ubuntu Focal)
no longer affects: fwupd (Ubuntu Jammy)
no longer affects: fwupd (Ubuntu Kinetic)
no longer affects: fwupd (Ubuntu Lunar)
Changed in fwupd-signed (Ubuntu Bionic):
status: In Progress → Triaged
Changed in fwupd-efi (Ubuntu Bionic):
status: New → Triaged
Changed in fwupd (Ubuntu Bionic):
status: New → Triaged
no longer affects: fwupd (Ubuntu)
no longer affects: fwupd (Ubuntu Bionic)
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted fwupd-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.51.1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-bionic
removed: verification-done
Julian Andres Klode (juliank) wrote :

I have checked that fwupd-signed 1.51.1~18.04.1 successfully starts with both old and new shim.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.51.1~18.04.1

---------------
fwupd-signed (1.51.1~18.04.1) bionic; urgency=medium

  * Rebuild against fwupd-efi 1:1.4-0ubuntu0.1 (LP: #2011808)
  * Install binaries to /usr/lib/fwupd on bionic for compatibility with
    fwupd 1.2.

fwupd-signed (1.51) lunar; urgency=medium

  * Remove i386 and armhf from the architecture list
  * Check that we are signing the correct version of fwupd and it is not revoked

fwupd-signed (1.48) lunar; urgency=medium

  [ Julian Andres Klode ]
  * Rebuild for 2022v1 resigning (LP: #2003365)

  [ Andy Whitcroft ]
  * Fix signing artifact download when faced with an authenticated archive
    pool. Switch to using common download-signed from grub2/kernel.

fwupd-signed (1.44) jammy; urgency=medium

  * Built-Using must reference the source package, not binary packages.
  * Manually include the epoch in the version number for Built-Using,
    since for some reason this is not included in the version file published
    for the EFI binaries.

fwupd-signed (1.43) jammy; urgency=medium

  * remove fwupd-unsigned from Recommends of fwupd-signed deb. (LP: #1960783)

fwupd-signed (1.42) jammy; urgency=medium

  * Adjust dependency requirements. Since the package is decoupled from
    fwupd now, the version it needs to depend on doesn't need to match
    the package version.

fwupd-signed (1.41) jammy; urgency=medium

  * Build depends on fwupd-unsigned 1:1.1-3 (LP: #1955386)
  * Adjust download script to download candidate version instead of from
    "current" symlink

 -- Julian Andres Klode <email address hidden> Tue, 07 Mar 2023 13:32:57 +0100

Changed in fwupd-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released