On Sun, 2022-09-25 at 13:05 -0700, Ansgar wrote: > On Sun, 2022-09-25 at 11:17 -0700, John Darrah wrote: > > I'm tracking testing and with my most recent update I started > > getting > > the nag to update the Secure Boot dbx. When I click the graphical > > 'update' button it appears to update something, but the update > > button > > remains as if nothing changed. > > Some firmware updates, including DBX updates, are distributed via a > different service than apt: fwupd. The fwupdmgr program provides a > command-line interface; the most helpful commands are probably > "fwupdmgr get-updates" (get list of updates, i.e., equivalent to "apt > update"), "fwupdmgr update" (install updates) and "fwupdmgr get- > history" (history of installed firmware updates). > > The system logs might also show what the graphical update tries to > install or why it might fail. > > > I'm posting here because I don't know if this is a bug or what > > facility I would even file a bug report against. > > If the graphical interface (which one?) doesn't manage to > successfully > install the update or still offers the update even though it was > installed, then that is probably a bug. > > Ansgar >
The graphical interface is the Gnome Software facility, fyi. Per your suggestion I looked at fwupdmgr get-history and see the following: Update Error: Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum [2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is present in dbx The kernel reports the secure boot is disabled, btw. I guess I'm now wondering if it will update if I'm not using secureboot. If this is the case, maybe it should check if secureboot is enabled before offering the update. Thanks -- john
