Ok, a key point here is that your dbx includes Microsoft's recent revocations of older grub versions; and an examination of the daily image shows that it's currently using an old grub signed with the old key instead of the current grub:
$ sudo kpartx -a ~/devel/iso/groovy-desktop-amd64.iso
$ sudo mount /dev/mapper/loop8p2 /mnt
$ sbattach -d /tmp/grub.sig /mnt/efi/boot/grubx64.efi
$ openssl pkcs7 -noout -inform DER -in /tmp/grub.sig -print_certs
subject=C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing
issuer=C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
$ sudo umount /mnt
$ sudo kpartx -d ~/devel/iso/groovy-desktop-amd64.iso
$

This is not a bug in grub but in the construction of the daily images, which apparently do not automatically track the current grub.

** Package changed: grub2 (Ubuntu) => cd-boot-images-amd64 (Ubuntu)

** Changed in: cd-boot-images-amd64 (Ubuntu)
       Status: Incomplete => Triaged

** Changed in: cd-boot-images-amd64 (Ubuntu)
       Status: Triaged => Fix Committed

** Changed in: cd-boot-images-amd64 (Ubuntu)
   Importance: Undecided => High

** Changed in: cd-boot-images-amd64 (Ubuntu)
     Assignee: (unassigned) => Steve Langasek (vorlon)

--
https://bugs.launchpad.net/bugs/1892754

Title:
  Unable to boot in UEFI+secure boot mode