linux-surface / surface-uefi-firmware

UEFI firmware updates for surface using fwupd. WIP, be careful.

firmware signature missing or not trusted; #23

Open Crashdummyy opened 2 years ago

Crashdummyy commented 2 years ago

I just wanted to install the latest downloadable files from here.

I ended up with these files.

|19:11:54|crashdummy@crashface:[surface-uefi-firmware]> [master ✔] | 0 | 0 | 
 $ ls -1 out/**/*.cab
out/SurfacePro7/SurfacePro7_surfaceme_13.0.1889.2.cab
out/SurfacePro7/SurfacePro7_surfacepd_3.6.1.0.cab
out/SurfacePro7/SurfacePro7_surfacesam_14.418.139.0.cab
out/SurfacePro7/SurfacePro7_surfacetouchfw_3.1.65.139.cab
out/SurfacePro7/SurfacePro7_surfacetpm_7.2.2.0.cab
out/SurfacePro7/SurfacePro7_surfaceuefi_13.101.140.0.cab

I am however not able to install it:

|19:12:21|crashdummy@crashface:[surface-uefi-firmware]> [master ✔] | 0 | 0 | 
 $ ls -1 out/**/*.cab | xargs -I {} sudo fwupdmgr install {}
Decompressing…           [***************************************]
Specified firmware is older than installed '208.7.24834 < 3490068994'
Decompressing…           [***************************************]
Specified firmware is older than installed '3.0.1537 < 50333185'
Decompressing…           [***************************************]
Specified firmware is older than installed '14.1.41611 < 234960523'
Decompressing…           [***************************************]
Specified firmware is older than installed '3.1.16779 < 50413963'
Decompressing…           [***************************************]
No supported devices found
Decompressing…           [***************************************]
Specified firmware is older than installed '13.0.25996 < 151020940'
|19:14:10|crashdummy@crashface:[surface-uefi-firmware]> [master ✔] | 0 | 0 | 
 $ ls -1 out/**/*.cab | xargs -I {} sudo fwupdmgr install --allow-older {}
[sudo] password for crashdummy: 
Decompressing…           [***************************************]
firmware signature missing or not trusted; set OnlyTrusted=false in /etc/fwupd/daemon.conf ONLY if you are a firmware developer
Decompressing…           [***************************************]
firmware signature missing or not trusted; set OnlyTrusted=false in /etc/fwupd/daemon.conf ONLY if you are a firmware developer
Decompressing…           [***************************************]
firmware signature missing or not trusted; set OnlyTrusted=false in /etc/fwupd/daemon.conf ONLY if you are a firmware developer
Decompressing…           [***************************************]
firmware signature missing or not trusted; set OnlyTrusted=false in /etc/fwupd/daemon.conf ONLY if you are a firmware developer
Decompressing…           [***************************************]
No supported devices found
Decompressing…           [***************************************]
firmware signature missing or not trusted; set OnlyTrusted=false in /etc/fwupd/daemon.conf ONLY if you are a firmware developer

Should I really make this setting? The hell is Microsoft doing?

mobedoor commented 2 years ago

Same issue here on Surface Go

nyonson commented 2 years ago

Seeing the same for SL3 intel

Tyler-2 commented 2 years ago

Same on SL4 intel.

SexyDog commented 2 years ago

Same problem on SB2

sparkie3 commented 2 years ago

SP6 has this issue.

mannp commented 2 years ago

Same issue here on Surface Go

Wondered if you managed to solve this? Having the same issue with the Sept '22 updates.

mobedoor commented 2 years ago

@mannp no, unfortunately.

mannp commented 2 years ago

> @mannp no, unfortunately.

Okay, thanks for coming back to me @mobedoor

fotnite-vevo commented 1 year ago

Any updates on this? It seems to still be an issue

StollD commented 1 year ago

First of all, sorry for ignoring this for so long. I was pretty busy, and when I had time again I simply forgot this issue existed.

The error message about the missing signature comes from fwupd; it has nothing to do with the firmware files you are trying to flash. fwupd is designed to install firmware from LVFS, where the cab files are signed. This script doesn't sign them with a trusted key (not that we would have one, so you would need to generate your own), so fwupd refuses to flash them.

The firmware files inside the cab are signed with a Microsoft key and should be checked by the UEFI separately before they are installed. However, this is just me guessing, so keep that in mind. As long as you only flash what is inside the MSI files you should be fine.

Since there doesn't seem to be a command-line option that disables signature verification (except maybe --force?), setting OnlyTrusted=false like it says in the output is what you should do.

Leo1998 commented 1 year ago

I flashed the newest firmware on my Surface Pro 5 without any problems using OnlyTrusted=false. Using only --force did not help. Maybe this should be added to the README?
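
The OnlyTrusted=false setting discussed in this thread is a daemon-wide switch that stays in effect until the file is edited again, so it is worth checking and resetting once the flash is done. The script below is an added example, not part of this repository or of fwupd; the function names are hypothetical, and it assumes the config file is INI-style with a `[fwupd]` section.

```shell
#!/bin/sh
# Added example, not from the repository: audit and restore OnlyTrusted.
# Assumption: the file is INI-style with a [fwupd] section.

# Print true, false, or unset for OnlyTrusted in the [fwupd] section of file $1.
only_trusted_state() {
    awk '
        /^[ \t]*[#;]/ { next }    # ignore commented-out assignments
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[fwupd\][ \t]*$/); next }
        in_sec && /^[ \t]*OnlyTrusted[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            state = tolower(v)
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Set OnlyTrusted back to true in [fwupd] only; every other line is kept.
restore_only_trusted() {
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[fwupd\][ \t]*$/) }
        in_sec && /^[ \t]*OnlyTrusted[ \t]*=/ { print "OnlyTrusted=true"; next }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed file (not a real system config).
demo_conf=$(mktemp)
printf '%s\n' '[fwupd]' '# OnlyTrusted=true' 'OnlyTrusted = false' > "$demo_conf"
echo "before: $(only_trusted_state "$demo_conf")"
restore_only_trusted "$demo_conf"
echo "after:  $(only_trusted_state "$demo_conf")"
rm -f "$demo_conf"
```

To use it on a real system, call the functions as root on the `/etc/fwupd/daemon.conf` path named in the error message, then restart the fwupd service so the daemon rereads the file.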