ublue-os / bluefin

The next generation Linux workstation, designed for reliability, performance, and sustainability.
https://projectbluefin.io
Apache License 2.0

Bad shim signature after updating #1521

Closed archhaze24 closed 1 month ago

archhaze24 commented 1 month ago

Describe the bug

I am using the ostree-unverified-registry:ghcr.io/ublue-os/silverblue-main:latest image, and after updating to 40.20240719.0 I got this when trying to boot my PC:

Screenshot from 2024-07-20 15-57-55

What did you expect to happen?

I expected my system to boot up.

Output of rpm-ostree status

State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot
Deployments:
  ostree-unverified-registry:ghcr.io/ublue-os/silverblue-main:latest
                   Digest: sha256:b9935ec8bea5e0254e906783c0e228fcfb62203777f2dc3b1430d779e59f94fc
                  Version: 40.20240719.0 (2024-07-19T03:12:43Z)
            SecAdvisories: 1 moderate
                     Diff: 10 upgraded
          LayeredPackages: android-tools clang containerd.io corectrl docker-buildx-plugin docker-ce docker-ce-cli docker-compose-plugin
                           firewall-config gcc git realtime-setup waydroid
            LocalPackages: opentabletdriver-0.6.4.0-1.x86_64 veracrypt-1.26.7-1.x86_64 vesktop-1.5.3-1.x86_64
                Initramfs: regenerate

● ostree-unverified-registry:ghcr.io/ublue-os/silverblue-main:latest
                   Digest: sha256:753e92474fb04777fe2bc44199a39d6e4bfe710d3959b5093aadb5f11eb6f8d9
                  Version: 40.20240718.0 (2024-07-18T03:13:11Z)
          LayeredPackages: android-tools clang containerd.io corectrl docker-buildx-plugin docker-ce docker-ce-cli docker-compose-plugin
                           firewall-config gcc git realtime-setup waydroid
            LocalPackages: opentabletdriver-0.6.4.0-1.x86_64 veracrypt-1.26.7-1.x86_64 vesktop-1.5.3-1.x86_64
                Initramfs: regenerate
                   Pinned: yes

Output of groups

archhaze wheel realtime docker pipewire

Extra information or context

I already tried to do this, but it didn't help. I also tried enrolling the secure boot key using ujust; that didn't help either.

m2Giles commented 1 month ago

Please roll back to the previous image. The kernel images that were built yesterday were not signed with our keys and we are waiting for rpm-fusion to unskew.

Additionally, we are signing our images with our keys now since grub does not update on its own. Recently, Fedora rotated keys and your grub does not have the current Fedora key.

m2Giles commented 1 month ago

Clean builds occurred last night. If using our MOK, it will work.

spacimek commented 1 month ago

Still doesn't work for me... (working on Aurora DX) Any specific step to fix that key?

  ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:latest
                   Digest: sha256:aabc22883d235c4e03862c002896f820a391850c65d5a319023589d40d65158b
                  Version: 40.20240721.0 (2024-07-21T19:57:48Z)
                     Diff: 300 upgraded, 8 removed, 13 added

● ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:latest
                   Digest: sha256:37e3ccc5650db96a7f76dbf4e71d679fe6c80cbab6a884308697e6c558318d28
                  Version: 40.20240712.0 (2024-07-12T04:57:14Z)

m2Giles commented 1 month ago

Enroll the secureboot key using ujust enroll-secureboot-key.

spacimek commented 1 month ago

Works now, thanks a lot! Just needed to be careful to use ublue-os as a phrase, otherwise all was smooth.

● ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:latest
                   Digest: sha256:ddae6305aba8d7a2c9ab066b9ea717990107f8b4d2d357249a24473da3791da1
                  Version: 40.20240722.0 (2024-07-22T04:51:43Z)