Error message during upgrade: "Error writing key update: Permission denied"

Bug #1800750 reported by Mike
This bug affects 4 people
Affects: secureboot-db (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

New keys in filesystem:
 /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
Inserting key update /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin into dbx
Error writing key update: Permission denied
Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin

This resulted from invoking "apt update" and "apt upgrade" from the command line (sudo'ed as root). The only package being upgraded was "secureboot-db".

The system is running currently maintained 18.04.1 LTS.

Secureboot is in fact disabled in the EFI.

# apt-cache policy secureboot-db
secureboot-db:
  Installed: 1.4~ubuntu0.18.04.1
  Candidate: 1.4~ubuntu0.18.04.1
  Version table:
 *** 1.4~ubuntu0.18.04.1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: secureboot-db 1.4~ubuntu0.18.04.1
ProcVersionSignature: Ubuntu 4.15.0-38.41-generic 4.15.18
Uname: Linux 4.15.0-38-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
Date: Tue Oct 30 21:04:26 2018
InstallationDate: Installed on 2015-09-06 (1150 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
ProcEnviron:
 LANGUAGE=en_US
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: secureboot-db
UpgradeStatus: Upgraded to bionic on 2018-04-23 (190 days ago)

Mike (mikebw) wrote :
information type: Private Security → Public

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in secureboot-db (Ubuntu):
status: New → Confirmed

Adrian Kalla (adrian-kalla) wrote :

Trying to do sudo dpkg-reconfigure secureboot-db ends with the same error...

Mathieu Trudel-Lapierre (cyphermox) wrote :

Did you modify the allowed Secure Boot certificates in your machine's firmware? What hardware did this error show up on?

Changed in secureboot-db (Ubuntu):
status: Confirmed → Incomplete

Mathieu Trudel-Lapierre (cyphermox) wrote :

Did the upgrade process fail?

If you run 'sudo apt -f install' is any change suggested there?

Adrian Kalla (adrian-kalla) wrote :

> Did the upgrade process fail? If you run 'sudo apt -f install' is any change suggested there?

No.

> Did you modify the allowed Secure Boot certificates in your machine's firmware?

No.

> What hardware did this error show up on?

Lenovo Thinkpad W520 notebook

Rasmus Wriedt Larsen (rasmuswl) wrote :

This also happened to me.

> Did the upgrade process fail?

no

> If you run 'sudo apt -f install' is any change suggested there?

no

> Did you modify the allowed Secure Boot certificates in your machine's firmware?

$ mokutil --sb-state
This system does't support Secure Boot

I could have disabled secure boot altogether to get my dual boot setup to work, I honestly can't remember all the details. But given that I haven't even enabled secure boot, this error seems all the more strange to me.

> What hardware did this error show up on?

MacBookPro 12,1 [Intel Core i7-5557U] (early 2015)

Boggy (kowalczykb) wrote :

And here as well

> Did the upgrade process fail?

no

> If you run 'sudo apt -f install' is any change suggested there?

no

> Did you modify the allowed Secure Boot certificates in your machine's firmware?

$ mokutil --sb-state
This system does't support Secure Boot

product: MacBookPro11,4

Mike (mikebw) wrote :

This is an Asus Q202E laptop.

Package management is normal and stable:

$ sudo apt -f install
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

SecureBoot is disabled by me in the UEFI settings:

$ mokutil --sb-state
SecureBoot disabled

I apparently did add the Canonical certificate at some point:

$ mokutil --list-enrolled --db | egrep '(Issuer|Subject):'
        Issuer: CN=ASUSTeK Notebook SW Key Certificate
        Subject: CN=ASUSTeK Notebook SW Key Certificate
        Issuer: CN=ASUSTeK MotherBoard SW Key Certificate
        Subject: CN=ASUSTeK MotherBoard SW Key Certificate
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority

Launchpad Janitor (janitor) wrote :

[Expired for secureboot-db (Ubuntu) because there has been no activity for 60 days.]

Changed in secureboot-db (Ubuntu):
status: Incomplete → Expired