RAOF | slangasek: You're busy, but at some point I want to pick your brains about why I can't seem to get Ubuntu to secure-boot on this laptop. Just a heads up. | 00:15 |
---|---|---|
slangasek | RAOF: ASUS? | 00:43 |
RAOF | slangasek: System76 | 00:44 |
RAOF | So this is purely opt-in. | 00:44 |
slangasek | hmm! | 00:44 |
slangasek | which keys does System76 ship in KEK? | 00:44 |
slangasek | +db | 00:44 |
RAOF | None; I've added my own. | 00:44 |
slangasek | oh. your own personal keys, or the Canonical key? | 00:44 |
RAOF | Personal key in the PK, personal, Canonical, and MS keys in KEK & DB | 00:45 |
RAOF | Roughly following https://wiki.ubuntu.com/SecurityTeam/SecureBoot and http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/ | 00:46 |
slangasek | and what's the behavior you're seeing? | 00:47 |
RAOF | Windows boots fine, but Ubuntu fails to verify. | 00:47 |
RAOF | sbverify claims that /boot/efi/EFI/ubuntu/grubx64.whatever has a valid signature from the Canonical public key, though. | 00:48 |
slangasek | and you're booting grub directly, or via shim? | 00:52 |
RAOF | Booting to grub directly | 00:53 |
slangasek | well hmm | 00:53 |
slangasek | and you're sure you have the signing key in db, not the CA key? | 00:54 |
RAOF | Hm. I may have the CA key in db. | 00:55 |
slangasek | RAOF: you can dump the var via /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f | 01:00 |
RAOF | Ah, yeah. Got the CA key in there. | 01:05 |
RAOF | I need the signing key instead, I take it? | 01:06 |
slangasek | RAOF: yep | 01:09 |
darkxst | infinity, stgraber, can I get ddebs enabled on ppa:gnome3-team/gnome3-next | 01:10 |
infinity | darkxst: I suspect the people who can twiddle that are all gone for the week. | 01:11 |
RAOF | slangasek: Ta. I'll give that a try after I finish bashing my head on X | 01:11 |
slangasek | :-) | 01:11 |
darkxst | infinity, ok, will try again next week then | 01:12 |
RAOF | To be clear - I'd need the CA key in KEK and the signing key in db, right? | 01:12 |
RAOF | Or just the signing key everywhere? | 01:12 |
infinity | darkxst: Asking through answers.lp.net may get someone to see it if/when they're bored, or just poke me on Monday, and I'll get someone to do it. | 01:12 |
darkxst | infinity, ok thanks, Monday is fine | 01:14 |
slangasek | RAOF: yep, CA key in KEK, signing key in db | 01:17 |
slangasek | that's the standard config | 01:17 |
phillw | If there is someone available, could you tell me the difference between sudo do-release-upgrade and the apt-get update & dist-upgrade route? | 01:54 |
phillw | brian intimated that they are not the same. | 01:55 |
ScottK | They aren't. The first one uses ubuntu-release-upgrader. To really understand the difference you probably need to look at the code, but the simple version is it does lots of special casing to make release upgrades smoother. | 02:09 |
ScottK | You could ask that on -devel. It's nothing to do with the release team. | 02:09 |
phillw | ScottK: thanks, heading there now :) | 02:13 |
=== Ursinha is now known as Ursinha-afk | ||
=== Ursinha-afk is now known as Ursinha | ||
Laney | please to promote ubuntu-wallpapers-saucy | 08:10 |
infinity | Laney: Iz done. | 08:35 |
RAOF | slangasek: Thanks; now that I've got the Canonical signing key in db everything works marvelously. | 09:37 |
xnox | Please reject ocaml-estrings from saucy new queue, its orig tarball is full of .... upstream .git/objects | 14:55 |
xnox | slangasek: thanks. | 15:13 |
slangasek | wasna me | 15:13 |
slangasek | some other archive admin working on the weekend and not fessing up :) | 15:13 |
infinity | If only it emailed the uploader so you knew who rejected it. | 15:13 |
xnox | =) | 15:29 |
=== Ursinha-afk is now known as Ursinha | ||
=== charles_ is now known as charles |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!