[00:15] <RAOF> slangasek: You're busy, but at some point I want to pick your brains about why I can't seem to get Ubuntu to secure-boot on this laptop. Just a heads up.
[00:43] <slangasek> RAOF: ASUS?
[00:44] <RAOF> slangasek: System76
[00:44] <RAOF> So this is purely opt-in.
[00:44] <slangasek> hmm!
[00:44] <slangasek> which keys does System76 ship in KEK?
[00:44] <slangasek> +db
[00:44] <RAOF> None; I've added my own.
[00:44] <slangasek> oh. your own personal keys, or the Canonical key?
[00:45] <RAOF> Personal key in the PK, personal, Canonical, and MS keys in KEK & DB
[00:46] <RAOF> Roughly following https://wiki.ubuntu.com/SecurityTeam/SecureBoot and http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/
[00:47] <slangasek> and what's the behavior you're seeing?
[00:47] <RAOF> Windows boots fine, but Ubuntu fails to verify.
[00:48] <RAOF> sbverify claims that /boot/efi/EFI/ubuntu/grubx64.whatever has a valid signature from the Canonical public key, though.
[00:52] <slangasek> and you're booting grub directly, or via shim?
[00:53] <RAOF> Booting to grub directly
[00:53] <slangasek> well hmm
[00:54] <slangasek> and you're sure you have the signing key in db, not the CA key?
[00:55] <RAOF> Hm. I may have the CA key in db.
[01:00] <slangasek> RAOF: you can dump the var via  /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
[01:05] <RAOF> Ah, yeah. Got the CA key in there.
[01:06] <RAOF> I need the signing key instead, I take it?
[01:09] <slangasek> RAOF: yep
[01:10] <darkxst> infinity, stgraber, can I get ddebs enabled on ppa:gnome3-team/gnome3-next
[01:11] <infinity> darkxst: I suspect the people who can twiddle that are all gone for the week.
[01:11] <RAOF> slangasek: Ta. I'll give that a try after I finish bashing my head on X
[01:11] <slangasek> :-)
[01:12] <darkxst> infinity, ok, will try again next week then
[01:12] <RAOF> To be clear - I'd need the CA key in KEK and the signing key in db, right?
[01:12] <RAOF> Or just the signing key everywhere?
[01:12] <infinity> darkxst: Asking through answers.lp.net may get someone to see it if/when they're bored, or just poke me on Monday, and I'll get someone to do it.
[01:14] <darkxst> infinity, ok thanks, Monday is fine
[01:17] <slangasek> RAOF: yep, CA key in KEK, signing key in db
[01:17] <slangasek> that's the standard config
[01:54] <phillw> If there is someone available, could you tell me the difference between sudo do-release-upgrade and the apt-get update & dist-upgrade route?
[01:55] <phillw> brian intimated that they are not the same.
[02:09] <ScottK> They aren't.  The first one uses ubuntu-release-upgrader.  To really understand the difference you probably need to look at the code, but the simple version is it does lots of special casing to make release upgrades smoother.
[02:09] <ScottK> You could ask that on -devel.  It's nothing to do with the release team.
[02:13] <phillw> ScottK: thanks, heading there now :)
[08:10] <Laney> please to promote ubuntu-wallpapers-saucy
[08:35] <infinity> Laney: Iz done.
[09:37] <RAOF> slangasek: Thanks; now that I've got the Canonical signing key in db everything works marvelously.
[14:55] <xnox> Please reject ocaml-estrings from saucy new queue, its orig tarball is full of .... upstream .git/objects
[15:13] <xnox> slangasek: thanks.
[15:13] <slangasek> wasna me
[15:13] <slangasek> some other archive admin working on the weekend and not fessing up :)
[15:13] <infinity> If only it emailed the uploader so you knew who rejected it.
[15:29] <xnox> =)