3

On a VPS server, console-only access. A few months ago I upgraded the distribution from Ubuntu 16.04 to 18.04 and had no problem since.

This morning while upgrading packages, I got the following message:

The following packages have been kept back: shim-signed The following packages will be upgraded: cloud-initramfs-copymods cloud-initramfs-dyn-netconf grub-common grub-efi-amd64 grub-efi-amd64-bin grub-efi-amd64-signed grub2-common open-iscsi overlayroot

I let the upgrade happen then tried to install shim-signed as I usually do when package upgrades are kept back. Doing so I got this error:

$ apt-get install shim-signed Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming. The following information may help to resolve the situation: The following packages have unmet dependencies: shim-signed : Depends: shim (= 15+1533136590.3beb971-0ubuntu1) but 13- 0ubuntu2 is to be installed E: Unable to correct problems, you have held broken packages.

Using apt-mark showhold shows no held packages:

$ apt-mark showhold

Jean Vincent
  • 133
  • 2
    I don't know if this will help, but something funny is going on with shim and shim-signed: On my main system shim shows up in Synaptic as (local or obsolete) version 15+1533136590.3beb971-0ubuntu1. This usually happens when Canonical pushes out a bad update, I install it, and then they pull it back out of the repos. The repo version is 13-0ubuntu2. I also have an orphan version of shim-signed. It looks like you got one but not the other. Normally I would revert to the repo versions in this case but I'm afraid to for these packages. – Organic Marble Oct 11 '18 at 12:41
  • Does this suggest that if I wait a few days, Ubuntu might fix the problem and it could go away? – Jean Vincent Oct 11 '18 at 12:44
  • 1
    I don't know...this happened a few days ago to me, so I'm surprised it is still an issue. Normally I'd force-install the older version of the package but I don't want to render my system unbootable if that goes wrong. – Organic Marble Oct 11 '18 at 12:49

1 Answers1

3

This was a known issue and has been addressed on the #ubuntu-release IRC channel.

Source: #ubuntu-release IRC logs for 2018-10-11 [Archive Link]

Shortly after this answer was originally posted, the Ubuntu package archive (http://archive.ubuntu.com/ubuntu/) was updated to fix the problem.

Note: Mirrors take a variable amount of time to synchronize with the main archive, so if you are using a mirror, you may have to wait longer or change your mirror to http://archive.ubuntu.com/ubuntu/.

Run the following command to update your package list:

sudo apt update

If your mirror is up-to-date, you should now be able upgrade all your packages, including shim and shim-signed.

Relevant IRC conversation:

[13:14] cyphermox: hi, whomever promoted shim-signed to bionic-updates, please also promote shim
[13:14] cyphermox: (the two must go together)

[13:29] sil2100: cyphermox: apologies for that, it didn't have a bug so my brain missed it
[13:29] sil2100: Even though it's completely logical
[13:29] TJ- sil2100: thanks - that'll keep a user happy. Was seeing "shim-signed" in "apt list --upgradeable" but the package wasn't offered for upgrade by apt

To prevent this same issue from happening again, ~smoser has submitted the pair of packages, shim and shim-signed, to a list that is used to verify packages that need to be released together:

[13:30] rbasak: smoser had a branch to prevent such accidents. I don't see what happened to it.
[13:30] rbasak: https://code.launchpad.net/~smoser/ubuntu-archive-tools/package-sets/+merge/348334
[13:30] rbasak: Merged
[13:30] cyphermox: I was about to ask about that, should be easy to write a warning to avoid this
[13:30] rbasak: Is your ubuntu-archive-tools up to date sil2100?
[13:31] rbasak: Ah
[13:31] rbasak: shim and shim-signed need adding to the list.
[13:31] cyphermox: yup
[13:31] sil2100: seb128: hey! I'm going to request a full translation export and then a new base upload - I saw that you mentioned issues with the gnome translations, are you good now in case we do an export soon?
[13:31] sil2100: rbasak: I thought mine was
[13:32] cyphermox: sil2100: fwiw, not entirely your fault, shim didn't have any bugs linked to it either -- and I'm going to avoid that from now on by requiring a bug prior to any upload of shim to devel
[13:33] cyphermox: (since we copy shim across releases, etc.)
[13:37] seb128: sil2100, hey, I guess so, dunno who changed those settings but it screwed thing. I think I'm going to fix as much as I plan to do before cosmic, it's tedious work and we are not going to reupload all GNOME now (and import seem fine in most case, it seems the setting didn't change so long ago)
[13:40] smoser: yeah, the goal of that branch was that it if you tried to release grub2 without grub2-signed it would exit failure
[13:40] smoser: if you had > revision 1180, i'd like to figure out what you did do that didn't trip it. [13:42] sil2100: smoser: it was about shim and shim-signed, apparently that's not added to the list
[13:42] sil2100: duh
[13:42] smoser: ah. well lets add them.
[13:42] smoser: if they do in fact have to be released together.
[13:46] smoser: https://code.launchpad.net/~smoser/ubuntu-archive-tools/shim-signed/+merge/356578
[13:47] cyphermox: smoser: thanks

For reference, this is what the two affected package listings looked like after the fix:

Package: shim
Architecture: amd64
Version: 15+1533136590.3beb971-0ubuntu1
Priority: optional
Section: admin
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Steve Langasek <vorlon@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 3744
Breaks: shim-signed (<< 1.33~)
Filename: pool/main/s/shim/shim_15+1533136590.3beb971-0ubuntu1_amd64.deb
Size: 574704
MD5sum: 57145d15f6745f2dd9a081cf39da0350
SHA1: cb39bc7bddf189ab15baaf7a087169a886dc30bc
SHA256: 3099b90ba9d7bdf705a89a936b622633fe2a5141f24aa0af046b6c629d5475c5
Description: boot loader to chain-load signed boot loaders under Secure Boot
Task: ubuntu-core
Description-md5: ba97e9b3cf7ad648ef7a4f6c9fa9a6d0
Phased-Update-Percentage: 10
Supported: 5y

Package: shim-signed
Architecture: amd64
Version: 1.37~18.04.2+15+1533136590.3beb971-0ubuntu1
Built-Using: shim (= 15+1533136590.3beb971-0ubuntu1)
Priority: optional
Section: utils
Source: shim-signed (1.37~18.04.2)
Origin: Ubuntu
Maintainer: Steve Langasek <steve.langasek@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 1354
Depends: debconf (>= 0.5) | debconf-2.0, shim (= 15+1533136590.3beb971-0ubuntu1), grub-efi-amd64-signed, grub2-common (>= 2.02-2ubuntu8.1), mokutil, sbsigntool
Recommends: secureboot-db
Breaks: grub-efi-amd64-signed (<< 1.93.7)
Filename: pool/main/s/shim-signed/shim-signed_1.37~18.04.2+15+1533136590.3beb971-0ubuntu1_amd64.deb
Size: 343204
MD5sum: 5c39a5914b36861d2a4ebf318f9ac687
SHA1: 328332977616d2a2565d546e0e0dce518d8b2829
SHA256: a53e741f63a309ee9c7330386edb74905e3632ebc334386b00ab989811b2ef61
Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
Task: ubuntu-core
Description-md5: a481805ba65b750cfdd6438a7d8539a2
Phased-Update-Percentage: 20
Supported: 5y

Notice that the Depends: section of shim-signed has shim (= 15+1533136590.3beb971-0ubuntu1), which now has a matching Package: shim version.

Deltik
  • 327
  • Is there a way to fix it? – Organic Marble Oct 11 '18 at 14:39
  • 1
    @OrganicMarble: It was actually just fixed a few minutes before you asked. A sudo apt update will now update the local package information with the correct dependencies. – Deltik Oct 11 '18 at 14:57
  • 1
    Thanks - I will check. My local mirror only updates every 12 hours so I hadn't seen it yet. edit: It looks like this will fix the orphaning of shim-signed on my system, but not shim. sigh. Anyway, great research, +1 edit: the new version of shim has not shown up in the US repos anyway. apt-policy shim gives 13-0ubuntu2 – Organic Marble Oct 11 '18 at 15:20
  • 1
    Ah, I forgot about the mirrors. I've updated my answer again to mention their delay. – Deltik Oct 11 '18 at 15:23
  • Thank you very much for your quick update @Deltik. I wait until my mirror updates, which should be tomorrow at the latest, before marking your answer as the correct answer. – Jean Vincent Oct 11 '18 at 15:56
  • 1
    Well, it works for me now, looks like my mirror was updated pretty fast. Thanks again for your thorough explanation and quick fix by the ubuntu team. – Jean Vincent Oct 11 '18 at 16:13
  • And, it's now in the US repos as well. Kudos! – Organic Marble Oct 11 '18 at 16:15