surface-uefi-firmware
firmware signature missing or not trusted;
I just wanted to install the latest downloadable files from here.
I ended up with these files.
|19:11:54|crashdummy@crashface:[surface-uefi-firmware]> [master ✔] | 0 | 0 |
$ ls -1 out/**/*.cab
out/SurfacePro7/SurfacePro7_surfaceme_13.0.1889.2.cab
out/SurfacePro7/SurfacePro7_surfacepd_3.6.1.0.cab
out/SurfacePro7/SurfacePro7_surfacesam_14.418.139.0.cab
out/SurfacePro7/SurfacePro7_surfacetouchfw_3.1.65.139.cab
out/SurfacePro7/SurfacePro7_surfacetpm_7.2.2.0.cab
out/SurfacePro7/SurfacePro7_surfaceuefi_13.101.140.0.cab
I am however not able to install it:
|19:12:21|crashdummy@crashface:[surface-uefi-firmware]> [master ✔] | 0 | 0 |
$ ls -1 out/**/*.cab | xargs -I {} sudo fwupdmgr install {}
Decompressing… [***************************************]
Specified firmware is older than installed '208.7.24834 < 3490068994'
Decompressing… [***************************************]
Specified firmware is older than installed '3.0.1537 < 50333185'
Decompressing… [***************************************]
Specified firmware is older than installed '14.1.41611 < 234960523'
Decompressing… [***************************************]
Specified firmware is older than installed '3.1.16779 < 50413963'
Decompressing… [***************************************]
No supported devices found
Decompressing… [***************************************]
Specified firmware is older than installed '13.0.25996 < 151020940'
|19:14:10|crashdummy@crashface:[surface-uefi-firmware]> [master ✔] | 0 | 0 |
$ ls -1 out/**/*.cab | xargs -I {} sudo fwupdmgr install --allow-older {}
[sudo] password for crashdummy:
Decompressing… [***************************************]
firmware signature missing or not trusted; set OnlyTrusted=false in /etc/fwupd/daemon.conf ONLY if you are a firmware developer
Decompressing… [***************************************]
firmware signature missing or not trusted; set OnlyTrusted=false in /etc/fwupd/daemon.conf ONLY if you are a firmware developer
Decompressing… [***************************************]
firmware signature missing or not trusted; set OnlyTrusted=false in /etc/fwupd/daemon.conf ONLY if you are a firmware developer
Decompressing… [***************************************]
firmware signature missing or not trusted; set OnlyTrusted=false in /etc/fwupd/daemon.conf ONLY if you are a firmware developer
Decompressing… [***************************************]
No supported devices found
Decompressing… [***************************************]
firmware signature missing or not trusted; set OnlyTrusted=false in /etc/fwupd/daemon.conf ONLY if you are a firmware developer
Should I really make this setting? The hell is Microsoft doing?
Same issue here on Surface Go
Seeing the same for SL3 intel
Same on SL4 intel.
Same problem on SB2
SP6 has this issue.
Same issue here on Surface Go
Wondered if you managed to solve this? Having the same issue with the Sept '22 updates.
@mannp no, unfortunately.
Okay, thanks for coming back to me @mobedoor
Any updates on this? It seems to still be an issue
First of all, sorry for ignoring this for so long. I was pretty busy, and when I had time again I simply forgot this issue existed.
The error message about the missing signature comes from fwupd; it has nothing to do with the firmware files you are trying to flash. fwupd is designed to install firmware from LVFS, where the cab files are signed. This script doesn't sign them with a trusted key (not that we would have one, so you would need to generate your own), so fwupd refuses to flash them.
The firmware files inside the cab are signed with a Microsoft key and should be checked by the UEFI separately before they are installed. However, this is just me guessing, so keep that in mind. As long as you only flash what is inside the MSI files you should be fine.
Since there doesn't seem to be a command-line option that disables signature verification (except maybe --force?), setting OnlyTrusted=false like it says in the output is what you should do.
I flashed the newest firmware on my Surface Pro 5 without any problems using OnlyTrusted=false. Using only --force did not help. Maybe this should be added to the README?
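One way to apply the OnlyTrusted=false workaround from the comments above without leaving fwupd's signature check off afterwards, as an added example that is not part of this thread or the project. The function names are hypothetical, and it assumes the conf file already contains an `OnlyTrusted=` line and that fwupd runs as the systemd unit `fwupd`.

```shell
#!/bin/sh
# Added example, not from the surface-uefi-firmware project. Run as root.
# Assumption: the conf file contains a line "OnlyTrusted=<true|false>";
# the function refuses to guess where to put the key if it is absent.

# set_only_trusted FILE VALUE: rewrite the existing OnlyTrusted line.
set_only_trusted() {
    sot_conf=$1; sot_value=$2
    case $sot_value in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 2 ;;
    esac
    grep -q '^OnlyTrusted=' "$sot_conf" ||
        { echo "no OnlyTrusted line in $sot_conf" >&2; return 1; }
    sot_tmp=$(mktemp) || return 1
    sed "s/^OnlyTrusted=.*/OnlyTrusted=$sot_value/" "$sot_conf" > "$sot_tmp"
    cat "$sot_tmp" > "$sot_conf"    # writing into the file keeps owner and mode
    rm -f "$sot_tmp"
}

# restore_conf: put the saved file back; safe to call more than once.
restore_conf() {
    [ -f "$iuc_backup" ] || return 0    # already restored
    cat "$iuc_backup" > "$iuc_conf" && rm -f "$iuc_backup"
    systemctl restart fwupd
}

# install_unsigned_cabs FILE CAB...: relax the check, install, always restore.
install_unsigned_cabs() {
    iuc_conf=$1; shift
    iuc_backup=$(mktemp) || return 1
    cp "$iuc_conf" "$iuc_backup"
    # Safety net: restore even if the script is interrupted or exits early.
    trap restore_conf EXIT
    trap 'exit 130' INT TERM
    set_only_trusted "$iuc_conf" false || return 1
    systemctl restart fwupd || return 1
    for iuc_cab in "$@"; do
        # --allow-older is the flag used in the issue above
        fwupdmgr install --allow-older "$iuc_cab" ||
            echo "install failed: $iuc_cab" >&2
    done
    restore_conf
}
```

From a root shell, call it as `install_unsigned_cabs /etc/fwupd/daemon.conf out/SurfacePro7/*.cab`; only pass cab files built from the MSI packages, since fwupd no longer checks their signature while the setting is relaxed.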