arch-secure-boot

sbctl error: couldn't access /usr/share/secureboot/keys/db/db.pem: no such file or directory

Open haplo opened this issue 1 year ago • 1 comments

I'm seeing signing errors when the hook runs:

==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux -g /boot/initramfs-linux.img
==> Starting build: '6.9.1-arch1-1'
-> Running build hook: [systemd]
-> Running build hook: [autodetect]
-> Running build hook: [microcode]
-> Running build hook: [modconf]
-> Running build hook: [kms]
-> Running build hook: [keyboard]
==> WARNING: Possibly missing firmware for module: 'xhci_pci'
-> Running build hook: [sd-vconsole]
-> Running build hook: [block]
-> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_420xx'
-> Running build hook: [filesystems]
-> Running build hook: [fsck]
==> WARNING: Possibly missing '/bin/sh' for script: /usr/bin/fsck.btrfs
==> Generating module dependencies
==> Decompressing zstd-compressed firmware files
-> Fixing firmware file symlinks
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux.img'
-> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Running post hooks
-> Running post hook: [sbctl]
Signing /boot/vmlinuz-linux
couldn't access /usr/share/secureboot/keys/db/db.pem: no such file or directory
==> ERROR: '/usr/lib/initcpio/post/sbctl' failed with exit code 1

"couldn't access /usr/share/secureboot/keys/db/db.pem: no such file or directory" repeats for every image, both linux and linux-lts, regular and fallback.

Configuration hasn't changed for weeks, I have just been upgrading daily.

Any idea what the problem might be?

haplo May 21 '24 09:05

Looks like it's sbctl issue 311.

haplo May 21 '24 09:05

Hello! Given that the linked issue is closed, could you confirm whether this issue is fixed for you as well?

max-baz Jun 06 '24 08:06

I still see the error, but it has to be a red herring because my system boots fine, and yes, secure boot is enabled.

haplo Jun 06 '24 08:06

I suppose it's because there was no release of sbctl since the fix was merged. In any case, since the boot works and the error comes from a /usr/lib/initcpio/post/sbctl in the first place which we don't control in this project, I suppose we can close the issue?

max-baz Jun 06 '24 08:06

Whatever you prefer @maximbaz. If you leave it open I will close it after a new sbctl is released and I can test it. If you close it I will reopen if it still happens.

haplo Jun 06 '24 08:06

Okay cool, let's close it then. I don't think it's actionable for me even if the error in the hook persists, since the hook comes from another project.

max-baz Jun 06 '24 08:06