#1138871 - fwupd fails to find CA updates (original) (raw)

Debian Bug report logs - #1138871

fwupd fails to find CA updates

Display info messages

Report forwardedto debian-bugs-dist@lists.debian.org, Debian EFI <debian-efi@lists.debian.org> (fwupd for {1138871}):
Bug#1138871; Package fwupd. (Fri, 05 Jun 2026 01:13:02 GMT) (full text, mbox, link).

Acknowledgement sentto Steve McIntyre <steve@einval.com>:
New Bug report received and forwarded. Copy sent to debian-efi@lists.debian.org. (Fri, 05 Jun 2026 01:13:02 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: fwupd Version: 2.0.8-3+deb13u1 Severity: important Justification: urgently needed for rolling out CA updates

Hi,

I'm running fwupd in Trixie and expecting to get CA updates for the machine it's running on. Unfortunately, it's not working. I've run "fwupdtool refresh" and "fwupdtool get-updates" multiple times and it's not happening. The latest output on this Thinkpad s

fwupdtool get-updates

... Devices with no available firmware updates: • KEK CA • KEK CA • SBAT • THNSF5256GPUK TOSHIBA • ThinkPad Product CA • UEFI CA • UEFI CA • UEFI dbx • Windows Production PCA Devices with the latest available firmware version: • Embedded Controller • Intel Management Engine • System Firmware No updates available for remaining devices

It doesn't have the 2023 CAs installed in DB:

mokutil --db | grep Subject:.*Microsoft

    Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
    Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011

On another similar Thinkpad running the backport version 2.0.20-1~bpo13+1, things worked flawlessly and I'm currently looking at:

fwupdtool get-updates

... Devices with no available firmware updates: • KEK CA • UEFI Device Firmware • UEFI Device Firmware • UEFI Device Firmware • UEFI Device Firmware • UEFI Device Firmware • Integrated Camera • KEK CA • Option ROM UEFI CA • Prometheus (IOTA Config) • SBAT • ThinkPad Product CA • UEFI CA • WD BLACK SN850X 1000GB • Windows Production PCA Devices with the latest available firmware version: • Embedded Controller • Intel Management Engine • System Firmware • Prometheus • UEFI CA • UEFI dbx No updates available for remaining devices

This machine updated fine on a previous run and has the latest keys in DB:

mokutil --db | grep Subject:.*Microsoft

    Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
    Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
    Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
    Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023

Although even here it's not picking up on the latest Windows CA that I'd expect:

    Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023

-- System Information: Debian Release: 13.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386

Kernel: Linux 6.12.90+deb13-amd64 (SMP w/12 CPU threads; PREEMPT) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled

Versions of packages fwupd depends on: ii libarchive13t64 3.7.4-4+deb13u1 ii libblkid1 2.41-5 ii libc6 2.41-12+deb13u3 ii libcbor0.10 0.10.2-2 ii libcurl3t64-gnutls 8.14.1-2+deb13u3 ii libdrm-amdgpu1 2.4.124-2 ii libdrm2 2.4.124-2 ii libflashrom1 1.4.0-3 ii libfwupd3 2.0.14-1 ii libglib2.0-0t64 2.84.4-3deb13u3 ii libgnutls30t64 3.8.9-3+deb13u4 ii libjcat1 0.2.3-1 ii libjson-glib-1.0-0 1.10.6+ds-2 ii liblzma5 5.8.1-1 ii libmbim-glib4 1.32.0-1 ii libmbim-proxy 1.32.0-1 ii libmm-glib0 1.24.0-1+deb13u1 ii libpolkit-gobject-1-0 126-2 ii libprotobuf-c1 1.5.1-1 ii libqmi-glib5 1.36.0-1 ii libqmi-proxy 1.36.0-1 ii libsqlite3-0 3.46.1-7+deb13u1 ii libsystemd0 257.13-1deb13u1 ii libtss2-esys-3.0.2-0t64 4.1.3-1.2 ii libusb-1.0-0 2:1.0.28-1 ii libxmlb2 0.3.22-1 ii shared-mime-info 2.4-5+b2 ii systemd [systemd-sysusers] 257.13-1~deb13u1 ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1

Versions of packages fwupd recommends: ii bolt 0.9.8-1 ii dbus [default-dbus-system-bus] 1.16.2-2 ii fwupd-amd64-signed [fwupd-signed] 1:1.7+1 ii jq 1.7.1-6+deb13u2 ii python3 3.13.5-1 ii udisks2 2.10.1-12.1+deb13u1

Versions of packages fwupd suggests: pn gir1.2-fwupd-2.0

-- Configuration Files: /etc/fwupd/fwupd.conf [Errno 13] Permission denied: '/etc/fwupd/fwupd.conf' /etc/fwupd/remotes.d/lvfs-testing.conf changed [not included]

-- debconf-show failed

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified:Fri Jun 19 03:01:02 2026; Machine Name:berlioz

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.