
#1 2023-04-03 04:30:37

yorshi
Member
Registered: 2023-04-03
Posts: 2

sbctl kernel install hook attempts to sign old kernel version

It appears that the sbctl install hook tries to sign an older kernel image that no longer exists. I had to boot off of a recovery disk to fix the problem by manually signing the kernel image.
I'm using sbctl, systemd-boot, and dracut.

When running pacman -Syu linux

it fails with this result:

==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-fallback.img'
==> Image generation successful
(5/5) Signing EFI binaries...
Generating EFI bundles....
File has already been signed /efi/EFI/BOOT/BOOTX64.EFI
failed signing /efi/EFI/Linux/linux-6.2.8-arch1-1-[machine-id]-rolling.efi: /efi/EFI/Linux/linux-6.2.8-arch1-1-[machine-id]-rolling.efi does not exist
error: command failed to execute correctly

The newly installed kernel is /efi/EFI/Linux/linux-6.2.9-arch1-1-[machine-id]-rolling.efi and does exist, but 6.2.8 does not.

I noticed that /usr/lib/kernel/install.d/91-sbctl.install doesn't use hard coded versions--so that's not the issue. I did find that /usr/share/secureboot/files.db still has the older versions listed:

share/secureboot/files.db:    "/efi/EFI/Linux/linux-6.2.8-arch1-1-[machine-id]-rolling.efi": {
share/secureboot/files.db:        "file": "/efi/EFI/Linux/linux-6.2.8-arch1-1-[machine-id]-rolling.efi",
share/secureboot/files.db:        "output_file": "/efi/EFI/Linux/linux-6.2.8-arch1-1-[machine-id]-rolling.efi",

I suspect that either sbctl should remove these entries on a new install, or, if the previous version is meant as a backup, that the old kernel image should remain in the /efi/ directory (and the error is caused by not finding the first file and exiting). Any ideas?


#2 2023-09-05 14:34:35

Specialist
Member
Registered: 2021-12-08
Posts: 17

Re: sbctl kernel install hook attempts to sign old kernel version

I am observing the same issue. Have you ever found a solution?


#3 2023-11-27 00:03:18

yorshi
Member
Registered: 2023-04-03
Posts: 2

Re: sbctl kernel install hook attempts to sign old kernel version

Hey Specialist,

Unfortunately I have not. I'm planning on redoing my installation without Dracut and following guides on the Arch wiki instead of user wiki pages. I no longer receive the error

failed signing /efi/EFI/Linux/linux-6.2.8-arch1-1-[machine-id]-rolling.efi: /efi/EFI/Linux/linux-6.2.8-arch1-1-[machine-id]-rolling.efi does not exist
error: command failed to execute correctly

It must fail silently, but the new image is never signed unless I run

sudo pacman -Syu linux

after each kernel upgrade.

Tried changing the order in both the

/usr/share/libalpm/hooks

as well as

/etc/pacman.d/hooks/

to no avail.


#4 2024-07-24 16:49:25

4ft3rburner
Member
Registered: 2024-07-24
Posts: 2

Re: sbctl kernel install hook attempts to sign old kernel version

I had the same issue. sbctl always tried to sign and verify old and nonexistent kernels and old EFI configurations. It all went away after I removed the entries from the files.db file.

# sbctl sign-all

File has already been signed /boot/efi/EFI/Boot/fbx64.efi
failed signing /boot/vmlinuz-6.2.9-300.fc38.x86_64: /boot/vmlinuz-6.2.9-300.fc38.x86_64 does not exist
✓ Signed /boot/efi/EFI/BOOT/BOOTX64.EFI
✓ Signed /boot/efi/EFI/Boot/bootx64.efi
File has already been signed /boot/efi/EFI/Boot/fbia32.efi
File has already been signed /boot/efi/EFI/arch/grubx64.efi
File has already been signed /boot/vmlinuz-0-rescue-d47b9040cef64cdda0706849745ead0c
File has already been signed /boot/vmlinuz-linux
File has already been signed /boot/vmlinuz-linux-g14
File has already been signed /boot/efi/EFI/Boot/BOOTIA32.EFI
failed signing /boot/vmlinuz-6.3.11-200.fc38.x86_64: /boot/vmlinuz-6.3.11-200.fc38.x86_64 does not exist
failed signing /boot/efi/EFI/Grub-Arch/grubx64.efi: /boot/efi/EFI/Grub-Arch/grubx64.efi does not exist
failed signing /boot/vmlinuz-6.3.8-200.fc38.x86_64: /boot/vmlinuz-6.3.8-200.fc38.x86_64 does not exist
File has already been signed /boot/vmlinuz-linux-lts
File has already been signed /boot/vmlinuz-linux-zen

Last edited by 4ft3rburner (2024-07-24 16:54:41)
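
Added example, not part of any post above and not sbctl's own code: a small script that lists the files.db entries whose target file no longer exists and, with --write, rewrites the database without them after saving a backup. It assumes files.db is a JSON object keyed by path with a "file" field, as the grep output in post #1 suggests; the default path is the one quoted there, and the function names are made up for this example.

```python
#!/usr/bin/env python3
"""List (and optionally drop) files.db entries whose target file is gone."""
import json
import os
import shutil
import sys

# Path quoted in post #1; pass a different one as the first argument.
DEFAULT_DB = "/usr/share/secureboot/files.db"


def stale_entries(db, exists=os.path.exists):
    """Return the keys whose "file" path (or the key itself) does not exist."""
    return sorted(k for k, v in db.items() if not exists(v.get("file", k)))


def prune(db, exists=os.path.exists):
    """Return a copy of db without the stale entries; db itself is unchanged."""
    stale = set(stale_entries(db, exists))
    return {k: v for k, v in db.items() if k not in stale}


def main(argv):
    write = "--write" in argv
    args = [a for a in argv[1:] if a != "--write"]
    path = args[0] if args else DEFAULT_DB
    with open(path) as fh:
        db = json.load(fh)
    stale = stale_entries(db)
    for key in stale:
        print("stale:", key)
    if write and stale:
        shutil.copy2(path, path + ".bak")  # keep the original before rewriting
        with open(path, "w") as fh:
            json.dump(prune(db), fh, indent=4)
    return len(stale)  # number of entries pointing at missing files


if __name__ == "__main__":
    # Exit non-zero when stale entries were found, so a hook can react to it.
    sys.exit(1 if main(sys.argv) else 0)
```

Run it without --write first to see what would be dropped; the remaining images can then be checked with sbctl verify.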

