[Bug 2139611] Re: snapd fails to prepare db update, giving BadRequest

Simon Johnsson 2139611 at bugs.launchpad.net
Mon Feb 23 12:58:36 UTC 2026 

** Also affects: fwupd (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: fwupd (Ubuntu)
     Assignee: (unassigned) => Simon Johnsson (bamf0)

** Changed in: fwupd (Ubuntu)
   Importance: Undecided => High

** Changed in: fwupd (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd in Ubuntu.
https://bugs.launchpad.net/bugs/2139611

Title:
  snapd fails to prepare db update, giving BadRequest

Status in Fwupd:
  Fix Released
Status in snapd:
  Fix Committed
Status in fwupd package in Ubuntu:
  In Progress
Status in snapd package in Ubuntu:
  New

Bug description:
  [SRU] 2.74.1:
  https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2138629

  [ Impact ]

  On FDE installation, an official firmware updated (consisting of
  multiple updates) fails.

  [ Test Plan ]

  1. Reproduce with snapd deb < 2.74.1

  Steps to reproduce:
   - Download the daily resolute image from https://cdimages.ubuntu.com/ubuntu/daily-live/pending/.
   - Install the iso in a VM and enable TPM-backed encryption, using swtpm and the OVMF vars provided by test-snapd-ovmf.
   - Refresh firmware updates:
   - fwupdmgr refresh
   - Update firmware with "fwupdmgr update"
   - On the update "UEFI CA from 2011 to 2023", choose "Y" and continue.
   - snapd gives BadRequest

  2. Prove fixed with snapd deb 2.74.1

  Some steps as above, but do not expect the bad request, update must
  succeed.

  
  ---original---

  Performing a db update on fwupdmgr results in a BadRequest response
  from snapd in the "Prepare" stage.

  Using snapd version 2.74

  snapd logs the following error:

  (Prepare for external EFI DB update) failed: cannot perform initial reseal of keys for Secureboot Key Database update:
  cannot add EFI secure boot and boot manager policy profiles: cannot process host variable modifier 0 for initial branch 0: cannot compute signature database update 0:
  cannot decode EFI_VARIABLE_AUTHENTICATION_2 structure of update:
  cannot check WIN_CERTIFICATE_UEFI_GUID.Hdr:
  unexpected WIN_CERTIFICATE.Revision (0x0)

  Notably snapd versions prior to 2.74 do not handle db updates, however
  I would arguably see this as a regression.

  ---

  Steps to reproduce:

  1. Download the daily resolute image from
  https://cdimages.ubuntu.com/ubuntu/daily-live/pending/.

  2. Install the iso in a VM and enable TPM-backed encryption, using
  swtpm and the OVMF vars provided by test-snapd-ovmf.

  3. Refresh firmware updates:

  $ fwupdmgr refresh

  4. Update firmware:

  $ fwupdmgr update

  5. On the update "UEFI CA from 2011 to 2023", choose "Y" and continue.

  6. (snapd gives BadRequest)

  ---

  Machine specification:
  - Resolute Daily amd64 image (Pending, 2026-02-03 06:50) running on QEMU
  - swtpm with OVMF vars generated by test-snapd-ovmf version edk2-stable202411 (https://snapcraft.io/test-snapd-ovmf)

To manage notifications about this bug go to:
https://bugs.launchpad.net/fwupd/+bug/2139611/+subscriptions

More information about the foundations-bugs mailing list