[Bug 2139611] Re: snapd fails to prepare db update, giving BadRequest

Tue Feb 24 00:43:53 UTC 2026

This bug was fixed in the package fwupd - 2.0.19-1ubuntu2

---------------
fwupd (2.0.19-1ubuntu2) resolute; urgency=medium

  * Fix snapd bad request on db updates (LP: #2139611):
    - d/p/db-update-snapd-bad-request.patch: On TPM/FDE systems, db updates
      require notifying snapd for preparation. However, the payload uses an
      incorrect format for composite updates. Change the format to align
      with snapd.

 -- Simon Johnsson <simon.johnsson at canonical.com>  Mon, 23 Feb 2026
12:12:45 +0100

** Changed in: fwupd (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd in Ubuntu.
https://bugs.launchpad.net/bugs/2139611

Title:
  snapd fails to prepare db update, giving BadRequest

Status in Fwupd:
  Fix Released
Status in snapd:
  Fix Committed
Status in fwupd package in Ubuntu:
  Fix Released
Status in snapd package in Ubuntu:
  New

Bug description:
  [SRU] 2.74.1:
  https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2138629

  [ Impact ]

  On FDE installation, an official firmware updated (consisting of
  multiple updates) fails.

  [ Test Plan ]

  1. Reproduce with snapd deb < 2.74.1

  Steps to reproduce:
   - Download the daily resolute image from https://cdimages.ubuntu.com/ubuntu/daily-live/pending/.
   - Install the iso in a VM and enable TPM-backed encryption, using swtpm and the OVMF vars provided by test-snapd-ovmf.
   - Refresh firmware updates:
   - fwupdmgr refresh
   - Update firmware with "fwupdmgr update"
   - On the update "UEFI CA from 2011 to 2023", choose "Y" and continue.
   - snapd gives BadRequest

  2. Prove fixed with snapd deb 2.74.1

  Some steps as above, but do not expect the bad request, update must
  succeed.

  ---original---

  Performing a db update on fwupdmgr results in a BadRequest response
  from snapd in the "Prepare" stage.

  Using snapd version 2.74

  snapd logs the following error:

  (Prepare for external EFI DB update) failed: cannot perform initial reseal of keys for Secureboot Key Database update:
  cannot add EFI secure boot and boot manager policy profiles: cannot process host variable modifier 0 for initial branch 0: cannot compute signature database update 0:
  cannot decode EFI_VARIABLE_AUTHENTICATION_2 structure of update:
  cannot check WIN_CERTIFICATE_UEFI_GUID.Hdr:
  unexpected WIN_CERTIFICATE.Revision (0x0)

  Notably snapd versions prior to 2.74 do not handle db updates, however
  I would arguably see this as a regression.

  ---

  Steps to reproduce:

  1. Download the daily resolute image from
  https://cdimages.ubuntu.com/ubuntu/daily-live/pending/.

  2. Install the iso in a VM and enable TPM-backed encryption, using
  swtpm and the OVMF vars provided by test-snapd-ovmf.

  3. Refresh firmware updates:

  $ fwupdmgr refresh

  4. Update firmware:

  $ fwupdmgr update

  5. On the update "UEFI CA from 2011 to 2023", choose "Y" and continue.

  6. (snapd gives BadRequest)

  ---

  Machine specification:
  - Resolute Daily amd64 image (Pending, 2026-02-03 06:50) running on QEMU
  - swtpm with OVMF vars generated by test-snapd-ovmf version edk2-stable202411 (https://snapcraft.io/test-snapd-ovmf)

To manage notifications about this bug go to:
https://bugs.launchpad.net/fwupd/+bug/2139611/+subscriptions