[Bug 2139611] Re: snapd fails to prepare db update, giving BadRequest
Launchpad Bug Tracker
2139611 at bugs.launchpad.net
Tue Feb 24 04:40:23 UTC 2026
This bug was fixed in the package snapd - 2.74.1+ubuntu26.04
---------------
snapd (2.74.1+ubuntu26.04) resolute; urgency=medium
* New upstream release, LP: #2138629
- FDE: measure DeployedMode and AuditMode variables if they appear
as disabled in the event log to avoid a potential reseal-failure
boot loop
- LP: #2141328 FDE: reuse preinstall check context during install to
account for user-ignored errors
- LP: #2139611 FDE: fix db updates by allowing multiple payloads
- LP: #2139300 snap-confine: add CAP_SYS_RESOURCE to allow raising
memory lock limit when required
- LP: #2139099 snap-confine: bump the max element count of the BPF
map used to store IDs of allowed/matched devices to 1000
- LP: #2141607 Desktop: revert change that caused user daemons
declaring the desktop plug to implicitly depend on graphical-
session.target
- Interfaces: Added pidfd_open and memfd_secret to seccomp template
- Interfaces: camera | add locking permission for /dev/video
-- Ernest Lotter <ernest.lotter at canonical.com> Thu, 12 Feb 2026
21:27:23 +0200
** Changed in: snapd (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd in Ubuntu.
https://bugs.launchpad.net/bugs/2139611
Title:
snapd fails to prepare db update, giving BadRequest
Status in Fwupd:
Fix Released
Status in snapd:
Fix Committed
Status in fwupd package in Ubuntu:
Fix Released
Status in snapd package in Ubuntu:
Fix Released
Bug description:
[SRU] 2.74.1:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2138629
[ Impact ]
On FDE installation, an official firmware updated (consisting of
multiple updates) fails.
[ Test Plan ]
1. Reproduce with snapd deb < 2.74.1
Steps to reproduce:
- Download the daily resolute image from https://cdimages.ubuntu.com/ubuntu/daily-live/pending/.
- Install the iso in a VM and enable TPM-backed encryption, using swtpm and the OVMF vars provided by test-snapd-ovmf.
- Refresh firmware updates:
- fwupdmgr refresh
- Update firmware with "fwupdmgr update"
- On the update "UEFI CA from 2011 to 2023", choose "Y" and continue.
- snapd gives BadRequest
2. Prove fixed with snapd deb 2.74.1
Some steps as above, but do not expect the bad request, update must
succeed.
---original---
Performing a db update on fwupdmgr results in a BadRequest response
from snapd in the "Prepare" stage.
Using snapd version 2.74
snapd logs the following error:
(Prepare for external EFI DB update) failed: cannot perform initial reseal of keys for Secureboot Key Database update:
cannot add EFI secure boot and boot manager policy profiles: cannot process host variable modifier 0 for initial branch 0: cannot compute signature database update 0:
cannot decode EFI_VARIABLE_AUTHENTICATION_2 structure of update:
cannot check WIN_CERTIFICATE_UEFI_GUID.Hdr:
unexpected WIN_CERTIFICATE.Revision (0x0)
Notably snapd versions prior to 2.74 do not handle db updates, however
I would arguably see this as a regression.
---
Steps to reproduce:
1. Download the daily resolute image from
https://cdimages.ubuntu.com/ubuntu/daily-live/pending/.
2. Install the iso in a VM and enable TPM-backed encryption, using
swtpm and the OVMF vars provided by test-snapd-ovmf.
3. Refresh firmware updates:
$ fwupdmgr refresh
4. Update firmware:
$ fwupdmgr update
5. On the update "UEFI CA from 2011 to 2023", choose "Y" and continue.
6. (snapd gives BadRequest)
---
Machine specification:
- Resolute Daily amd64 image (Pending, 2026-02-03 06:50) running on QEMU
- swtpm with OVMF vars generated by test-snapd-ovmf version edk2-stable202411 (https://snapcraft.io/test-snapd-ovmf)
To manage notifications about this bug go to:
https://bugs.launchpad.net/fwupd/+bug/2139611/+subscriptions
More information about the foundations-bugs
mailing list