[Bug 2139611] Re: snapd fails to prepare db update, giving BadRequest

Launchpad Bug Tracker 2139611 at bugs.launchpad.net
Mon Mar 30 16:21:14 UTC 2026 

This bug was fixed in the package fwupd - 2.0.20-1ubuntu2~25.10.1

---------------
fwupd (2.0.20-1ubuntu2~25.10.1) questing; urgency=medium

  * Backport to questing.
  * Fixes UOD behavior on some Dell docks (LP: #2143688)
  * d/control: Drop passim b-d

 -- Mario Limonciello <superm1 at gmail.com>  Thu, 12 Mar 2026 22:51:33
-0500

** Changed in: fwupd (Ubuntu Questing)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd in Ubuntu.
https://bugs.launchpad.net/bugs/2139611

Title:
  snapd fails to prepare db update, giving BadRequest

Status in Fwupd:
  Fix Released
Status in snapd:
  Fix Committed
Status in fwupd package in Ubuntu:
  Fix Released
Status in snapd package in Ubuntu:
  Fix Released
Status in fwupd source package in Questing:
  Fix Released

Bug description:
  [SRU] 2.74.1:
  https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2138629

  [ Impact ]

  On FDE installation, an official firmware updated (consisting of
  multiple updates) fails.

  [ Test Plan ]

  1. Reproduce with snapd deb < 2.74.1

  Steps to reproduce:
   - Download the daily resolute image from https://cdimages.ubuntu.com/ubuntu/daily-live/pending/.
   - Install the iso in a VM and enable TPM-backed encryption, using swtpm and the OVMF vars provided by test-snapd-ovmf.
   - Refresh firmware updates:
   - fwupdmgr refresh
   - Update firmware with "fwupdmgr update"
   - On the update "UEFI CA from 2011 to 2023", choose "Y" and continue.
   - snapd gives BadRequest

  2. Prove fixed with snapd deb 2.74.1

  Some steps as above, but do not expect the bad request, update must
  succeed.

  ---original---

  Performing a db update on fwupdmgr results in a BadRequest response
  from snapd in the "Prepare" stage.

  Using snapd version 2.74

  snapd logs the following error:

  (Prepare for external EFI DB update) failed: cannot perform initial reseal of keys for Secureboot Key Database update:
  cannot add EFI secure boot and boot manager policy profiles: cannot process host variable modifier 0 for initial branch 0: cannot compute signature database update 0:
  cannot decode EFI_VARIABLE_AUTHENTICATION_2 structure of update:
  cannot check WIN_CERTIFICATE_UEFI_GUID.Hdr:
  unexpected WIN_CERTIFICATE.Revision (0x0)

  Notably snapd versions prior to 2.74 do not handle db updates, however
  I would arguably see this as a regression.

  ---

  Steps to reproduce:

  1. Download the daily resolute image from
  https://cdimages.ubuntu.com/ubuntu/daily-live/pending/.

  2. Install the iso in a VM and enable TPM-backed encryption, using
  swtpm and the OVMF vars provided by test-snapd-ovmf.

  3. Refresh firmware updates:

  $ fwupdmgr refresh

  4. Update firmware:

  $ fwupdmgr update

  5. On the update "UEFI CA from 2011 to 2023", choose "Y" and continue.

  6. (snapd gives BadRequest)

  ---

  Machine specification:
  - Resolute Daily amd64 image (Pending, 2026-02-03 06:50) running on QEMU
  - swtpm with OVMF vars generated by test-snapd-ovmf version edk2-stable202411 (https://snapcraft.io/test-snapd-ovmf)

  [SRU] fwupd 2.0.20-1ubuntu2~25.10.1 for questing -
  https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2143688

  [ Impact ]
  For 2023 UEFI db update, fu-snapd-uefi-plugin sends to snapd a firmware that is zip containing both DBUpdate3P2023.bin and DBUpdateOROM2023.bin. However snapd expects a signature list here. The update will be failed.

  [ Test Plan ]
  1. On desktop or laptop with Ubuntu 25.10 installed
  2. Update the snapd to 2.74.1 or later.
  3. Update the fwupd to the version mentioned in LP: #2143688
  4. Refresh fwupd by $ fwupdmgr refresh
  5. Perform fwupd by $ fwupdmgr update
  6. On the update "UEFI CA from 2011 to 2023", choose "Y" and continue
  7. The update can be performed successfully

  [ Where problems could occur ]
  Snapd needs to be given the firmware updates in the right order. The change of API will come in snapd 2.74.1 or 2.74.2. Though since giving the composite update at once as zip does not work on any version. So it is safe to just try to use the new API when multiple updates are to be applied.

  [ Additional information ]
  The SRU denote the prerequisite for LP: #2143688, which needs to be performed for questing fwupd update.

To manage notifications about this bug go to:
https://bugs.launchpad.net/fwupd/+bug/2139611/+subscriptions

More information about the foundations-bugs mailing list