http://bugzilla.opensuse.org/show_bug.cgi?id=1202120 Bug ID: 1202120 Summary: Can't update my MicroOS as shim post-install script fails with "mokutil: unrecognized option '--set-sbat-policy'" Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: aarch64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: MicroOS Assignee: kubic-bugs@opensuse.org Reporter: fx.houard@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Build Identifier: I try to upgrade my microOS with "transactional-update dup", and it fails every time with code 107. Apparently the problem is that shim post-install script try to launch mokutil with the option '--set-sbat-policy' which is not available with my installation. "mokutil: unrecognized option '--set-sbat-policy'" My version of mokutil is : S | Name | Type | Version | Arch | Repository ---+---------+---------+-----------+---------+------------------------ i+ | mokutil | package | 0.5.0-1.5 | aarch64 | openSUSE-Tumbleweed-Oss I think it is the latest The upgrade is openSUSE MicroOS 20220207-0 -> 20220731-0 BTW I get the same error when trying to upgrade the shim package only (transactional-update pkg update shim). My version of shim is 15.4-7.4, I can't update it to the suggested version (15.6-3.1) Reproducible: Always Steps to Reproduce: 1.transactional-update pkg update shim or transactional-update dup 2. 3. Actual Results: Retrieving: shim-15.6-3.1.aarch64.rpm [.done (1.5 KiB/s)] (1/1) Installing: shim-15.6-3.1.aarch64 [........ mokutil: unrecognized option '--set-sbat-policy' Usage: mokutil OPTIONS [ARGS...] Options: --help Show help --list-enrolled List the enrolled keys --list-new List the keys to be enrolled --list-delete List the keys to be deleted --import <der file...> Import keys --delete <der file...> Delete specific keys --revoke-import Revoke the import request --revoke-delete Revoke the delete request --export Export keys to files --password Set MOK password --clear-password Clear MOK password --disable-validation Disable signature validation --enable-validation Enable signature validation --sb-state Show SecureBoot State --test-key <der file> Test if the key is enrolled or not --reset Reset MOK list --generate-hash[=password] Generate the password hash --ignore-db Ignore DB for validation --use-db Use DB for validation --import-hash <hash> Import a hash into MOK or MOKX --delete-hash <hash> Delete a hash in MOK or MOKX --set-verbosity <true/false> Set the verbosity bit for shim --pk List the keys in PK --kek List the keys in KEK --db List the keys in db --dbx List the keys in dbx --timeout <-1,0..0x7fff> Set the timeout for MOK prompt --sbat List the entries in SBAT Supplimentary Options: --hash-file <hash file> Use the specific password hash --root-pw Use the root password --mokx Manipulate the MOK blacklist --ca-check Check if CA of the key is enrolled/blocked --ignore-keyring Don't check if the key is the kernel keyring warning: %post(shim-15.6-3.1.aarch64) scriptlet failed, exit status 255 ........done] Executing %posttrans script 'shim-15.6-3.1.aarch64.rpm' [....done] 2022-08-03 21:19:37 Application returned with exit status 107. Expected Results: Exit with status 0 :) My system is a raspberry pi 4b. -- You are receiving this mail because: You are on the CC list for the bug.