Apt upgrade: shim package kept back

I have six computers running Zorin 15.3 Lite.
I regularly update the installations with "apt -y upgrade" or "apt -y full-upgrade".
It usually works pretty nicely.
Now, there is one of the six, which has been complaing recently (translated from German):

The following packages have been kept back:
shim

To figure out the reason for this I ran "apt install shim shim-signed". This resulted in the following output (translated from German):

The following packages have unfulfilled dependencies:
shim-signed : Depends on: grub-efi-amd64-signed (>= 1.167~) but 1.93.24+zorin3+2.02-2ubuntu8.21 should be installed or
grub-efi-arm64-signed (>= 1.167~) is not installable
Depends on: grub2-common (>= 2.02-2ubuntu8.23)

I'd appreciate some explanation and maybe solution to solve this issue. I have no clue, if the missing update might be critical at some point.

One more issue to mention: I recently discovered that this computer's hard drive was almost at 100% usage. So, I removed some data and uninstalled some packages I had tested on this machine. There might be a connection - I don't know.

Hello, could you explain how you had removed those system files?
Manually or using system optimizer like Bleach bit?

In addition to FrenchPress's question above- any modifications to your /etc/default/grub file?
You might check and compare it against working ones from one of the other computers.
If all is well then you might try:

sudo apt-get install -y grub-pc 'grub-efi*-'

To replace the buggy shim and shim-signed packages.

1 Like

Thank you for your quick responses.

@ FrenchPress: I didn't mess around with system files. I was just checking out different software packages, which I had installed with either apt or PlayOnLinux.
The apt packages I uninstalled with "apt-get autoremove --purge " and the wine packages with the remove function in PlayOnLinux.
However, the error message appeared before I cleaned out the harddrive. The error was one of the reasons I looked at the hard drive.

@Aravision: As said above, I didn't test with system files on this computer, so no changes in /etc/default/grub.
I don't know if the bug description fits here. Zorin 15.3 is based on Ubuntu 18.04, isn't it? I looked into /var/lib/dpkg/info/grub-efi-amd64-signed.postinst, but there is no line "target=x86_64-efi ;;". The closest match lokks like this: "grub-install --target=x86_64-efi --auto-nvram".

What made me think about asking in this forum was actually the reference of "1.93.24+zorin3+2.02-2ubuntu8.21" in the output of "apt install shim shim-signed". Maybe the addition of Zorin is the culprit?

1 Like

Just as additional information: The computer with the issue is an Laptop ASUS SonicMaster F540LA. Maybe it is just a hardware issue.

This is a patch for Gnome Control Center or Settings in your app menu.

I am going by the Kernel, which suggests applicability.
However...

Is Secure Boot Enabled?

When you installed Zorin OS, did you use rEFInd?

1 Like

Yes, Secure Boot is enabled in the BIOS settings.

I have not conciously used rEFInf. When installing Zorin OS Lite, I just used the install routine offered by the GUI of the installation DVD. What's hidden behind, I don't know.

This combined with NVRAM can cause problems - which is why I asked. Are you dual booting Windows?
If not, I highly recommend disabling secure boot.

You would know if you used rEFInd as it is a third party application.

You might try the steps I outlined above after disabling Secure Boot. Be sure to run sudo update-grub when finished. You may try reinstalling grub with the --no-nvram parameter

1 Like

I am not dual booting. So I'd love to disable Secure Boot if it helps Zorin to run smoother. I should be able to do the BIOS part although it looks weird. I remember it differently from other BIOSes.

However, I am not sure what you mean with

I assume that grub needs to be adjusted so that the computer will boot properly afterward. But I don't understand what actually needs to be done - except for

A guide would be a much better way to go...:wink:

https://webcache.googleusercontent.com/search?q=cache:0AHQFVwfI90J:https://itectec.com/ubuntu/ubuntu-how-to-get-grub-efi-amd64-signed-to-not-automatically-overwrite-nvram-on-update/+&cd=2&hl=en&ct=clnk&gl=us&client=ubuntu

Do not worry about the disclaimer:

I've never used refind so I don't know the possible side effects to my suggestion, caveat emptor, don't blame me if this bricks your system, etc.

You are not using rEFInd and the answer provided does not deal with rEFInd, so you are in the clear. (And it wouldn't have bricked the O.P.'s system, either.)