On Sat, 2023-04-08 at 20:03 -0700, Samuel Sieb wrote:
It looks like there is a new version of the UEFI boot system, which
can't be installed because of signature issues. Is this correct? Is
it anything to worry about? Can anything be done to fix the issue? Is
the issue likely to be fixed upstream?

I don't use Discover. I use fwupdmgr directly. I have not seen
fwupdmgr refuse to update a component (sans no UEFI). Here's the
relevant piece of the script I run daily:

if command -v fwupdmgr >/dev/null 2>&1 ; then
    if fwupdmgr get-devices 2>&1 | grep -q -c 'UEFI ESRT device' ; then
        echo "Updating firmware"
        fwupdmgr refresh --force 1>/dev/null && \
            fwupdmgr update 1>/dev/null
    fi
fi

I also noticed the db was updated today.

Very interesting. After running by hand the parts of your script that
test whether an update is necessary (It is.), I ran the actual update
and got the following output. As you see, I replied "n"; would it be
dangerous to try "Y"?

That sounds quite safe.  Do you even use any software from those
companies?  (Things that boot directly.)
One of them may be the author my system's firmware. I don't know who wrote it.

BTW: I've been seeing the error message for about a week.

What error message?

The following message. I should have written "warning" rather than "error".

$ fwupdmgr update 
Devices with no available firmware updates:  
• System Firmware 
• WDC WD2005FBYZ-01YCBB2 
• WDC WD20EFRX-68EUZN0 
╔══════════════════════════════════════════════════════════════════════════════╗ 
║ Upgrade UEFI dbx from 217 to 220?                                            ║ 
╠══════════════════════════════════════════════════════════════════════════════╣ 
║ Insecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and  ║ 
║ New Horizon Datasys Inc were added to the list of forbidden signatures due   ║ 
║ to discovered security problems. This updates the dbx to the latest release  ║ 
║ from Microsoft.                                                              ║ 
║                                                                              ║ 
║ Before installing the update, fwupd will check for any affected executables  ║ 
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║ 
║ with any of the forbidden signatures.                                        ║ 
║                                                                              ║ 
╚══════════════════════════════════════════════════════════════════════════════╝ 
Perform operation? [Y|n]: n 
Request canceled

-- 
Sincerely Jonathan Ryshpan <jonrysh@pacbell.net>

	The Website you seek
	Cannot be located, but
	Countless more exist.