Brew and Secure Boot key Services failing at start

I have secure boot enabled with the correct keys enrolled.

❯ mokutil --sb-state
SecureBoot enabled

❯ mokutil --list-enrolled
2bb010e24d fedoraca
2be991e3b1 ublue kernel

My computer is booting up fine, however on start both brew update service and check-sb-key services are failing.

  UNIT                 LOAD   ACTIVE SUB    DESCRIPTION                                    
● brew-update.service  loaded failed failed Auto update brew for mutable brew installs
● check-sb-key.service loaded failed failed Service to check for secure boot key enrollment

Legend: LOAD   → Reflects whether the unit definition was properly loaded.
        ACTIVE → The high-level unit activation state, i.e. generalization of SUB.
        SUB    → The low-level unit activation state, values depend on unit type.

2 loaded units listed.

The journal logs aren’t particularly helpful for the secure boot service:

-- Boot HASH --
DATE HOST systemd[1]: Started check-sb-key.service - Service to check for secure boot key enrollment.
DATE HOST check-sb-key.sh[1558]: /etc/pki/akmods/certs/akmods-ublue.der is already enrolled
DATE HOST systemd[1]: check-sb-key.service: Main process exited, code=exited, status=1/FAILURE
DATE HOST systemd[1]: check-sb-key.service: Failed with result 'exit-code'.

Here are the logs for brew-update:

DATE HOST systemd[1]: Starting brew-update.service - Auto update brew for mutable brew installs...
DATE HOST bash[35642]: Error:
DATE HOST bash[35826]: /home/linuxbrew/.linuxbrew/Cellar is not writable. You should change the
DATE HOST bash[35826]: ownership and permissions of /home/linuxbrew/.linuxbrew/Cellar back to your
DATE HOST bash[35826]: user account:
DATE HOST bash[35826]:   sudo chown -R LOCAL_ACCOUNT /home/linuxbrew/.linuxbrew/Cellar
DATE HOST systemd[1]: brew-update.service: Main process exited, code=exited, status=1/FAILURE
DATE HOST systemd[1]: brew-update.service: Failed with result 'exit-code'.
DATE HOST systemd[1]: Failed to start brew-update.service - Auto update brew for mutable brew installs.

For the brew issue, it seems it expects my local account in order for the update service to run; however, I am logged in on my enterprise account. Is there a way to make this service compatible with enterprise accounts owning the cellar path (if my enterprise account doesn’t own it then I can’t use brew)? Not a huge issue, I just have to make sure I manually update brew every week, but it would be a nice thing to have working again.

As for the secure boot issue, it’s not impeding anything; I’m curious as to why it fails.

I don’t think we accounted for this when we made it, can you file an issue on this? Thanks!

We currently assume user uid 1000 owns brew as that is the default configuration. This is a compromise.

For the sb-key, mokutil returns exit code 1 if the key is already enrolled, which systemd propagates as a failed unit.
