Update, October 25: The upstream issue causing the problem described in this advisory has been resolved. If you encounter this problem again during the installation, please let us know by filing a bug report.

During a SecureDrop installation against servers with with UEFI boot mode enabled, the ./securedrop-admin install command may fail with one or more Ansible messages including the following text:

The following packages have unmet dependencies: shim-signed: Depends: shim (= 13-0ubuntu2) but it is not going to be installed

This error is caused by an upstream issue with a new version of the shim package for Ubuntu 14.04.5. The root cause of the error is that the new version of this package was built using a format not supported by Ubuntu 14.04.5. The issue is being tracked upstream and should be fixed soon.

In the meantime, you can work around the issue by manually upgrading dpkg and then completing pending package installs. To do so, first log in to your Application Server, using local SSH from the Admin Workstation. Once you are logged in, run the following commands from your home directory:

sudo apt-get update
mkdir dpkg-fix-2018
cd dpkg-fix-2018
apt-get download dpkg
sudo dpkg -i dpkg_*
sudo apt-get -f install

Then, log in to your Monitor Server and repeat the process.

After completing the dpkg upgrade on both servers, you can proceed with the installation by running the ./securedrop-admin install command again from the base of the SecureDrop repository (~/Persistent/securedrop/) on your Admin Workstation.

You can also be notified when the issue is fixed by subscribing to our tracking issue on GitHub, or to the upstream issue.