Uncaught metadata mismatch between LVFS database and CAB file XML
Some days ago I got an apparently malformed firmware update from Dell, and it couldn't be installed. The interesting part is that fwupdmgr identified it as an update but, when attempting to download and install, complained that the release version was lower than the current one. The first message in its output displayed the version in decimal, and the last one in hexadecimal.
```
$ fwupdmgr update
Devices with no available firmware updates:
 • DELL08C8:00 04F3:30C3
 • System Firmware
 • UEFI dbx
 • WDC WD10SPZX-21Z10T0
Upgrade available for CL1-3D128-Q11 NVMe SSSTC 128GB from 22301115 to 22301116
Vostro 3480 must remain plugged into a power source for the duration of the update to avoid damage. Continue with update? [Y|n]:
Downloading… [***************************************]
Decompressing… [***************************************]
Specified firmware is older than installed '0x15449bc < 22301115'
```
Investigation showed that the metadata fetched from LVFS and the metadata extracted from the downloaded firmware's CAB file were actually different. Relevant segment from the LVFS metadata:
```
$ fwupdmgr get-updates --json
(...)
"Version" : "22301115",
"VersionFormat" : "plain",
(...)
"Releases" : [
  {
    "AppstreamId" : "com.dell.guid1cd7457a.firmware",
    "RemoteId" : "lvfs",
    "Summary" : "Non SED NVME",
    "Description" : "<p>Fixed the issue where the system does not reboot after enabling verifier mode.</p><p>Improved the SSD performance and enhanced the battery life by reducing the power consumption.</p>",
    "Version" : "22301116",
    "Filename" : "22301116.cab",
    "Protocol" : "org.nvmexpress",
    "Checksum" : [
      "547094bf9aaa0c0abfaaadd6737d5e20edd91f5b",
      "45eea86ce2a61581d3ebb621a4f2c9c6717b193355e23b5dc55b13c6b5434625"
    ],
    "License" : "LicenseRef-proprietary",
    "Size" : 1130496,
    "Created" : 1610616600,
    "Locations" : [
      "https://fwupd.org/downloads/45eea86ce2a61581d3ebb621a4f2c9c6717b193355e23b5dc55b13c6b5434625-22301116.cab"
    ],
    "Uri" : "https://fwupd.org/downloads/45eea86ce2a61581d3ebb621a4f2c9c6717b193355e23b5dc55b13c6b5434625-22301116.cab",
    "Homepage" : "http://support.dell.com",
    "Vendor" : "SSSTC",
    "Flags" : [
      "is-upgrade"
    ]
  }
]
(...)
```
and from the CAB file (note the release version in hexadecimal):
```
(...)
"Version" : "22301115",
"VersionFormat" : "plain",
"Releases" : [
  {
    "AppstreamId" : "com.dell.guid1cd7457a.firmware",
    "RemoteId" : "lvfs",
    "Summary" : "Non SED NVME",
    "Description" : "<p>Fixed the issue where the system does not reboot after enabling verifier mode.</p><p>Improved the SSD performance and enhanced the battery life by reducing the power consumption.</p>",
    "Version" : "0x15449bc",
    "Filename" : "22301116.bin",
    "Protocol" : "org.nvmexpress",
    "Categories" : [
      "X-Device"
    ],
    "Checksum" : [
      "02943e29b4aef04eb2fc23d9a930285bf51016f9",
      "70b7110b6a14876d4b46004f7c81a178e2d95efb6676a58254fc2d70835141cf"
    ],
    "License" : "LicenseRef-proprietary",
    "Homepage" : "http://support.dell.com",
    "Vendor" : "SSSTC",
    "Flags" : [
      "trusted-payload",
      "trusted-metadata"
    ]
  }
]
(...)
```
Would it be possible to cross-check the release version and other critical metadata at upload time to LVFS? It would probably prevent similar problems from reaching end users.
- Open issue at fwupd: https://github.com/fwupd/firmware-dell/issues/85
- The offending CAB file: 22301116.cab
- The complete outputs from the commands above containing the conflicting metadata are attached: cab.json lvfs.json
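
One way the cross-check requested above could look, as an added example that is not part of the original report and is not LVFS or fwupd code. The names `parse_plain` and `cross_check` are hypothetical, and treating a `plain` version as a single integer written in decimal or `0x` hexadecimal is an assumption; the sample records are the two releases quoted above, reduced to the compared fields.

```python
# Added illustration; not LVFS or fwupd code. Field names follow the
# `fwupdmgr ... --json` output quoted in the report.

def parse_plain(version):
    """Integer value of a 'plain' version string (assumption: one number,
    written either in decimal or as 0x-prefixed hexadecimal)."""
    text = version.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def cross_check(lvfs_release, cab_release,
                fields=("AppstreamId", "Protocol", "Vendor")):
    """Return a list of mismatches between the LVFS record and the CAB record."""
    problems = []
    lvfs_ver, cab_ver = lvfs_release["Version"], cab_release["Version"]
    if lvfs_ver != cab_ver:
        try:
            same_number = parse_plain(lvfs_ver) == parse_plain(cab_ver)
        except ValueError:
            same_number = False  # not a plain integer in either notation
        # Same number in another notation still fails a string comparison
        # on the client, so it is reported rather than silently accepted.
        kind = "notation differs" if same_number else "value differs"
        problems.append(f"Version {kind}: LVFS={lvfs_ver!r} CAB={cab_ver!r}")
    for name in fields:
        if lvfs_release.get(name) != cab_release.get(name):
            problems.append(f"{name} differs: LVFS={lvfs_release.get(name)!r} "
                            f"CAB={cab_release.get(name)!r}")
    return problems


# The two release records from the report, reduced to the compared fields.
LVFS_RELEASE = {"AppstreamId": "com.dell.guid1cd7457a.firmware",
                "Version": "22301116", "Protocol": "org.nvmexpress",
                "Vendor": "SSSTC"}
CAB_RELEASE = {"AppstreamId": "com.dell.guid1cd7457a.firmware",
               "Version": "0x15449bc", "Protocol": "org.nvmexpress",
               "Vendor": "SSSTC"}

if __name__ == "__main__":
    for line in cross_check(LVFS_RELEASE, CAB_RELEASE):
        print("REJECT:", line)
```

Run against the two records, the check reports a single finding: the release version is the same number written in two notations (`0x15449bc` is 22301116 in decimal).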