Rajan Patel
on 1 July 2025
Update Livepatch Client for the newest kernel module signing certificate
- Share on:
- X (formerly Twitter)
The kernel engineering team at Canonical has generated a new module signing certificate on May 16, 2025, and it is embedded in all Ubuntu kernels published after that date. Livepatch Client version 10.11.2 published on June 13, 2025 includes this new certificate. Livepatch Client 10.11.2 or greater is required to successfully Livepatch all kernels published by Canonical after July 2026.
What is Canonical Livepatch?
Canonical Livepatch is a security patching automation tool which supports rebootless security updates for the Linux kernel. Livepatch remediates high and critical common vulnerabilities and exposures (CVEs) with in-memory patches, until the next package upgrade and reboot window. System administrators rely on Livepatch to secure mission-critical Ubuntu servers where security is of paramount importance.
Livepatch Client is an auto-updating snap
When software is published as a snap, it has to be classified by channel and revision. Beta, stable, edge, or long term support are possible channel classifications, but every software publisher has the ability to create their own channel names. Revision numbers correspond to the software as it was published in a channel at a specific point in time, and is decoupled from the version number of the software. If a software publisher reverted their software to a previous version in a channel, the revision number would increment by one, and their version number would decrement accordingly. Snaps will auto-upgrade to the latest revision available in their channel, by default.
The software publisher is in control of the snap package’s upgrade timelines, and when they publish a new version in snapcraft.io, the update is visible to machines everywhere in the world. This is ideal for high-risk software where security updates need to be rolled out in a time-sensitive manner, such as in web browsers and email clients.
The Livepatch snap package provides a critical security patching service, and is published in stable, candidate, beta, and edge channels for a variety of platforms. Livepatch Client version 10.11.2 arrived to the latest/beta channel on June 10, 2025, was promoted to latest/candidate on June 13, 2025, and reached latest/stable on June 16, 2025. Ubuntu Pro users who have enabled the Livepatch entitlement using Pro Client, with the `pro enable livepatch` command, will all be on the latest/stable channel.
Where or when might Livepatch Client not auto-update?
Special consideration needs to be made for environments where Livepatch Client auto-updates have been disabled, or are not possible without additional intervention.
Landscape introduced snap management capabilities in 2024, giving system administrators granular control over auto-updating snap packages. Livepatch Client will need to be manually upgraded in environments where automatic upgrades have been disabled, or in airgapped environments where snap packages have to be manually updated.
How to make the snap available, and progressively update each environment
In airgapped environments, Canonical customers will have deployed a Snap Store internally, and either the Snap Store or Landscape can control the upgrades in those environments. It would be necessary to update the Landscape Client package in the Snap Store so that it is available across the entire estate, and ensure Landscape’s snap management rules for each environment in the estate are not blocking the Livepatch Client from updating to the latest version published in the self-hosted Snap Store. It is expected that the airgapped production environment tracks behind the airgapped staging and testing environments.
Conclusion
Canonical Livepatch prioritizes both protection and operational continuity through its self-updating and confined client. By leveraging the snap packaging system’s automatic update capabilities, the Livepatch client runs on the latest stable version, with the latest security, bugfix, and feature updates. In environments where Livepatch Client updates must be applied manually due to organizational policy or network connectivity constraints typically found in airgapped environments, Livepatch Client must be updated to version 10.11.2 or later for security patching continuity beyond July 2026.
