Bug#1112197: fails to boot on a laptop without Microsoft 2011 UEFI CA
Hi Steve,
thanks for the reply (and approving my wiki account).
Quoting Steve McIntyre (2025-08-27 15:49:23)
> On Wed, Aug 27, 2025 at 01:26:37PM +0200, Anton Khirnov wrote:
> >Package: shim-signed
> >Version: 1.47+15.8-1
> >Severity: important
> >
> >Dear Maintainer(s),
> >my new laptop (ASUS EXPERTBOOK B9403CVAR) fails to boot with Secure Boot
> >enabled, with the UEFI firmware showing a "Secure Boot violation"
> >message. This seems to be caused by the fact that shim is signed by
> >"Microsoft Corporation UEFI CA 2011", which is not present in the
> >laptop's db list. Instead it has the newer "Windows UEFI CA 2023" (full
> >mokutil --db output below).
> >
> >Manually adding the 2011 CA to db does make it boot, but it is not
> >straightforward or particularly user-friendly.
> >
> >Would it be possible to get shim signed by one of the keys that are
> >preloaded on this machine?
>
> That's coming soon-ish, yes. Microsoft have not yet started signing
> shims using the new UEFI CA; we're in regular contact about the key
> rollover, as are people from other distros.
I suppose we can expect that to happen some time before the old CA
expires in 2026?
> This is very much a vendor mistake IMHO - the guidance is to continue
> shipping the old UEFI CA as well as the new UEFI CA. This is likely to
> bite a lot of people. :-(
Yeah... I've already got one email asking how to work around this, so I
added a quick guide to https://wiki.debian.org/SecureBoot
Hopefully it becomes obsolete before too long.
Cheers,
--
Anton Khirnov
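As an added example (not code from Anton, Steve, or the shim-signed package), the following script shows the check a user would want before enabling Secure Boot on a machine like the one in this report: parse `mokutil --db` output, list the CA subject names in the firmware's db, and report whether the "Microsoft Corporation UEFI CA 2011" that current shim builds are signed with is present. The sample db dumps are constructed inline and use placeholder fingerprints, issuers and dates; the record layout is assumed to be the openssl `x509 -text` style that mokutil prints, so only the `Subject:` lines matter to the parser.

```python
import re
import sys

# CA that signs the shim currently shipped (named in the bug report).
SHIM_SIGNER_CN = "Microsoft Corporation UEFI CA 2011"

# Constructed sample: a db that only carries the newer CA, as on the laptop
# in the report. Fingerprint, issuer and dates are placeholders, not real values.
SAMPLE_DB_2023_ONLY = """\
[key 1]
SHA1 Fingerprint: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, O=Microsoft Corporation, CN=PLACEHOLDER ROOT
        Validity
            Not Before: Jan  1 00:00:00 2023 GMT
            Not After : Jan  1 00:00:00 2035 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Windows UEFI CA 2023
"""

# Constructed sample: a db that carries both CAs, which is what the
# guidance Steve refers to expects vendors to ship.
SAMPLE_DB_BOTH = SAMPLE_DB_2023_ONLY + """\
[key 2]
SHA1 Fingerprint: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, O=Microsoft Corporation, CN=PLACEHOLDER ROOT
        Validity
            Not Before: Jan  1 00:00:00 2011 GMT
            Not After : Jan  1 00:00:00 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
"""


def subject_cns(db_text: str) -> list[str]:
    """Return the CN of every 'Subject:' line in mokutil --db style output."""
    cns = []
    for raw in db_text.splitlines():
        line = raw.strip()
        if not line.startswith("Subject:"):
            continue
        # CN is the last RDN here; stop at a comma so trailing fields are not swallowed.
        m = re.search(r"CN\s*=\s*([^,]+)", line)
        if m:
            cns.append(m.group(1).strip())
    return cns


def shim_ca_present(db_text: str, signer_cn: str = SHIM_SIGNER_CN) -> bool:
    """True if the CA that signs shim is enrolled in db, so shim will verify."""
    return signer_cn in subject_cns(db_text)


def report(db_text: str) -> str:
    """Human-readable summary: enrolled CAs plus whether shim is expected to boot."""
    lines = ["CAs enrolled in db:"] + [f"  - {cn}" for cn in subject_cns(db_text)]
    if shim_ca_present(db_text):
        lines.append(f"OK: '{SHIM_SIGNER_CN}' is present; a shim signed by it will verify.")
    else:
        lines.append(f"WARNING: '{SHIM_SIGNER_CN}' is missing; expect a Secure Boot "
                     "violation with the currently signed shim.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage on a real machine: mokutil --db | python3 check_db.py
    # With no piped input, run against the constructed samples instead.
    if sys.stdin.isatty():
        print(report(SAMPLE_DB_2023_ONLY))
        print()
        print(report(SAMPLE_DB_BOTH))
    else:
        print(report(sys.stdin.read()))
```

The script deliberately only reads db; it does not touch any firmware variables, so it is safe to run on any machine as a pre-flight check. A matching check on the other side is to confirm which CA the installed shim was actually signed with (for example with `sbverify --list` from the sbsigntool package) before comparing against this output.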