Hi Steve,
thanks for the reply (and approving my wiki account)

Quoting Steve McIntyre (2025-08-27 15:49:23)
> On Wed, Aug 27, 2025 at 01:26:37PM +0200, Anton Khirnov wrote:
> >Package: shim-signed
> >Version: 1.47+15.8-1
> >Severity: important
> >
> >Dear Maintainer(s),
> >my new laptop (ASUS EXPERTBOOK B9403CVAR) fails to boot with Secure Boot
> >enabled, with the UEFI firmware showing a "Secure Boot violation"
> >message. This seems to be caused by the fact that shim is signed by
> >"Microsoft Corporation UEFI CA 2011", which is not present in the
> >laptop's db list. Instead it has the newer "Windows UEFI CA 2023" (full
> >mokutil --db output below).
> >
> >Manually adding the 2011 CA to db does make it boot, but it is not
> >straightforward or particularly user-friendly.
> >
> >Would it be possible to get shim signed by one of the keys that are
> >preloaded on this machine?
>
> That's coming soon-ish, yes. Microsoft have not yet started signing
> shims using the new UEFI CA; we're in regular contact about the key
> rollover, as are people from other distros.

I suppose we can expect that to happen some time before the old CA
expires in 2026?

> This is very much a vendor mistake IMHO - the guidance is to continue
> shipping the old UEFI CA as well as the new UEFI CA. This is likely to
> bite a lot of people. :-(

Yeah...I've already got one email asking how to work around this, so I
added a quick guide to https://wiki.debian.org/SecureBoot

Hopefully it becomes obsolete before too long.

Cheers,
-- 
Anton Khirnov

