Package: shim-signed-common Version: 1.44+15.8-1 Severity: minor shim-signed-common seems to be the origin (slightly hard to tell) of a dialog during apt dist-upgrade that suggests UEFI Secure Boot must be disabled to use 3rd party drivers. It doesn't seem to check whether a Machine Owner Key is installed in the UEFI trust database and/or configured for DKMS. It should check before misleading the user into disabling a security feature. (Especially considering the amount of hoops someone had to jump through to set it up, and then take into consideration someone tech-savvy might have set this up for their tech-limited political refugee grandparent.)
Relevant config: /etc/dkms/framework.conf:mok_signing_key=/root/.mok/mok.key /etc/dkms/framework.conf:mok_certificate=/root/.mok/mok.der Output of "mokutil --list-enrolled" (abbreviated): [key 1] SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb Certificate: Data: Version: 3 (0x2) Serial Number: ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Debian Secure Boot CA Subject: CN=Debian Secure Boot CA [...snip...] [key 2] SHA1 Fingerprint: ... Certificate: Data: Version: 3 (0x2) Serial Number: ... Signature Algorithm: sha256WithRSAEncryption Issuer: CN=equinox/emailAddress=equi...@diac24.net Subject: CN=equinox/emailAddress=equi...@diac24.net -- System Information: Debian Release: trixie/sid APT prefers testing APT policy: (600, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable'), (400, 'unstable'), (300, 'jammy-updates'), (300, 'jammy-security'), (300, 'jammy'), (300, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.8.7+ (SMP w/16 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages shim-signed-common depends on: ii debconf [debconf-2.0] 1.5.87 ii mokutil 0.6.0-2+b1 shim-signed-common recommends no packages. shim-signed-common suggests no packages. -- debconf information excluded