Package: shim-signed Version: 1.47+15.8-1 Severity: normal X-Debbugs-Cc: [email protected]
Would it be possible to, as soon as possible, publish guidance for how the June 26th 2026 expiry of the Microsoft KEK 2011 keys should be handled - workflows, gotchyas, etc. ? I see Microsoft has now signed shims with the 2023 UEFI CA KEK present in the git repository. PCs with firmware that has not received the 2023 KEK updates will presumably refuse to execute the new shim. PCs with firmware that has updated will refuse to execute the old shim (bug #1112197). This could lead to a lot of support requests and bug reports with the attendant frustration of owner/operators starting just after June 26th but having a long tail depending on when shim-signed package updates on each host and/or when the firmware is updated. It will presumably effect all releases from oldoldstable through to unstable. -- System Information: Debian Release: 13.4 Versions of packages shim-signed depends on: ii shim-helpers-amd64-signed 1+15.8+1 ii shim-signed-common 1.47+15.8-1 shim-signed recommends no packages. shim-signed suggests no packages. -- no debconf information
