On Sun, May 17, 2026 at 12:42:04PM +0000, Tj wrote: >Package: shim-signed >Version: 1.47+15.8-1 >Severity: normal >X-Debbugs-Cc: [email protected] > >Would it be possible to, as soon as possible, publish guidance for how the >June 26th 2026 expiry of the Microsoft KEK 2011 keys should be >handled - workflows, gotchyas, etc. ?
You're mixing up KEK and DB here... >I see Microsoft has now signed shims with the 2023 UEFI CA KEK present >in the git repository. > >PCs with firmware that has not received the 2023 KEK updates will presumably >refuse to execute the new shim. Nope. >PCs with firmware that has updated will refuse to execute the old shim >(bug #1112197). > >This could lead to a lot of support requests and bug reports with the >attendant frustration of owner/operators starting just after June 26th >but having a long tail depending on when shim-signed package updates on >each host and/or when the firmware is updated. > >It will presumably effect all releases from oldoldstable through to unstable. I'm working on the shim-signed packages and docs right now; updates coming shortly... -- Steve McIntyre, Cambridge, UK. [email protected] < liw> everything I know about UK hotels I learned from "Fawlty Towers"
