Hi,

On Tue, May 19, 2026 at 02:17:53PM +1200, jfp wrote:
>Package: shim-signed
>Version: 1.47+15.8-1 (Actually 1.48+16.1-2)
>Severity: serious
>Justification: unsure
>X-Debbugs-Cc: [email protected]
>User: [email protected]
>Usertags: amd64
>
>Dear Maintainer,
>
>Running apt update with tries to install shim-signed_1.48+16.1-2_amd64.deb but
>fails with the following:
>
>No valid UEFI Secure Boot signatures found
>
> │
> │ UEFI Secure Boot is enabled on your system, but the signed shim binary in
>this package is not signed with a key that your system trusts. This is a FATAL
>ERROR - your system will not currently boot with this
> │ signed shim installed.
> │
> │ To fix this error, you probably need to update the trusted certificates list
>(DB) on your system. See
> │
> │ https://wiki.debian.org/SecureBoot/CAChanges
> │
> │ for more information about how to do this.
>
>mokutil --sb-state
>SecureBoot disabled
>Platform is in Setup Mode

Thanks - that is all the information I needed to debug this. When
developing this change, none of my test systems showed the "Platform
is in Setup Mode" message so I didn't handle that. Fixing that now.

>
>mokutil --list-enrolled
>#Only have
>Subject: CN=Debian Secure Boot CA
>
>Points to https://wiki.debian.org/SecureBoot/CAChanges
>Which just says:
>"More to come soon..."

And I'm working on this too - thanks!

-- 
Steve McIntyre, Cambridge, UK.                                [email protected]
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html
