Hi Daniele, On Fri, Jun 05, 2026 at 10:21:49PM +0200, Daniele Benucci wrote: >Package: shim-signed >Version: 1.50+16.1-2 >Severity: important >X-Debbugs-Cc: [email protected] > >Dear Maintainer, >as suggested on https://wiki.debian.org/SecureBoot/CAChanges, I'm reporting an >issue with dual-signed shim on an Asus K551 laptop (same as S551).
ACK, thanks very much for reporting! >$ sudo dmidecode | grep -A 3 "System Information" >System Information > Manufacturer: ASUSTeK COMPUTER INC. > Product Name: S551LB > Version: 1.0 > >$ sudo dmidecode | grep -A 3 "Platform Firmware Information" >Platform Firmware Information > Vendor: American Megatrends Inc. > Version: S551LB.212 > Release Date: 04/25/2014 > >Starting from version 1.48 of shim-signed (that introduced the dual signature), >system refuses to boot with "Invalid signature detected" message. (I'm >currently pinned to 1.47 to keep Secure Boot enabled) > >These are my installed DB and KEK certificates (I already installed the 2023 >certificates while trying to debug myself, all other certificates were pre- >installed) > >$ mokutil --db --short >62b51ed2e6 ASUSTeK Notebook SW Key Certificate >16b36b31bb ASUSTeK MotherBoard SW Key Certificate >46def63b5c Microsoft Corporation UEFI CA 2011 >580a6f4cc4 Microsoft Windows Production PCA 2011 >76a0920658 Canonical Ltd. Master Certificate Authority >b5eeb4a670 Microsoft UEFI CA 2023 > >$ mokutil --kek --short >5c2c5f8653 ASUSTeK Notebook KEK Certificate >31590bfd89 Microsoft Corporation KEK CA 2011 >76a0920658 Canonical Ltd. Master Certificate Authority >459ab6fb5e Microsoft Corporation KEK 2K CA 2023 > >I'm reporting with "important" severity, following the severity descriptions >from reportbug, (definitely not "critical", considering this is a quite old >system). Feel free to change the severity either raising of lowering it, if >appropriate. Nod. Yours is the only report I've seen *personally* of a system with trouble like this, but via conversations with developers from other distros I've heard rumours of a small number of others. Out of interest, have you tried testing either of the single-signed versions of the new shim binary to be 100% sure that the problem is the dual-signing? If you check the current shim-signed source package, you can find them both there: * shimx64.efi.signed.MS-2011 * shimx64.efi.signed.MS-2023 That would be useful to confirm... If more such systems show up, I might try to find the time for a solution for systems like yours. But for now I think you might be stuck where you are. -- Steve McIntyre, Cambridge, UK. [email protected] < Aardvark> I dislike C++ to start with. C++11 just seems to be handing rope-creating factories for users to hang multiple instances of themselves.
