Your message dated Mon, 18 May 2026 13:33:58 +0000
with message-id <[email protected]>
and subject line Bug#1064102: fixed in shim-signed 1.48
has caused the Debian Bug report #1064102,
regarding shim-signed: Shim needs to be updated to latest version for Microsoft
Surface devices
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1064102: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064102
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: shim-signed
Version: 1.40+15.7-1
Severity: normal
Tags: upstream
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate
***
I tried to install Debian on a Surface Pro 9, but it doesn't boot even with
a
disabled SecureBoot (secured core must be disabled in any case).
In order to have a bootable Linux you need to hack into /efi/boot/debian and
overwrite mmx64.efi with grubx64.efi or even try more exotic actions.
Here you can find a more detailed explanation on this bug and possible
working
solutions:
https://github.com/linux-surface/linux-surface/issues/1274
[...]The good news is: This issue is fixed on the shim main branch, so once
the
distributions update their shim, this issue should disappear. The bad news
is,
that it is not possible for us to fix this, since we can't get a signed
shim /
MokManager from Microsoft.
For now there are three possible solutions:
Disable secureboot and don't enroll any certificates. This is certainly
the
easiest.
There is a Linux Mint installation image (21.2) that contains a working
MokManager. When you are trapped in the bugged state, you can use this to
finish the enrollment process. After the certificate is enrolled, you
should be
able to boot normally.
Downgrading the firmware.
[...]
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.7.2-surface-1 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages shim-signed depends on:
ii grub-efi-amd64-bin 2.12-1
ii grub2-common 2.12-1
ii shim-helpers-amd64-signed 1+15.7+1
ii shim-signed-common 1.40+15.7-1
shim-signed recommends no packages.
shim-signed suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: shim-signed
Source-Version: 1.48
Done: Steve McIntyre <[email protected]>
We believe that the bug you reported is fixed in the latest version of
shim-signed, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve McIntyre <[email protected]> (supplier of updated shim-signed package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 17 May 2026 22:47:06 +0100
Source: shim-signed
Architecture: source
Version: 1.48
Distribution: unstable
Urgency: medium
Maintainer: Debian EFI Team <[email protected]>
Changed-By: Steve McIntyre <[email protected]>
Closes: 1064102 1112197
Changes:
shim-signed (1.48) unstable; urgency=medium
.
* Add support for verifying and then combining signatures from
multiple signed shims.
+ Existing sbverify versions in Debian are buggy when verifying.
+ Switch to using a python script verify_combine_sigs to fill in
the gaps.
* In preinst, try to verify that the signed shim we're trying to
install will actually boot on this system - let's not break
systems on upgrade.
* We now include a dual-signed shim including the 2023 CA.
Closes: #1112197
* The shim included is now NX-capable. Closes: #1064102
Checksums-Sha1:
07c44b7c30573429a76a13043871207cb1ff2a17 1915 shim-signed_1.48.dsc
b9f75ff283a59562435c4b1d2a07b205235067fa 823812 shim-signed_1.48.tar.xz
bd7440dc08887c7626ddd0022fcc06b4a31925d1 6069 shim-signed_1.48_source.buildinfo
Checksums-Sha256:
2a445a17665bae50c88e66d1ff414f90156c0eae8042186a64b1433d09f3c8ff 1915
shim-signed_1.48.dsc
bf6a380e29c8291539db6902d2794fa841b6b546f4bf760b10c5fa13c42880f6 823812
shim-signed_1.48.tar.xz
029173ff3681b8a5bb8ba4f8f1990b5822e26c89a679f602c8892387148f2d43 6069
shim-signed_1.48_source.buildinfo
Files:
61c6adafdf38a6d44165b0598c2dbba7 1915 utils optional shim-signed_1.48.dsc
8d9812cf852b3d682e774c5d2a1f7b67 823812 utils optional shim-signed_1.48.tar.xz
41824bba1284a785951bc02d43a915d8 6069 utils optional
shim-signed_1.48_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEzrtSMB1hfpEDkP4WWHl5VzRCaE4FAmoLESERHDkzc2FtQGRl
Ymlhbi5vcmcACgkQWHl5VzRCaE69pg/+KTItRsIGRV1ySoIz0nGW8K917IEQJu/O
m470oT74QODltetkUf8m95hAIZWkaDHVZov791J8yUV3QsnI9cBZ4pTVOqRkwQXo
uNB9NWOVcQMG91UH9MgscCelQ1tLPzoO4dzqY7/zO0QRxnGZ1QjVOum7xq0gHwvW
wnaW2YNY0FMU2Ya1aqKlI2WC4BuNJPwboQvy/hxfN2hVx5LGH396+Vnux6nqPaFt
zRMBfF3RCmQmTOdnXeBNvP3NOLozS/L63o8//3he6Ne6t9WomEZJhRlnWXG628iC
4/2j3ihWijknP8W6PgrlZb0Ku7bAqwzLqkWn5E1o6RYJLa/RGcAnmKKKDd6PXNVx
aHISSkt/ktMWdjRYca5IHwllzT6p6/p43SCBeKtrFXUSySr/OAFBKIopNiIZMus0
muCicmJ4vUNXr1FbCn/Gu4W5kR8bxF3+uajPetKcgJGCz0wquzFN4JonZZ+fClW9
UmEgcJlnIb3baklvVqlW0iENBXVj+yWxxbeEULYn6TKLfoiOEdEIeIk24ryqSTkn
VBbs8vztl6gkXgYCufl5vqLWMD25VNvzjv9DM/QTM8Kcn9+03HlOuihXc3RIzoMN
L951iRs+MCLPzY9V3dQiwinNMRH71gw6v5FBNxvrQDXf13QU/+GGEgQlCMrMEH5Z
6E+DvgpJf2c=
=Ija/
-----END PGP SIGNATURE-----
pgpzfnrvaSnGH.pgp
Description: PGP signature
--- End Message ---
