Your message dated Sun, 7 Jun 2026 00:16:21 +0100
with message-id <[email protected]>
and subject line Re: Bug#1136942: shim-signed: Early (!) guidance on the 2011 >
2023 KEK roll-over June 2026
has caused the Debian Bug report #1136942,
regarding shim-signed: Early (!) guidance on the 2011 > 2023 KEK roll-over June
2026
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136942: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136942
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: shim-signed
Version: 1.47+15.8-1
Severity: normal
X-Debbugs-Cc: [email protected]
Would it be possible to, as soon as possible, publish guidance for how the
June 26th 2026 expiry of the Microsoft KEK 2011 keys should be
handled - workflows, gotchyas, etc. ?
I see Microsoft has now signed shims with the 2023 UEFI CA KEK present
in the git repository.
PCs with firmware that has not received the 2023 KEK updates will presumably
refuse to execute the new shim.
PCs with firmware that has updated will refuse to execute the old shim
(bug #1112197).
This could lead to a lot of support requests and bug reports with the
attendant frustration of owner/operators starting just after June 26th
but having a long tail depending on when shim-signed package updates on
each host and/or when the firmware is updated.
It will presumably effect all releases from oldoldstable through to unstable.
-- System Information:
Debian Release: 13.4
Versions of packages shim-signed depends on:
ii shim-helpers-amd64-signed 1+15.8+1
ii shim-signed-common 1.47+15.8-1
shim-signed recommends no packages.
shim-signed suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On Sun, May 17, 2026 at 11:41:13PM +0100, Steve McIntyre wrote:
>On Sun, May 17, 2026 at 12:42:04PM +0000, Tj wrote:
>>Package: shim-signed
>>Version: 1.47+15.8-1
>>Severity: normal
>>X-Debbugs-Cc: [email protected]
>>
>>Would it be possible to, as soon as possible, publish guidance for how the
>>June 26th 2026 expiry of the Microsoft KEK 2011 keys should be
>>handled - workflows, gotchyas, etc. ?
>
>You're mixing up KEK and DB here...
>
>>I see Microsoft has now signed shims with the 2023 UEFI CA KEK present
>>in the git repository.
>>
>>PCs with firmware that has not received the 2023 KEK updates will presumably
>>refuse to execute the new shim.
>
>Nope.
>
>>PCs with firmware that has updated will refuse to execute the old shim
>>(bug #1112197).
>>
>>This could lead to a lot of support requests and bug reports with the
>>attendant frustration of owner/operators starting just after June 26th
>>but having a long tail depending on when shim-signed package updates on
>>each host and/or when the firmware is updated.
>>
>>It will presumably effect all releases from oldoldstable through to unstable.
>
>I'm working on the shim-signed packages and docs right now; updates
>coming shortly...
And I've published docs at
https://wiki.debian.org/SecureBoot/CAChanges
now, so closing this bug. Feedback on the doc welcome!
--
Steve McIntyre, Cambridge, UK. [email protected]
"I suspect most samba developers are already technically insane... Of
course, since many of them are Australians, you can't tell." -- Linus Torvalds
--- End Message ---