Package: grub-efi-amd64-signed
At the moment grub-efi-amd64-signed vs grub-efi-amd64-unsigned have
package descriptions that are identical except one says...
--
This package contains the binaries signed by the Debian UEFI CA to be
used by shim-signed.
--
... and the other says ...
--
This package contains GRUB images that have been built for use with the
EFI-AMD64 architecture, as used by Intel Macs (unless a BIOS interface
has been activated). It can be installed in parallel with other
flavours, but will not automatically install GRUB as the active boot
loader nor automatically update grub.cfg on upgrade unless
grub-efi-amd64 is also installed.
--
But these are not the only critical differences.
Currently the signed version lacks particular modules which are included
in unsigned.
So when I was recently debootstrap'ing a new system with recommends
enabled (as they are by default)... installing grub-efi-amd64 depends
grub-efi-amd64-bin... which depends grub-efi-amd64-unsigned but
**recommends** grub-efi-amd64-signed.
Which means 'grub-install' alone prefers the signed... and thus my
attempt at using normal cryptsetup format (which defaults to argon2 and
luks2) gets me nothing more than a GRUB rescue prompt. (This is a system
with just an EFI partition and a single LUKS2 encrypted ext4 for
*everything* else including boot... something now FINALLY possible with
grub 2.14).
EVENTUALLY I figured out that somehow preventing recommends fixed the
appearance of the GRUB rescue prompt... but it was a lot of trial and error.
I'd say the description for the signed package needs to say
a) what modules aren't included vs. unsigned
b) that having this installed knocks out unsigned by default if you
didn't specify --no-uefi-secure-boot with grub-install
It would have saved me a lot of time :)