Package: shim-signed
Version: 1.47+15.8-1
Severity: wishlist

In #1138983 we have a report of a system which won't boot a dual-signed shim. While waiting on the result of more testing there to confirm if it's dual-signing that's the problem, thinking out loud...

We now have code in the shim-signed preinst to detect whether a particular shim is likely to be supported on a given system. Could we re-use/extend the logic here?

 * As well as the multi-signed shim, include all the individually-signed shims too in the package. Maybe in a separate "fallback" subdirectory?
 * If a system is on a known-bad list for multi-signing, check to see if it will work with one of the fallback shims instead of the main multi-signed.
 * If we think that should work, install that shim instead with some packaging logic. (The RedHat folks are also doing something like this with extra tooling.)
 * If not, fail loudly.

That's the extent of my thoughts about this so far; I'm not proposing to actually do any work on this unless we get a reasonably large number of systems reported that might make this worthwhile.

-- System Information:
Debian Release: 13.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.90+deb13-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii  grub-efi-amd64-bin         2.12-9+deb13u2
ii  grub2-common               2.12-9+deb13u2
ii  shim-helpers-amd64-signed  1+15.8+1
ii  shim-signed-common         1.47+15.8-1

shim-signed recommends no packages.

shim-signed suggests no packages.

-- debconf information excluded

