Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:shim-signed
User: [email protected]
Usertags: pu

Hey folks,
 
As mentioned in #1131862...
 
We've had new signed shim binaries back from Microsoft for some
time. I've been waiting on the fix for #1137247 (hang/crash
chainloading Windows from grub) in case that might have been a shim bug,
but it's now been fixed in grub and we're good.
 
So, it's time to get a new shim-signed package into bookworm, for the
last point release. I've backported the logic from 1.51 in unstable:
 
  * Add support for verifying and then combining signatures from
    multiple signed shims.
    + Existing sbverify versions in Debian are buggy when verifying.
    + Switch to using a python script verify_combine_sigs to fill in
      the gaps.
  * In preinst, try to verify that the signed shim we're trying to
    install will actually boot on this system - let's not break
    systems on upgrade.
 
and imported the signed shim binaries which resulted from the bookworm
shim update in #1131862.
 
We need this new signed shim to allow bookworm to install and run on
newer systems which may ship with *only* the new 2023 UEFI CA included
in firmware.
 
See https://wiki.debian.org/SecureBoot/CAChanges for more background.