- Package: release.debian.org
- Source: release.debian.org
- Submitter: Steve McIntyre
- Date: 2026-05-15 10:43:01 UTC
- Severity: normal
- Tags:
This is a new upstream version of shim, built for bookworm. This includes some SBAT-based revocations, plus a range of security updates from upstream. We also want to get a new shim built and signed by Microsoft using both the old and new UEFI CA root keys, to extend our Secure Boot support to cover both older and newer machines. The old CA root expires in June, but Microsoft have said they will happily continue to sign with that up until the end of its life.

As always with shim, I've reviewed every upstream code change. I'm *not* including a full debdiff as we've moved three upstream releases from 15.8 to 16.1 here. The changes are not minimal, but in the case of shim we need to be as close to upstream as possible for the sake of getting stuff reviewed and signed. We have no local patches. There are some trivial changes to packaging.

I've tested locally using CI and also by hand on various machines and all looks good here. Obviously, once this is accepted and autobuilt I'll need to submit things for review and signing elsewhere. Then we'll want shim-signed updating too. Please give me the go-ahead and I'll upload the new source.
Hey folks, Following up on both bugs... I know I've not given you much to go on here - is there anything I can do to help you more? I'm hoping to get the reviews for these builds pushed into Microsoft shortly, for which I need these to be accepted for *-pu building at least. Is that OK? Cheers, Steve
Control: tags -1 + confirmed

Personally I've been struggling with time for p-u stuff for a long while now, and when I do have time it tends to be batched. 30 hours is really not very long before chasing. (I might have got to it a little sooner, but I've not long got back from a $dayjob on-site maintenance. Most requests are probably not going to be able to rely on getting a response within a day though, I'm afraid.) Please go ahead. Regards, Adam
Hi! Again, following up on both bugs for a different reason. I've ended up uploading versions of shim for bookworm and trixie with slightly different versions to match up with the latest version I've uploaded in unstable. I'm not seeing any sign of builds happening in either case, so I guess I need to ask for an update to allow that? Pretty please! :-)

I now have:

- shim/16.1-2~deb13u1 in trixie (#1131861)
- shim/16.1-2~deb12u1 in bookworm (#1131862)

Cheers, Steve
Builds won't start until the sources are accepted, after which they will be
automatically added to {,oldstable-}proposed-updates and roll out to users
of those suites.
If I understand right, that will break secure boot for grub for those users
because of the change of sbat level? Therefore should we get grub2
accepted and built first? Where will updating shim leave users while we
await shim-signed?
The change of SBAT will not take effect until we have those signed shims for people to install, in fact. So we'll need to make sure that the new shim-signed and signed grub packages hit bookworm together, that's all. Trixie already contains updated grub packages so it will be ok. But before we get there, I need to get build logs and binaries for these unsigned shims - we need that for the review process. So if you could accept these sources that would be appreciated. :-)
package release.debian.org
tags 1131862 = bookworm pending
thanks

Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution!

Upload details
==============

- Package: shim
- Version: 16.1-2~deb12u1
- Explanation: new upstream release; build with default gcc; set SBAT revocation level to 2025021800
Hey folks, Update for reference... ... We submitted the new shims for review and signing in the last couple of weeks. Review is going very well, as expected. But there are problems with the process of submitting to Microsoft. I'm chasing contacts there to help, and I'll keep you updated.
We're making progress, but it's slow. The SPI account for shim signing is undergoing renewed vetting now, but despite me pushing people and saying this is urgent it's taking time. I'm really not expecting to have signed shims back in time for the next point release. I'll update again as and when I have more to share.
After a lot of chasing, we've managed to upload things *now*. Hoping that we should get fast turnaround, let's see. If so, I'll be asking for new shim-signed packages to go in as well of course. Pushing it on time, I know... :-/
We finally received the signed shims on Wednesday 13th. I'm working on prepping the matching shim-signed updates now so we'll have things ready for the next point release - obviously we're way too late for this weekend.