#1131862 bookworm-pu: package shim/16.1-1~deb12u1

#1131862#5
Date: 2026-03-25 14:57:42 UTC
This is a new upstream version of shim, built for bookworm. This
includes some SBAT-based revocations, plus a range of security updates
from upstream.

We also want to get a new shim built and signed by Microsoft using
both the old and new UEFI CA root keys, to extend our Secure Boot
support to cover both older and newer machines. The old CA root
expires in June, but Microsoft have said they will happily continue to
sign with that up until the end of its life.

As always with shim, I've reviewed every upstream code change.

I'm *not* including a full debdiff as we've moved three upstream
releases from 15.8 to 16.1 here. The changes are not minimal, but in
the case of shim we need to be as close to upstream as possible for
the sake of getting stuff reviewed and signed. We have no local
patches. There are some trivial changes to packaging.

I've tested locally using CI and also by hand on various machines and
all looks good here.

Obviously, once this is accepted and autobuilt I'll need to submit
things for review and signing elsewhere. Then we'll want
shim-signed updating too.

Please give me the go-ahead and I'll upload the new source.

#1131862#12
Date: 2026-03-26 20:21:27 UTC
Hey folks,

Following up on both bugs...

I know I've not given you much to go on here - is there anything I can
do to help you more?

I'm hoping to get the reviews for these builds pushed into Microsoft
shortly, for which I need these to be accepted for *-pu building at
least. Is that OK?

Cheers,

Steve

#1131862#17
Date: 2026-03-27 00:21:58 UTC
Control: tags -1 + confirmed

Personally I've been struggling with time for p-u stuff for a long
while now, and when I do have time it tends to be batched. 30 hours is
really not very long before chasing.

(I might have got to it a little sooner, but I've not long got back
from a $dayjob on-site maintenance. Most requests are probably not
going to be able to rely on getting a response within a day though, I'm
afraid.)

Please go ahead.

Regards,

Adam

#1131862#24
Date: 2026-04-05 20:47:45 UTC
Hi!

Again, following up on both bugs for a different reason.

I've ended up uploading versions of shim for bookworm and trixie with
slightly different versions to match up with the latest version I've
uploaded in unstable.

I'm not seeing any sign of builds happening in either case, so I guess
I need to ask for an update to allow that? Pretty please! :-)

I now have:

shim/16.1-2~deb13u1 in trixie (#1131861)
shim/16.1-2~deb12u1 in bookworm (#1131862)

Cheers,

Steve

#1131862#29
Date: 2026-04-06 15:00:23 UTC
Builds won't start until the sources are accepted, after which they will be
automatically added to {,oldstable-}proposed-updates and roll out to users
of those suites.

If I understand right, that will break secure boot for grub for those users
because of the change of sbat level? Therefore should we get grub2
accepted and built first? Where will updating shim leave users while we
await shim-signed?

#1131862#34
Date: 2026-04-06 15:17:23 UTC
The change of SBAT will not take effect until we have those signed
shims for people to install, in fact. So we'll need to make sure that
the new shim-signed and signed grub packages hit bookworm together,
that's all. Trixie already contains updated grub packages so it will
be ok.

But before we get there, I need to get build logs and binaries for
these unsigned shims - we need that for the review process. So if you
could accept these sources that would be appreciated. :-)
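The ordering concern in the two messages above, as an added example that is not part of this thread or of shim's own source: a Python model of the SBAT generation check shim performs before loading a binary such as grub, showing why a raised revocation level refuses an older grub build and why the matching grub must land alongside it. The SbatLevel and .sbat formats follow the SBAT spec; the generation numbers and grub versions in the sample data are constructed, not Debian's real values.

```python
"""Model of shim's SBAT generation check: whether a signed binary (such as
grub) may still be loaded once shim's revocation policy is raised.
Added example, not shim's own code. Formats follow the SBAT spec: the policy
(shim's SbatLevel variable) is CSV lines "component,generation", the first
being "sbat,1,<date>"; a binary's .sbat section is CSV lines
"component,generation,vendor,package,version,url". Sample data is constructed."""
from typing import Dict, List, Tuple


def parse_policy(text: str) -> Tuple[str, Dict[str, int]]:
    """Return (policy date stamp, {component: minimum allowed generation})."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    if header[0] != "sbat" or len(header) < 3:
        raise ValueError("policy must start with an 'sbat,1,<date>' line")
    minimums: Dict[str, int] = {}
    for line in lines:  # the header line also sets the 'sbat' generation
        component, generation = line.split(",")[:2]
        minimums[component] = int(generation)
    return header[2], minimums


def parse_sbat_section(text: str) -> Dict[str, int]:
    """Return {component: generation} declared in a binary's .sbat section."""
    declared: Dict[str, int] = {}
    for line in text.splitlines():
        if line.strip():
            component, generation = line.split(",")[:2]
            declared[component] = int(generation)
    return declared


def sbat_verify(policy: str, section: str) -> List[str]:
    """Components that make shim refuse the binary: any component it declares
    with a generation below the policy minimum. Components the policy does
    not list are unrestricted, so an empty list means the binary loads."""
    _, minimums = parse_policy(policy)
    declared = parse_sbat_section(section)
    return [c for c, g in declared.items() if c in minimums and g < minimums[c]]


# Constructed sample data: a raised policy, an old grub build and a new one.
NEW_POLICY = "sbat,1,2025021800\nshim,4\ngrub,6\n"
SBAT_HDR = "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
OLD_GRUB = SBAT_HDR + "grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
NEW_GRUB = SBAT_HDR + "grub,6,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/\n"

if __name__ == "__main__":
    print("old grub blocked by:", sbat_verify(NEW_POLICY, OLD_GRUB))
    print("new grub blocked by:", sbat_verify(NEW_POLICY, NEW_GRUB))
```

Running it shows the old grub build refused on the `grub` component while the new one passes, which is exactly why the signed shim and the signed grub need to reach bookworm together.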

#1131862#39
Date: 2026-04-06 20:16:07 UTC
package release.debian.org
tags 1131862 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: shim
Version: 16.1-2~deb12u1

Explanation: new upstream release; build with default gcc; set SBAT revocation level to 2025021800

#1131862#49
Date: 2026-04-17 10:41:39 UTC
Hey folks,

Update for reference...

...

We submitted the new shims for review and signing in the last couple
of weeks. Review is going very well, as expected. But there are
problems with the process of submitting to Microsoft. I'm chasing
contacts there to help, and I'll keep you updated.

#1131862#54
Date: 2026-04-30 19:57:10 UTC
We're making progress, but it's slow. The SPI account for shim signing
is undergoing renewed vetting now, but despite me pushing people and
saying this is urgent it's taking time. I'm really not expecting to
have signed shims back in time for the next point release.

I'll update again as and when I have more to share.

#1131862#59
Date: 2026-05-06 17:36:16 UTC
After a lot of chasing, we've managed to upload things *now*. Hoping
that we should get fast turnaround, let's see.

If so, I'll be asking for new shim-signed packages to go in as well of
course. Pushing it on time, I know... :-/

#1131862#64
Date: 2026-05-15 10:41:50 UTC
We finally received the signed shims on Wednesday 13th. I'm working on
prepping the matching shim-signed updates now so we'll have things
ready for the next point release - obviously we're way too late for
this weekend.