Hi,
I'm running fwupd in Trixie and expecting to get CA updates for the
machine it's running on. Unfortunately, it's not working. I've run
"fwupdtool refresh" and "fwupdtool get-updates" multiple times and
it's not happening. The latest output on this Thinkpad s
# fwupdtool get-updates
...
Devices with no available firmware updates:
• KEK CA
• KEK CA
• SBAT
• THNSF5256GPUK TOSHIBA
• ThinkPad Product CA
• UEFI CA
• UEFI CA
• UEFI dbx
• Windows Production PCA
Devices with the latest available firmware version:
• Embedded Controller
• Intel Management Engine
• System Firmware
No updates available for remaining devices
It doesn't have the 2023 CAs installed in DB:
# mokutil --db | grep Subject:.*Microsoft
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
------
On another similar Thinkpad running the backport version
2.0.20-1~bpo13+1, things worked flawlessly and I'm currently looking
at:
# fwupdtool get-updates
...
Devices with no available firmware updates:
• KEK CA
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• Integrated Camera
• KEK CA
• Option ROM UEFI CA
• Prometheus (IOTA Config)
• SBAT
• ThinkPad Product CA
• UEFI CA
• WD BLACK SN850X 1000GB
• Windows Production PCA
Devices with the latest available firmware version:
• Embedded Controller
• Intel Management Engine
• System Firmware
• Prometheus
• UEFI CA
• UEFI dbx
No updates available for remaining devices
This machine updated fine on a previous run and has the latest keys in
DB:
# mokutil --db | grep Subject:.*Microsoft
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
Although even here it's not picking up on the latest Windows CA that
I'd expect:
Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
We believe that the bug you reported is fixed in the latest version of
fwupd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138871@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mario Limonciello <superm1@debian.org> (supplier of updated fwupd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 25 Jun 2026 23:38:59 -0500
Source: fwupd
Built-For-Profiles: derivative.ubuntu noudeb
Architecture: source
Version: 2.0.20-1~deb13u1
Distribution: stable-updates
Urgency: medium
Maintainer: Debian EFI <debian-efi@lists.debian.org>
Changed-By: Mario Limonciello <superm1@debian.org>
Closes: 1138871
Changes:
fwupd (2.0.20-1~deb13u1) stable-updates; urgency=medium
.
* Release to stable updates to enable updating UEFI CA. (Closes: #1138871)
* Note: Fix deploying the thunderbolt controller on the X280 is now part of
the upstream release and the patch is dropped.
Checksums-Sha1:
2dca260ca5a4c14892796c07fcd1c680f4380a70 3539 fwupd_2.0.20-1~deb13u1.dsc
3e88ecd53bd333683a16df189b27a5ba18ed8389 29152 fwupd_2.0.20-1~deb13u1.debian.tar.xz
9609c01f8d81313b3e2dd91add3d90bb23e5eecf 17774 fwupd_2.0.20-1~deb13u1_source.buildinfo
Checksums-Sha256:
b70f58d2b40cf2330be6fe22e0ea7f5cab2afaba0c207618dc341d8b1ce88df2 3539 fwupd_2.0.20-1~deb13u1.dsc
ce95da58d060727c897f2c0425b9fa4f5c558cd17490f11e3138f81df8b308c6 29152 fwupd_2.0.20-1~deb13u1.debian.tar.xz
f634837a4914aa95dc4c03d8b44023f68c1e3f11d6de923fda9c7e1b7264bb6b 17774 fwupd_2.0.20-1~deb13u1_source.buildinfo
Files:
932b6d69c56e6ad1a104a3c18c015abc 3539 admin optional fwupd_2.0.20-1~deb13u1.dsc
443067c8151950ebd756e5d937d3044a 29152 admin optional fwupd_2.0.20-1~deb13u1.debian.tar.xz
2b9f0f44bef6b05ff2ac7dee68b5bbce 17774 admin optional fwupd_2.0.20-1~deb13u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJHBAEBCgAxFiEECwtuSU6dXvs5GA2aLRkspiR3AnYFAmo+AosTHHN1cGVybTFA
ZGViaWFuLm9yZwAKCRAtGSymJHcCdlcVD/492GM1zvRIQVjkSMrKr0vYLB4QlnGN
YmdGPkhANyLC1Me4zloCfQEH0eG05PcAl2//cWy/sR9ay1HteeKl9XIvk2j4Hydh
ID19qvS6enC+2lVjTce6/a34niOabVuWhQFWSLY0b5GjQEjvHKWc6+dLns00Yblp
w+aqJE8mMDJdn21qkIL/M6nG1x2Y5CrpBVTDeEiHnkQfcWrW5W36YdgIG3xyDdgt
vv/yzRr4tVzqBL4YqqgDLM99Mb/jgW/ZPhbochTrsdgE/EQjYLn7VPjWWB4LYcRe
xlNzbuZxng6x8OyPwc+TRhie3dtF+Y5bcMQbL/q6ECkzC+Zb2O9dPltvqMXhYcT6
/2jXqzD5jp72Gt5RErCEgouMgMY0Fn6EnXwfcQn3IxwdjwMkttBnqZNESRw9rR9F
lxzQJVfbqnbTngL1cBwJ1c+b4E8zurEsTUOgxzdDOapb6w8qQnHeT1S/J5B1s88d
OT6mrTExTFCu8iF0TJvXrpSZcmKM6XN7caWF2/CCB4agzQJyycBluU+Bkrrc/Wgi
OBBr/WnTN64T9CoYM0MhMU7huPvax2Qu6z6XDcwm8FTIIysSomRvdburUuY33OrJ
Ke9JNuNXrWukFlTp4U7ofFNdYXKh0wEsBg2IDwJcQZEW5oJE0MP2UOZ99PtnEo+h
Xop9xDzWhUFAuQ==
=AGSp
-----END PGP SIGNATURE-----