Fabre

#1140761 bookworm-pu: package shim-signed/1.51~1+deb12u1 #1140761

Package:: release.debian.org

Source:: release.debian.org

Submitter:: Steve McIntyre

Date:: 2026-06-26 20:53:03 UTC

Severity:: normal

Tags:

#1140761#5

Date:: 2026-06-25 23:14:14 UTC

From:

To:

Hey folks,

As mentioned in #1131862...

We've had new signed shim binaries back from Microsoft for some
time. I've been waiting on the fix for #1137247 (hang/crash
chainloading Windows from grub) in case that might have been shim bug,
but it's now been fixed in grub and we're good.

So, it's time to get a new shim-signed package into bookworm, for the
last point release. I've backported the logic from 1.51 in unstable:

  * Add support for verifying and then combining signatures from
    multiple signed shims.
    + Existing sbverify versions in Debian are buggy when verifying.
    + Switch to using a python script verify_combine_sigs to fill in
      the gaps.
  * In preinst, try to verify that the signed shim we're trying to
    install will actually boot on this system - let's not break
    systems on upgrade.

and imported the signed shim binaries which resulted from the bookworm
shim update in #1131862.

We need this new signed shim to allowe bookworm to install and run on
newer systems which may ship with *only* the new 2023 UEFI CA included
in firmware.

See https://wiki.debian.org/SecureBoot/CAChanges for more background.
.

#1140761#12

Date:: 2026-06-26 20:51:11 UTC

From:

To:

package release.debian.org
tags 1140761 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: shim-signed
Version: 1.51~1+deb12u1

Explanation: ensure Secure Boot compatibility with 2023 Microsoft UEFI CA; check for likely boot issues before installation; combine and verify multiple shim signatures; update signed shim binaries

#1140761#17

Date:: 2026-06-26 20:51:11 UTC

From:

To:

package release.debian.org
tags 1140761 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: shim-signed
Version: 1.51~1+deb12u1

Explanation: ensure Secure Boot compatibility with 2023 Microsoft UEFI CA; check for likely boot issues before installation; combine and verify multiple shim signatures; update signed shim binaries

#1140761 bookworm-pu: package shim-signed/1.51~1+deb12u1 #1140761

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)