It's dead, Jim – the old Microsoft UEFI CA from 2011 expired yesterday


Steve's blog


Saturday, 27 June 2026

It's dead, Jim!

I previously wrote about the upcoming UEFI CA rollover. Well, it's happened now - the old Microsoft UEFI CA from 2011 expired yesterday:

Third Party Marketplace Root (used for signing option ROMs and other software)

Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Validity
    Not Before: Jun 27 21:22:45 2011 GMT
    Not After : Jun 27 21:32:45 2026 GMT

It's dead - it's not coming back...

The world doesn't seem to have ended yesterday, so I guess we did ok? :-)

How did we do?

After a lot of prodding behind the scenes, Debian and many other distributions managed to get new shim binaries dual-signed with both the old and new CAs. The members of the shim-review team did a sterling job with reviews in the last few weeks. Since I started pushing people in May, we've had 21 reviews accepted successfully - see here for the list. Great stuff! Microsoft have also been working quickly - many of those shim submissions were accepted and signed by Microsoft very quickly too, with a turnaround time of less than 1 day in some cases.

Not all of those signed shims have been published and used by the distros involved yet, but expect to see them in the wild in the coming weeks and months.

These binaries should be good for people to use for the foreseeable future, until either we need to do another CA rollover or (sadly, more likely) we find an issue in shim that necessitates a new release.

What's next?

We already have one of our new dual-signed shim binaries in place in Debian, in unstable and testing (Forky) right now. In a couple of weeks from now, we'll be rolling out very similar new dual-signed shim binaries in the next point releases for Debian 12 (bookworm) and Debian 13 (trixie). We'll also be upgrading fwupd in both those point releases, to make DB and KEK updates work better.

For more information about these updates, see https://wiki.debian.org/SecureBoot/CAChanges. For your own safety, validate that your systems are updated when possible. If you don't, they may fail to boot in future.
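One concrete way to do that validation on a Linux machine is to look at what is actually enrolled in the Secure Boot db variable, since a shim signed by the new CA only boots if that CA (or a hash of the shim) is in db. The script below is an added example, not code from the post or from Debian; it parses the EFI_SIGNATURE_LIST chain that db, dbx and KEK contain and prints the type, owner GUID and SHA-256 fingerprint of each entry, which you can then compare against the fingerprint of the CA you expect. The efivars path and the GUIDs come from the UEFI specification and efivarfs; the owner GUID and "certificate" bytes in the embedded sample are constructed placeholders so the script runs offline.

```python
"""Inspect what a UEFI Secure Boot signature database (db, dbx or KEK) holds.

Added example, not code from the original post. It walks the chain of
EFI_SIGNATURE_LIST structures that such a variable contains and reports the
type, owner GUID and fingerprint of every enrolled entry, so you can check
whether a CA update has actually landed on a machine.
"""
import hashlib
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# On Linux, efivarfs exposes each variable with a 4-byte attribute word in front.
DB_PATH = Path(f"/sys/firmware/efi/efivars/db-{EFI_IMAGE_SECURITY_DATABASE_GUID}")
SIGLIST_HEADER = 16 + 4 + 4 + 4  # SignatureType, ListSize, HeaderSize, SignatureSize


def parse_signature_lists(blob, efivars_prefix=True):
    """Yield (type_name, owner_guid, data) for every entry in every list.

    Every size field is bounds-checked before use, so a corrupted or
    truncated variable raises ValueError instead of being misread.
    """
    if efivars_prefix:
        blob = blob[4:]
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HEADER + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:  # every EFI_SIGNATURE_DATA starts with a 16-byte owner GUID
            raise ValueError("bad SignatureSize")
        body = blob[off + SIGLIST_HEADER + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a whole number of signatures")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            owner = uuid.UUID(bytes_le=entry[:16])
            yield SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner, entry[16:]
        off += list_size


def fingerprint(data):
    """SHA-256 of a DER certificate, for comparison with a published fingerprint."""
    return hashlib.sha256(data).hexdigest()


def summarize(blob, efivars_prefix=True):
    """Return one dict per enrolled entry: certificates fingerprinted, hashes verbatim."""
    rows = []
    for type_name, owner, data in parse_signature_lists(blob, efivars_prefix):
        value = fingerprint(data) if type_name == "x509" else data.hex()
        rows.append({"type": type_name, "owner": str(owner), "size": len(data), "value": value})
    return rows


def is_wellformed(blob, efivars_prefix=True):
    """True if the whole variable parses as a valid chain of signature lists."""
    try:
        list(parse_signature_lists(blob, efivars_prefix))
        return True
    except ValueError:
        return False


def build_signature_list(sig_type, owner, entries):
    """Encode one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    if len({len(e) for e in entries}) != 1:
        raise ValueError("all entries in one list must be the same size")
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HEADER + len(body), 0, sig_size) + body


# Constructed sample: a fake attribute word, two placeholder "certificates" and one
# hash entry. A real db holds DER certificates, not these placeholder bytes.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed owner GUID
SAMPLE_CERT_A = b"placeholder-cert-A"
SAMPLE_CERT_B = b"placeholder-cert-B"
SAMPLE_HASH = bytes.fromhex("ab" * 32)
SAMPLE_DB = (
    b"\x27\x00\x00\x00"  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT_A, SAMPLE_CERT_B])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [SAMPLE_HASH])
)

if __name__ == "__main__":
    # Read the live db when it exists (usually needs root), else use the sample.
    blob = DB_PATH.read_bytes() if DB_PATH.exists() else SAMPLE_DB
    for row in summarize(blob):
        print(f"{row['type']:7} owner={row['owner']} size={row['size']:5} {row['value']}")
```

Run it as root on a UEFI machine to list what db currently trusts; the same parser works on KEK and dbx by changing the variable name in the path. If the fingerprint of the new CA is absent after the fwupd-driven DB update, the machine will not boot anything signed only by that CA, which is exactly the failure the wiki page warns about.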


debian microsoft shim signed uefi steve
