
Currently I am using Ubuntu 24.04, but I am also wondering if the same could be applied to 22.04.

On my machine I have a Secure Boot certificate that is invalid after Oct. 19, 2026. From my research I've found that this should be automatically updated with the shim-signed package, and that running sudo apt full-upgrade should take care of this issue.

Sadly, none of the above seems to work on my computers, since shim-signed is already at the latest version.

I understand that it is a while until the certificate is invalid and that the machine will keep booting after the certificate is expired until the kernel or grub is updated, but since my newly installed machines come with the newer certificates I feel like there should be a way to update my older machines as well. And not updating is sort of like gambling that I will receive an update before Oct. 19.

sudo fwupdmgr update does not update the certificates either.

The commands that I'm using to check which certificates are installed are mokutil --db and mokutil --kek.

  • It's more likely the certs will be updated closer to October. The certificate is a Canonical/Ubuntu issued cert for the signatures and is only available from Canonical, so they have to update the package and certs. (Right now most people on the Ubuntu/Canonical side are focused on the development of 26.04, which releases in about a month.) Commented Mar 19 at 14:53
  • @user68186 true, but this is pure speculation, so I can't use it as an answer as I'm not part of the teams involved in handling shim-signed. Commented Mar 19 at 15:45

1 Answer


Not sure what you researched (providing a link is always helpful), but shim never updated the standard Secure Boot variables. It only ever supported managing its own custom variables (like MokList) and never did it automatically - any change required user confirmation.

KEK must be signed by PK, and PK is normally owned by the system's vendor (e.g. on my Lenovo it comes from Lenovo). Which means that only the system (hardware) vendor can provide a binary payload for a KEK update. The LVFS database does provide KEK updates signed by various vendors, but AFAIU they are supported starting with fwupdmgr version 2.0.10. So, my Ubuntu 24.04 installation does not show or offer these updates. Normally, they are distributed by vendors as part of BIOS/system firmware updates.

db must be signed by either PK or KEK. As long as you have the Microsoft KEK you can install db updates, which are also available via fwupdmgr. Again, you need a recent enough version. None of my Ubuntu 24.04/22.04 installations (physical or VM) offers these updates. The 25.10 VM successfully installed the updated Microsoft CA.

Devices that have been updated successfully:
 * UEFI CA (2011 -> 2023)
 * UEFI dbx (20230501 -> 20250902)

Again, they are normally distributed as part of BIOS updates.

So, if your system is still supported by your vendor you should check for BIOS updates, which will likely contain updated certificates. If your system is too old, you can still install the updated db provided by Microsoft. These files are signed by the current KEK. The same site also offers KEK updates signed by various vendors. The problem is, if your system is no longer supported it may also have too old a PK for which no updates exist. Updating using files from this site is not difficult but requires some experience, so consider simply booting a live Ubuntu 25.10 and using fwupdmgr to update the UEFI db.

Finally, you may be interested in this blog post by Matthew Garrett, which talks in depth about the impact of the Microsoft certificate expirations. It may be less scary than you think :)
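The question checks the installed certificates with mokutil --db and mokutil --kek, and the answer's advice boils down to two checks: which entries expire soon, and whether the 2023 Microsoft CA is already present. Here is an added example (not code from the question, the answer, or any Ubuntu tool) that parses the openssl-style text mokutil prints and answers both. The sample dump embedded in it is constructed for offline use and modelled on mokutil's layout; the subject names of the 2023 CAs it looks for are assumed and should be checked against the names in your own output.

```python
"""Report expiring Secure Boot db/KEK certificates from mokutil output.

Added example for this thread, not code from the question or answer. It
parses the `openssl x509 -text`-style dump that `mokutil --db` and
`mokutil --kek` print, relying on the fact that each entry's "Validity"
block (Not After) comes before its "Subject:" line.
"""
import re
import shutil
import subprocess
from datetime import datetime, timezone

# Constructed sample in mokutil's layout (fingerprints and most X.509 fields
# dropped; the CNs and dates are illustrative, not captured from a machine).
SAMPLE_DB = """\
[key 1]
Certificate:
    Data:
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Validity
            Not Before: Jun 27 21:22:45 2011 GMT
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 2]
Certificate:
    Data:
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Validity
            Not Before: Oct 19 18:41:42 2011 GMT
            Not After : Oct 19 18:51:42 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
[key 3]
Certificate:
    Data:
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Validity
            Not Before: Apr 12 11:12:51 2012 GMT
            Not After : Apr 11 11:12:51 2042 GMT
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
"""

# Assumed subject names of the 2023 Microsoft CAs; verify against your own
# mokutil output or the KEK/db files Microsoft publishes before relying on them.
EXPECTED_2023 = {
    "db": ["Microsoft UEFI CA 2023"],
    "kek": ["Microsoft Corporation KEK 2K CA 2023"],
}

# Anything expiring before this date is flagged (end of 2026, per the question).
DEFAULT_CUTOFF = datetime(2026, 12, 31, tzinfo=timezone.utc)

_NOT_AFTER = re.compile(r"Not After\s*:\s*(.+?)\s*$")
_SUBJECT_CN = re.compile(r"^\s*Subject:.*?\bCN=([^,\n]+)")


def parse_mokutil(text):
    """Return [{"cn": str, "not_after": aware datetime}] for each entry."""
    certs, not_after = [], None
    for line in text.splitlines():
        m = _NOT_AFTER.search(line)
        if m:
            stamp = re.sub(r"\s+", " ", m.group(1)).replace(" GMT", "")
            not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            continue
        m = _SUBJECT_CN.match(line)
        if m and not_after is not None:
            certs.append({"cn": m.group(1).strip(), "not_after": not_after})
            not_after = None  # consumed; next Subject needs its own Validity
    return certs


def expiring_before(certs, cutoff=DEFAULT_CUTOFF):
    """CNs whose Not After is earlier than cutoff."""
    return [c["cn"] for c in certs if c["not_after"] < cutoff]


def missing_expected(certs, expected):
    """Expected CNs that do not appear in the parsed entries."""
    present = {c["cn"] for c in certs}
    return [cn for cn in expected if cn not in present]


def read_variable(which):
    """Run `mokutil --db` or `mokutil --kek` if mokutil is installed, else None."""
    if shutil.which("mokutil") is None:
        return None
    out = subprocess.run(["mokutil", f"--{which}"], capture_output=True, text=True)
    return out.stdout if out.returncode == 0 and out.stdout.strip() else None


def report(which, text, cutoff=DEFAULT_CUTOFF):
    """Summarise one variable: entry count, expiring CNs, missing 2023 CAs."""
    certs = parse_mokutil(text)
    return {
        "count": len(certs),
        "expiring": expiring_before(certs, cutoff),
        "missing_2023": missing_expected(certs, EXPECTED_2023[which]),
    }


if __name__ == "__main__":
    for which in ("db", "kek"):
        text = read_variable(which)
        if text is None and which == "db":
            text = SAMPLE_DB  # no mokutil here: fall back to the constructed sample
        if text is None:
            continue
        print(which, report(which, text))
```

On a machine that still carries only the 2011 CAs the db report lists both Microsoft 2011 certificates under "expiring" and "Microsoft UEFI CA 2023" under "missing_2023"; after a successful fwupdmgr or BIOS update the latter list should be empty.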
