tronde
(Jörg)
February 18, 2026, 5:09pm
1
Dear Community,
I found the discussion regarding Test Day: Multi-signed shims and the wiki page Test Day:2026-01-12 Multi-signed shim. On the latter, this sentence caught my eye:
…shim is currently being signed with both the 2011 and the 2023 keys.
This is contrary to my knowledge that Microsoft would return two shim binaries for a signing request. One signed with the 2011 and one signed with the 2023 key. See slide 12 of this presentation. Now I’m a little confused and do not know whether Microsoft has reconsidered their decision from October 2025.
Can someone confirm that Microsoft returns one multi-signed shim binary instead of two as stated in the referenced presentation?
Best regards,
Tronde
glb
(Gregory Lee Bartholomew)
February 18, 2026, 7:05pm
2
I’m not sure if this is conclusive, but it looks like it is signed by both keys:
$ wget https://pjones.fedorapeople.org/secureboot.test0.2025/Fedora-Server-netinst-x86_64-43-1.6.msft2011.msft2023.img
Saving 'Fedora-Server-netinst-x86_64-43-1.6.msft2011.msft2023.img'
HTTP response 200 OK [https://pjones.fedorapeople.org/secureboot.test0.2025/Fedora-Server-netinst-x86_64-43-1.6.msft2011.msft2023.img]
Fedora-Server-netins 100% [==================================================================================================================================================================>] 5.78M 6.40MB/s
[Files: 1 Bytes: 5.78M [3.92MB/s] Redirects: 0 Todo: 0 Errors: 0 ]
$ sgdisk -p Fedora-Server-netinst-x86_64-43-1.6.msft2011.msft2023.img
Disk Fedora-Server-netinst-x86_64-43-1.6.msft2011.msft2023.img: 34816 sectors, 17.0 MiB
Sector size (logical): 512 bytes
Disk identifier (GUID): DFE85AE1-7252-4607-BB12-317E3A8A40A6
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 34782
Partitions will be aligned on 2048-sector boundaries
Total free space is 6077 sectors (3.0 MiB)
Number Start (sector) End (sector) Size Code Name
1 2048 30719 14.0 MiB 8300 fat32
$ sudo mount -o ro,loop,offset=$((2048*512)) Fedora-Server-netinst-x86_64-43-1.6.msft2011.msft2023.img /mnt
$ find /mnt
/mnt
/mnt/EFI
/mnt/EFI/BOOT
/mnt/EFI/BOOT/fonts
/mnt/EFI/BOOT/fonts/unicode.pf2
/mnt/EFI/BOOT/BOOT.conf
/mnt/EFI/BOOT/BOOTIA32.EFI
/mnt/EFI/BOOT/BOOTX64.EFI
/mnt/EFI/BOOT/grub.cfg
/mnt/EFI/BOOT/grubia32.efi
/mnt/EFI/BOOT/grubx64.efi
/mnt/EFI/BOOT/mmia32.efi
/mnt/EFI/BOOT/mmx64.efi
$ sbverify --list /mnt/EFI/BOOT/BOOTX64.EFI
warning: data remaining[908000 vs 1036008]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
signature 2
image signature issuers:
- /C=US/O=Microsoft Corporation/CN=Microsoft UEFI CA 2023
image signature certificates:
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft UEFI CA 2023 signer
issuer: /C=US/O=Microsoft Corporation/CN=Microsoft UEFI CA 2023
- subject: /C=US/O=Microsoft Corporation/CN=Microsoft UEFI CA 2023
issuer: /C=US/O=Microsoft Corporation/CN=Microsoft RSA Devices Root CA 2021
$
1 Like
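An added example, not part of the original posts and not Fedora or shim tooling: a Python version of the `sbverify --list` check above for hosts without sbsigntools. It walks the PE certificate table, where each signature is stored as its own WIN_CERTIFICATE entry, and looks for the two issuer names from the output above. `build_sample` and the byte strings fed to it are constructed test data, and the name match is a byte search, not chain validation.

```python
import struct

# Issuer CNs exactly as sbverify prints them in the post above.
CA_NAMES = {"2011": b"Microsoft Corporation UEFI CA 2011",
            "2023": b"Microsoft UEFI CA 2023"}

def pkcs7_blobs(pe: bytes) -> list:
    """Return the payload of every PKCS#7 WIN_CERTIFICATE entry in a PE image."""
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)  # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
    if count < 5:
        return []  # image has no certificate-table slot
    # Directory 4 = certificate table; its "address" is a file offset, not an RVA.
    start, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if start + size > len(pe):
        raise ValueError("certificate table runs past end of file")
    blobs, pos, end = [], start, start + size
    while pos + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        if ctype == 0x0002:  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            blobs.append(pe[pos + 8:pos + length])
        pos += (length + 7) & ~7  # entries are 8-byte aligned
    return blobs

def ca_years(pe: bytes) -> list:
    """Per signature: CA names found in the blob (byte match, no chain validation)."""
    return [{y for y, cn in CA_NAMES.items() if cn in b} for b in pkcs7_blobs(pe)]

def build_sample(blobs: list) -> bytes:
    """Constructed test input: bare PE32+ headers followed by a certificate table."""
    table = b""
    for b in blobs:
        e = struct.pack("<IHH", 8 + len(b), 0x0200, 2) + b
        table += e + b"\0" * (-len(e) % 8)
    hdr = bytearray(0x40 + 24 + 112 + 16 * 8)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    struct.pack_into("<H", hdr, 0x40 + 24, 0x20B)      # PE32+ magic
    struct.pack_into("<I", hdr, 0x40 + 24 + 108, 16)   # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x40 + 24 + 144, len(hdr), len(table))
    return bytes(hdr) + table
```

On the mounted image from the post, the call would be `ca_years(open("/mnt/EFI/BOOT/BOOTX64.EFI", "rb").read())`; a multi-signed shim yields two entries, one naming each CA.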