I’m sure it’s nothing, but this is just a little sus
I think Rufus is giving this warning because the Secure Boot shim on the F42 ISOs is signed with the “old” Microsoft signing key (albeit the key is valid until June 2026).
I can’t find this absolutely explicitly stated by Rufus - I’m inferring it from the response to this GitHub issue, and this FAQ item.
I’m not sure whether the F43 ISOs are signed with the same key. From the first linked thread, any shim signed after Sep 2025 will use the new key, but not sure if we have a new shim for F43.
1 Like
Yeah sounds plausible, just wanted to make sure I didn’t accidentally download some malware or the Fedora mirror is compromised. I did downloaded it multiple times to make sure and… yeah, it’s the same error every time
1 Like
Follow the steps at Fedora keeps you safe | The Fedora Project to make sure
3 Likes
Wasn’t there a peculiarity in the bootloader distributed with the f42 Workstation ISO? I seem to remember that it was adding UEFI bootloader targets without indicating it was doing that to users. Is it possible that this is what is triggering the message?
Yes:
I don’t think this is related, because Rufus seems to fire this warning even on Windows bootloaders signed with the older key, A good test though would be to try it with a Fedora 41 ISO (which would use the older key but doesn’t have the “self-repair” “feature” that causes that issue in F42).
1 Like
There are currently no Fedora shims signed by the new MS signing key. In fact, the shim provided by Fedora 42 is the same as is the one provided by Fedora 43. It is not even re-compiled because if the shim is re-compiled it needs to be sent to Microsoft to be signed.
1 Like