What you need to know about the Microsoft Secure Boot certificate expiration: Don't Panic!

Article Summary:

Secure Boot root of trust certificates are expiring, new certificates are being rolled out, and dual-signed shims are already in rawhide for compatibility.

Article Description:

General and technical description of the changes to the original Microsoft Secure Boot signing certificates, which are expiring in June 2026. Machines will continue to boot. Microsoft simply can no longer sign with the same certificates.

Fedora rawhide already contains dual-signed first stage shim boot loaders, which are signed by both the old and the new keys. The firmware Secure Boot db will need updating in order to boot new shims after June.

All of this will be calmly and clearly described, including what to do and what not to do.

I have read and understand the AI-Assisted Contributions Policy


This sounds like an excellent article for Fedora Magazine. +1!

Personally, I would like to see example commands that Fedora Linux users can run to verify the status of their systems (e.g. maybe how to run sbverify --list ... to show the certs that the shim is actually signed with, etc.). Just a suggestion.

Thanks!


P.S. In case you haven’t found the documentation yet, the place to upload your article for review and publication is here.

Thank you for the link :wink:

And yes, there will be commands to show what’s enrolled, what’s signed with what, etc.