2026-01-12 Multi-signed shim

multi-signed shim test day


Date	2026-01-12 to 2026-01-16
Time	all week

Website	QA/Test Days
Matrix	#test-day:fedoraproject.org^{(other clients\|?)}
Mailing list	test

Can't make the date?
If you come to this page after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?[edit]

This Test Day will focus on booting shims that are signed by different Microsoft certificates.

UEFI Secure Boot is a chain of trust that originates in firmware, goes through the boot loaders, and to the kernel and kernel modules, ensuring that only signed, trusted components are loaded and malicious code is not executed. It is realized using asymmetric cryptography such that private keys are used to sign executable programs and public certificates are used to verify proper signatures. Microsoft acts as the Signing Authority, signing a primitive boot loader, called the shim, whose purpose is to verify and load further trusted components.

In June 2026, Microsoft will no longer be signing shim with the 2011 key, which is the key they have always used. As a result, firmware is being updated to also include the new 2023 certificate, and shim is currently being signed with both the 2011 and the 2023 keys.

The point of the test days is to find out how various hardware and firmware will deal with a shim that is signed with multiple signatures in order to make this transition as smooth as possible.

Who's available[edit]

The following cast of characters will be available testing, workarounds, bug fixes, and general discussion:

Development - Peter Jones (pjones), Nicolas Frayer (@nfrayer:fedora.im), Marta Lewandowska (@marta-lewandowska:matrix.org)
Quality - Lukáš Růžička (lruzicka), Kamil Paral (kparal), Adam Williamson (adamw), Petr Sklenář (psklenar), Jaroslav Groman (jgroman)

You can chat with us on Matrix. See the infobox on top of the page to learn where to join.

Prerequisite for Test Day[edit]

A virtual machine or [preferably] a bare metal machine on which you are able and willing to toggle the Secure Boot state. Secure Boot needs to be enabled for test results to be relevant. (Use a test machine if possible.)
There are two ways to test, so choose whichever one seems simplest or most comfortable.
- Fresh boot test: If you don't have fedora installed or you don't want to install additional packages, you can download these installer images, write them to a USB stick and try to boot each one:
  - signed by the 2023 key only: Fedora-Server-netinst-x86_64-43-1.6.msft2023.img
  - signed first by the 2011 and then by the 2023 key: Fedora-Server-netinst-x86_64-43-1.6.msft2011.msft2023.img
  - signed first by the 2023 and then by the 2011 key: Fedora-Server-netinst-x86_64-43-1.6.msft2023.msft2011.img
- Boot from rpm: If you have a recent fedora installed, you can install the following rpms and try to boot each of them:
  - signed by the 2023 key only: shimx64.msft2023-1-1.x86_64.rpm
  - signed first by the 2011 and then by the 2023 key: shimx64.msft2011.msft2023-1-1.x86_64.rpm
  - signed first by the 2023 and then by the 2011 key: shimx64.msft2023.msft2011-1-1.x86_64.rpm

How to test?[edit]

Visit the results page and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the ➕ (plus) button for that test case.

Please also try to experiment and explore and perform tasks not mentioned in any of the pre-defined test cases.

Test cases[edit]

Make sure you've read the prerequisites section.

There are two possible ways to test. Please choose the method that is most comfortable for you. In both cases, please make sure that Secure Boot is enabled and make sure the option Allow Microsoft 3rd Party UEFI CA is enabled if present.

Fresh boot test[edit]

Download each installation image, write it to a USB stick and try to boot your machine
- If you see the GRUB menu, the test succeeded.
- If you don't see the GRUB menu and instead see a Security Violation, the test has failed.
- Enter the results of each test on the results page.
Boot to your installed OS
- Download and run show-trusted.sh: bash show-trusted.sh
- Install lshw: sudo dnf install -y lshw
- Run sudo lshw -short
- Post the results of the above commands to pastebin with Paste Expiration set to Never. Copy the final URL to the Comments column on the results page.

Boot from rpm[edit]

Download the three rpms and install them: sudo rpm -Uvh shimx64.msft*.rpm
- They will install themselves in /boot/efi/EFI/shimx64.msft* and copy grubx64.efi and grub.cfg from /boot/efi/EFI/fedora so that the system can boot.
- EFI boot entries will also be created for them: efibootmgr, please see the screenshot below
- Set the first entry you want to test to BootNext: sudo efibootmgr -n 0003
- Reboot your machine
- When your machine comes back up, check if the correct entry actually booted: sudo efibootmgr | grep BootCurrent
  - If BootCurrent is the same as the entry you previously set to BootNext, then the test succeeded.
  - If a different entry booted instead, like your Fedora installation, then the test failed.
- Enter your results on the results page.
Boot to your installed OS
- Download and run show-trusted.sh: source show-trusted.sh
- Install lshw: sudo dnf install -y lshw
- Run sudo lshw -short
- Post the results of the above commands to pastebin with Paste Expiration set to Never. Copy the final URL to the Comments column on the results page.

Reporting bugs[edit]

All new bugs should be reported into Red Hat Bugzilla, in most cases against the shim component.

We really need bug reports!
Please note that just mentioning your problem into the comments section on the results page is not very helpful. Very often those problems only happen in specific circumstances, or with specific steps taken. We need the logs and screenshots, and we need to be able to ask you followup questions. Please file bug reports, it's much more useful than a short comment. Thank you!

When filing the bug, it's very helpful to include:

exact steps you've performed (and whether you can reproduce it again)
screenshots or videos, if applicable
system journal (log), which you can retrieve by journalctl -b > journal.txt
your system description

If you are unsure about exactly how to file the report or what other information to include, just ask us.

Please make sure to link to the bug when submitting your test result, thanks!

Test Results[edit]

Basic Tests[edit]

User	Short system description, e.g. a desktop motherboard name, or laptop manufacturer + model name	2023 only	first 2011 then 2023	first 2023 then 2011	References
Brandon Nielsen	Dell XPS 9360	pass ^[1]	pass	pass	↑ https://pastebin.com/HiVZFhS8
Brandon Nielsen	Gigabyte B550 Eagle	pass ^[1]	pass	pass	↑ https://pastebin.com/6hD79EUN
develux	TECNO MEGABOOK K16SDA (Ryzen 5 5625U model)	pass ^[1]	pass	pass ^[2]	↑ https://pastebin.com/mjr0jTMu ↑ Microsoft 2023 certificate is enrolled
Frank Liang	AWS EC2 t3.small with UEFI DB CA 2011 and 2023 enrolled	pass	pass	pass
Frank Liang	AWS EC2 t3.small with UEFI DB CA 2011 enrolled	pass ^[1] pass ^[2]	pass	pass	↑ Cannot boot, it reported "LoadImage failed: Security Policy Violation" ↑ Cannot boot, it reported "LoadImage failed: Security Policy Violation"
Frank Liang	AWS EC2 t3.small with UEFI DB CA 2023 enrolled	pass	pass	pass
Geraldo S. Simião Kutz	F43 KDE on ACER Aspire A515-45 AMD Ryzen 7 5700U with Radeon Graphics + MEDIATEK MT7921 802.11ax	pass ^[1]	pass	pass	↑ https://pastebin.com/SmaFk0HL
Insyde	Intel ADL CRB + Insyde BIOS with CA 2011	fail	pass	pass
Insyde	Intel ADL CRB + Insyde BIOS with CA 2011 and 2023	pass	pass	pass
Insyde	Intel ADL CRB + Insyde BIOS with CA 2023	pass	pass	pass
Jaroslav Groman	Beelink SER7 MiniPC (Ryzen 7 Pro, 32 GB RAM)	fail ^[1]	pass	pass ^[2]	↑ Microsoft 2023 certificate is not enrolled ↑ https://pastebin.com/c78DeRZk
Jaroslav Groman	Fujitsu D5344-Sx (Celeron J4105. 8 GB RAM)	fail ^[1]	pass	pass ^[2]	↑ Microsoft 2023 certificate is not enrolled ↑ https://pastebin.com/9abEwkc0
Jaroslav Groman	Gigabyte J3455N-D3H (Celeron J3455, 16 GB RAM)	fail ^[1]	pass	pass ^[2]	↑ Microsoft 2023 certificate is not enrolled ↑ https://pastebin.com/cdjT8YsB
Jaroslav Groman	Lenovo Thinkpad P16v Gen 1	pass	pass	pass ^[1]	↑ https://pastebin.com/jzqgPhar
Kamil Páral	Gigabyte X870 AORUS ELITE WIFI7	pass ^[1]	pass	pass	↑ https://pastebin.com/raw/KBFhjwsv
Kamil Páral	Lenovo Thinkpad P1 Gen3	fail ^[1]	pass ^[2]	pass	↑ flashes black and returns to the boot menu, no error, but doesn't boot ↑ https://pastebin.com/raw/hwpWL2yu
Kamil Páral	Lenovo Thinkpad P1 Gen4	pass ^[1]	pass	pass	↑ https://pastebin.com/raw/nkBPLrTF
Kamil Páral	Lenovo Thinkpad T14 Gen5	pass ^[1]	pass	pass	↑ https://pastebin.com/raw/i115wuig
Leo Sandoval	ThinkPad Lenovo P16s Gen1 - CPU 12th Gen Intel Core i7-1260p - SB on	pass	pass	pass
Marta Lewandowska	Dell PowerEdge R640	fail ^[1]	pass ^[2]	pass ^[3]	↑ Microsoft 2023 certificate not enrolled ↑ https://pastebin.com/RRfsZdG2 ↑ BIOS Version: 2.16.1
Marta Lewandowska	Dell PowerEdge R7425	pass	pass ^[1]	pass ^[2]	↑ https://pastebin.com/cu7Tf3fi ↑ BIOS Version: 1.24.0
Marta Lewandowska	HP ml150gen9	fail ^[1]	pass ^[2]	pass ^[3]	↑ Microsoft 2023 certificate not enrolled ↑ https://pastebin.com/rEk8fMRN ↑ BIOS Version: P95 v3.40 (08/29/2024)
Marta Lewandowska	HPE DL120 gen10	fail ^[1]	pass ^[2]	pass ^[3]	↑ Microsoft 2023 certificate not enrolled ↑ https://pastebin.com/0J6uZTfB ↑ BIOS U36 v1.42 (06/20/2018)
Marta Lewandowska	HPE ProLiant BL460c Gen9	fail ^[1]	pass ^[2]	pass ^[3]	↑ Microsoft 2023 certificate not enrolled ↑ https://pastebin.com/w3PipEuD ↑ BIOS I36 v3.40 (08/29/2024)
Marta Lewandowska	HPE Proliant BL660Gen9	fail ^[1]	pass ^[2]	pass ^[3]	↑ Microsoft 2023 certificate not enrolled ↑ https://pastebin.com/wGki4CrX ↑ BIOS Version: I38 v3.30 (09/21/2023)
Marta Lewandowska	HPE ProLiant DL20 Gen9	fail ^[1]	pass ^[2]	pass ^[3]	↑ Microsoft 2023 certificate not enrolled ↑ https://pastebin.com/rM75YQ0U ↑ BIOS Version: U22 v3.00 (04/01/2021)
Marta Lewandowska	HPE TM200, Kaby Lake	fail ^[1]	pass ^[2]	pass ^[3]	↑ Microsoft 2023 certificate not enrolled ↑ https://pastebin.com/q9Za7qae ↑ BIOS Version: U26 v2.66 (07/19/2019)
Marta Lewandowska	Intel Whitley, Wilson City 2S, Ice Lake (ICX), D1, QS, 36c, 2.40Ghz	fail ^[1]	pass ^[2]	pass ^[3]	↑ Microsoft 2023 certificate not enrolled ↑ https://pastebin.com/RMTzXLT0 ↑ BIOS WLYDCRB1.SYS.0020.P21.2012150710 12/15/2020
Nicolas Frayer	Dell XPS 15 9570	pass ^[1]	pass	pass ^[2]	↑ Had to enroll MSFT 2023 CA ↑ https://pastebin.com/raw/b8AKz1m2
Nicolas Frayer	Dell XPS 8910	pass ^[1]	pass	pass	↑ https://pastebin.com/raw/1xxnredR
Nicolas Frayer	Lenovo ThinkPad P1 Gen 3	pass ^[1]	pass	pass	↑ https://pastebin.com/raw/4G7TzHj3
Nicolas Frayer	PRIME H310M-A R2.0	pass ^[1]	pass	pass ^[2]	↑ Had to enroll MSFT 2023 CA ↑ https://pastebin.com/raw/Tte0Zk2h
Nie Lili	ThinkPad P1 Gen 7	pass ^[1]	pass	pass	↑ https://pastebin.com/jRCJk8ag
Nie Lili	ThinkPad T14s Gen 2i	pass ^[1]	pass	pass	↑ https://pastebin.com/2ExnVzTQ
Nie Lili	ThinkPad T490s	fail ^[1]	pass ^[2]	pass	↑ flashes black and returns to the boot menu, no error, but doesn't boot ↑ https://pastebin.com/edXjb4js
norbertj	Lenovo Ideapad V110-15ISK	pass ^[1]	pass	pass	↑ https://pastebin.com/0UhHSM1y
norbertj	MoBo Asus Prime B450M-A	pass ^[1]	pass	pass	↑ https://pastebin.com/JWLzuAna
Peter Jones	ASUS Prime TRX40-PRO no 2023 cert	fail	pass	pass
Peter Jones	Dell Inc. XPS 13 9320	pass	pass	pass
Peter Jones	Dell Inc. XPS 13 9380	pass	pass	pass
Peter Jones	Dell Inc. XPS 13 9380 no 2023 cert	fail	pass	pass
Petr Janda	Lenovo T430s	fail ^[1]	fail	fail	↑ Does not load firmware menu when USB with installer image is connected, UEFI BIOS version G7ET29WW(1.11), UEFI BIOS date 2012-05-24, I'm not going to fill any bugs as the harware is not in a good shape so it can be a different issue.
Petr Janda	T14s gen1	fail ^[1]	pass	pass	↑ No error message, but returns to the boot menu (boot drive selection) MS2023 not enroled https://pastebin.com/Kuuchhig
Petr Sklenar	Lenovo X1 Carbon	pass	pass	pass
Petr Sklenar	thinkpad P16V GEN1	fail ^[1]			↑ there is at screen: "Secure Boot violation-----" Invalid signature detected, https://pastebin.com/cbxkdk4w ; tried today (Jan 15 2026) img file
Rob Kraker	Dell Optiplex XE2 i5-4570S 16GB DDR3 Fedora 43 Workstation GNOME	pass ^[1]	pass	pass	↑ https://pastebin.com/DHcHsgKX
Sherif Nagy	Dell Inc. XPS 15 9510	pass ^[1]	pass	pass	↑ https://pastebin.com/Sv3nbFsw
Sherif Nagy	Penguin Computing Relion XE2112GT GPU	fail ^[1]	pass	pass	↑ https://pastebin.com/trxeAbrN

[1] ttps://pastebin.com/HiVZFhS8

[2] ttps://pastebin.com/6hD79EUN

[3] ttps://pastebin.com/mjr0jTMu

[4] Microsoft 2023 certificate is enrolled

[5] Cannot boot, it reported "LoadImage failed: Security Policy Violation"

[6] Cannot boot, it reported "LoadImage failed: Security Policy Violation"

[7] ttps://pastebin.com/SmaFk0HL

[8] Microsoft 2023 certificate is not enrolled

[9] ttps://pastebin.com/c78DeRZk

[10] Microsoft 2023 certificate is not enrolled

[11] ttps://pastebin.com/9abEwkc0

[12] Microsoft 2023 certificate is not enrolled

[13] ttps://pastebin.com/cdjT8YsB

[14] ttps://pastebin.com/jzqgPhar

[15] ttps://pastebin.com/raw/KBFhjwsv

[1]

[1]

[1]

[2]

[1]

[2]

[1]

[1]

[2]

[1]

[2]

[1]

[2]

[1]

[1]

[1]

[2]

[1]

[1]

[1]

[2]

[3]

[1]

[2]

[1]

[2]

[3]

[1]

[2]

[3]

[1]

[2]

[3]

[1]

[2]

[3]

[1]

[2]

[3]

[1]

[2]

[3]

[1]

[2]

[3]

[1]

[2]

[1]

[1]

[1]

[2]

[1]

[1]

[1]

[2]

[1]

[1]

[1]

[1]

[1]

[1]

[1]

[1]

Search

Test Day:2026-01-12 Multi-signed shim

Contents