Arch Linux User Repository

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.

shimx64.efi is signed with Microsoft key, they also have a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key.

shimx64.efi can launch any EFI binary signed with Microsoft keys.

More information is available on the wiki: Secure Boot#shim.

fbx64.efi scan the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.

Alternative signed shim sources:

• Debian shim: https://tracker.debian.org/pkg/shim-signed
• Fedora shim: https://koji.fedoraproject.org/koji/packageinfo?packageID=14502

Apparently Fedora now updated it's certificate in their shim package, according to previously mentioned bug report: https://bugzilla.redhat.com/show_bug.cgi?id=2198977 It is also a newer version (15.8)

Using Debian's shim would require adding an epoch to the PKGBUILD. :(

If anyone wants to try, here's an untested diff (without the epoch):

diff --git a/PKGBUILD b/PKGBUILD
index e7fa104647005d6d752191f627ea13da9168cb1b..fdac313830baef1be4a7dab0482e89e3be93339a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,25 +1,50 @@
 # Maintainer: nl6720 <nl6720@archlinux.org>

 pkgname='shim-signed'
-pkgver='15.7+ubuntu+1.56'
+pkgver='15.7+debian+1.40'
 pkgrel='1'
-pkgdesc='Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 binaries from Ubuntu)'
-url='https://packages.ubuntu.com/noble/shim-signed'
+pkgdesc='Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64, IA32 and AA64 binaries from Debian)'
+url='https://tracker.debian.org/pkg/shim-signed'
 arch=('any')
 license=('BSD')
 options=('!strip')
 install="${pkgname}.install"
-source=("http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_amd64.deb")
-sha256sums=('b2d84b300e68ac2139afee3f9a609857ef80f12eed9218087ced4b31ecb7fd76')
-sha512sums=('43ee11ec0ed04f224fb7452b2baaca45882a719063879f423c4118b6b99e99fd3fb20fa1a7de02af7b885f4d5c5e86e9868fb41557e74c52fbf04e3988199bd6')
+source=("http://deb.debian.org/debian/pool/main/s/shim-signed/shim-signed_${pkgver##*+debian+}.tar.xz"
+        "http://ftp.debian.org/debian/pool/main/s/shim-helpers-amd64-signed/shim-helpers-amd64-signed_1+${pkgver%%+debian+*}+1_amd64.deb"
+        "http://ftp.debian.org/debian/pool/main/s/shim-helpers-i386-signed/shim-helpers-i386-signed_1+${pkgver%%+debian+*}+1_i386.deb"
+        "http://ftp.debian.org/debian/pool/main/s/shim-helpers-arm64-signed/shim-helpers-arm64-signed_1+${pkgver%%+debian+*}+1_arm64.deb")
+noextract=("shim-helpers-amd64-signed_1+${pkgver%%+debian+*}+1_amd64.deb"
+           "shim-helpers-i386-signed_1+${pkgver%%+debian+*}+1_i386.deb"
+           "shim-helpers-arm64-signed_1+${pkgver%%+debian+*}+1_arm64.deb")
+md5sums=('1dcbbb922e650db660c773227cbe9eeb'
+         '5fc737504651ec2d22cd0e425546b6b1'
+         'a2b4ddc85455662c76f59ba6487c13ef'
+         '0fb529c47fcc7cca9c675a771a4717cd')
+sha256sums=('4b2672a177acc5a7e1a8a1d88e118d07918dce51aa60ae26a99edce4f48e9ca5'
+            '81218cec1bacf045a30c8215e92c433b53bc51f9be9010baba4ffd71093437f3'
+            'd22b5b9db03ce3e52404dc4afa2a61398bfe4e3b18d292ae8f2461c2176fa9e0'
+            '84374882eccc15a10418fbc31d15f7f74cc9619089847d4d145ba562281e02dd')
+sha512sums=('f3eab6fbb65cd55b894917f8b09abd4ed326a96f6d8d14793c79a4a5586797c82671e9023043227a586c444ba8a83ec412370965e43ca165b5a2f900890a9e99'
+            'e0e075d746b24b240042d59a0f0db2155d3f1f1ff729d63a12b2852a1b54ee1e557f00d8f80a3f075e4786c1e6e752748d266a20fce0c9bd1f2bef47697e2e01'
+            '88ade890592e3725f42e220925a2c9485df6625f3af311d9c2c2ae58c7c6d37cc8efe051dcf87e6ecf8f083422cfeeb2e1c76045ded67f87b053bddc151f9028'
+            'a03f88589455b4b61489107ef7f64adb4099772fade3632376668e392018be79089a064de2c57fd0bad0dafc73c25a10c7ed5608dc36c25194290d0b188d872a')

 prepare() {
+   local debfile
+
    cd "$srcdir"
-   bsdtar -xf data.tar.xz
+   for debfile in ${noextract[@]}; do
+       bsdtar -xOf "$debfile" data.tar.xz | bsdtar -x usr/lib/shim/
+   done
 }

 package() {
-   install -Dm0644 "${srcdir}/usr/lib/shim/shimx64.efi.signed.latest" "${pkgdir}/usr/share/${pkgname}/shimx64.efi"
-   install -Dm0644 "${srcdir}/usr/lib/shim/"{mm,fb}x64.efi "${pkgdir}/usr/share/${pkgname}/"
-   install -Dm0644 "${srcdir}/usr/share/doc/shim-signed/copyright" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+   local uefiarch
+
+   for uefiarch in x64 ia32 aa64; do
+       install -Dm0644 "${srcdir}/shim-signed.git/shim${uefiarch}.efi.signed" "${pkgdir}/usr/share/${pkgname}/shim${uefiarch}.efi"
+       install -Dm0644 "${srcdir}/usr/lib/shim/mm${uefiarch}.efi.signed" "${pkgdir}/usr/share/${pkgname}/mm${uefiarch}.efi"
+       install -Dm0644 "${srcdir}/usr/lib/shim/fb${uefiarch}.efi.signed" "${pkgdir}/usr/share/${pkgname}/fb${uefiarch}.efi"
+   done
+   install -Dm0644 "${srcdir}/shim-signed.git/debian/copyright" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
 }

Great update :)

I may also suggest in the future using the Debian package, as they support also x86_32 and ARM64: https://tracker.debian.org/pkg/shim-signed

Otherwise, you can ping this comment and people will know they can fetch the stuff from the Debian binary :)

Ubuntus shim appears to be signed right now until 2042, can we use that for now? They also appear to be still updating it.

There's a Fedora bug for the expired certificate: https://bugzilla.redhat.com/show_bug.cgi?id=2198977

Reading an unrelated bug, it doesn't appear like Fedora (or anyone else?) will release a new signed shim anytime soon.

I am not sure if this should go here or to fedoras page, but currently when I try to boot the os from the grub menu I receive the error "bad shim signature". Running mokutil --list-enrolled shows that the fedora signature expired on Dec 5 2022.

Edit: This is a grub issue https://bbs.archlinux.org/viewtopic.php?id=286617

Please do not flag the package out-of-date if there is no updated Fedora package available.

How hard would it be to provide a grub-signed package alongside this? The instructions in the wiki to use grub no longer work, it seems it's necessary to use grub-mkimage instead of grub-install but I'm not sure how to do this, for now I just used a copy of fedora's signed grub but it would be better to have a package for this

It seems to me that it's a bad idea to include fbx64.efi in the package, especially when bootx64.csv is not included, since shim will appear to fail with no reason if a user copied fbx64.efi to the ESP as well (by doing something like cp /usr/share/shim-signed/*x64.efi $esp/EFI/BOOT/; ...; mv|cp $esp/EFI/BOOT/{shim,boot}x64.efi).

I suppose it will fail too if shimx64.efi is renamed (instead of copied) to bootx64.efi even if bootx64.csv is included. So it probably is still bad unless it ships also bootx64.efi (a dup of shimx64.efi).

Added a note on the wiki page already though.