Hi Andre,

On Fri, Jul 05, 2024 at 06:57:33PM +0200, Andre Gompel wrote:

Problem with Debian debian-live-12.6.0-amd64-mate.iso

Hello:
the ISO file is not signed to boot with UEFI Secure Boot Enabled.
Would you� consider only putting in download UEFI signed iso files ?
I can boot Fedora & OpenSuse, butnot this Debian� I do need a Debian (or >derived) distro
I can't disable the Secure Boot in the BIOS (miss password)
Thanks for the attention !

That image is definitely built with UEFI SB stuff included, I've just double-checked. What error(s) are you seeing?

--
Steve McIntyre, Cambridge, UK. [email protected]
Getting a SCSI chain working is perfectly simple if you remember that there
must be exactly three terminations: one on one end of the cable, one on the
far end, and the goat, terminated over the SCSI chain with a silver-handled
knife whilst burning *black* candles. --- Anthony DeBoer

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

[ Please respond to the list too, so other people can see and take
part in the conversation too. You're unfortunately using gmail,
which makes it much harder to use mailing lists sensibly. :-( ]

On Sun, Jul 07, 2024 at 12:47:28PM +0200, Andre Gompel wrote:

"That image is definitely built with UEFI SB stuff included, I've just >double-checked. What error(s) are you seeing?"

thanks for the quick reply.
The answer is the typical message "Verifying SBAT shim failed, etc...."
Let me add that with the very same hardware, and software (sha256sum >validation, and very reliable Fedora media writer), everything works fine with >two other distros Fedora, and the latest Open Suse Leap, both shim-EFI signed. >I also can normally use the very same USB thumb drive, on my other system with >Secureboot disabled.
So there is definitely no doubt that there is something wrong with the way the >ISO is EFI-shim signed. (debugging this is not so easy!)

No, I know 100% there is no problem with the image at all.

Secure Boot is not a static thing where boot files are signed once and
work forever. To keep up to date and secure, SB binaries are revoked
from time to time to disable loading of older software with known
security holes. These revocations are stored in the EFI variable space
on each machine supporting Secure Boot, and will persist there. This
can cause boot media to stop working, with symptoms very like what you
have seen here.

What exact OSes have you booted on this hardware in the last 6 months
or so? It's likely that one of those has revoked older versions of
shim.

We have a newer version of the shim-signed package coming soon, most
likely in the 12.7 point reelease.

I am not exactly a distro hopper, I just need Debian (I used in the past) >because of some SW with Debian packages and support only (the Google Flutter >Framework)
I also have used Linux since the time of LILO etc....
----
I reiterate here, I cannot disable the Secure Boot (I don't have the BIOS >password).

Then that is going to be a real problem for you, I'm afraid. If you
can't access the BIOS config, you are not in control fof your system. :-(

--
Steve McIntyre, Cambridge, UK. [email protected] "I suspect most samba developers are already technically insane... Of
course, since many of them are Australians, you can't tell." -- Linus Torvalds

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)