Linux Distributions’ UEFI Secure Boot Certificate Expires

The developers of Fedora Linux have provided more details regarding the expiration of the Microsoft certificate used to sign the shim layer for UEFI Secure Boot. The certificate is set to expire at the end of June, but users should not notice any immediate impact: the expiration only prevents new signatures from being created with the certificate. UEFI Secure Boot does not check certificate expiration dates at boot time; only certificates that have been explicitly revoked are rejected.

Even if users do not update the shim layer, existing systems will continue to boot until the certificate’s public key is removed from the firmware or added to the UEFI certificate revocation list. The Microsoft certificate is used to verify the shim boot layer, which in turn verifies the subsequent bootable components: the GRUB2 boot loader, the Linux kernel, kernel modules, and boot components like fwupd. This setup lets Microsoft certify changes to the shim layer while the distribution independently signs and verifies the rest of its boot process.

The Microsoft certificate used to certify third-party firmware for UEFI Secure Boot has been in use since 2011 and was replaced by a new certificate in 2023, which started being used for signatures from October 2025. An updated shim has been added to the Fedora Rawhide repository and forms the basis for the upcoming Fedora 45 release. This new shim is signed with multiple keys to ensure compatibility with different hardware configurations.

While the expiration of the Microsoft certificate should not affect running systems, Fedora developers recommend keeping Secure Boot keys up to date by updating firmware when updates are available. Users can check whether the system booted in UEFI Secure Boot mode with the command "mokutil --sb-state" and list the public keys present in the firmware with "mokutil --db --short". To view the keys used to sign the shim layer, users can run "sudo pesign -S -i /boot/efi/EFI/fedora/shimx64.efi" after installing the pesign package. Additionally, users can check for firmware updates and install them with "sudo fwupdmgr update".
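The checks above, tied together as an added example that is not from the Fedora announcement or the shim project: the parsing functions take the text the commands print, so they can be exercised offline, and the certificate subject names, the sample inputs and the audit_system wrapper are assumptions of this example.

```shell
# Added example (not from the Fedora announcement): check a machine against the
# Microsoft UEFI CA rollover. Parsers take command text so they run offline;
# only audit_system() invokes the real mokutil/pesign commands.

# Subject CNs of the two Microsoft third-party UEFI CAs (assumed strings).
OLD_CA="Microsoft Corporation UEFI CA 2011"
NEW_CA="Microsoft UEFI CA 2023"

# Normalise "mokutil --sb-state" output to on / off / unknown.
sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo on ;;
        *"SecureBoot disabled"*) echo off ;;
        *)                       echo unknown ;;
    esac
}

# Classify a cert listing ("mokutil --db" / "pesign -S" text) by the CAs named.
ca_presence() {
    old=no; new=no
    case "$1" in *"$OLD_CA"*) old=yes ;; esac
    case "$1" in *"$NEW_CA"*) new=yes ;; esac
    if [ "$old" = yes ] && [ "$new" = yes ]; then echo both
    elif [ "$new" = yes ]; then echo 2023-only
    elif [ "$old" = yes ]; then echo 2011-only
    else echo none; fi
}

# The shim boots only if a CA that signed it ($2) is also in the firmware db ($1).
boot_compatible() {
    for ca in "$OLD_CA" "$NEW_CA"; do
        case "$1" in *"$ca"*)
            case "$2" in *"$ca"*) echo yes; return 0 ;; esac ;;
        esac
    done
    echo no
}

# Live audit with the article's commands; last line asks whether a future shim
# signed only by the 2023 CA would boot against this firmware's db.
audit_system() {
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil missing" >&2; return 2; }
    db=$(mokutil --db 2>/dev/null)
    shim=$(sudo pesign -S -i /boot/efi/EFI/fedora/shimx64.efi 2>/dev/null)
    echo "secure boot:          $(sb_state "$(mokutil --sb-state 2>/dev/null)")"
    echo "firmware db CAs:      $(ca_presence "$db")"
    echo "current shim boots:   $(boot_compatible "$db" "$shim")"
    echo "2023-only shim boots: $(boot_compatible "$db" "CN=$NEW_CA")"
}
```

Run audit_system on a Fedora host to see the report; a "no" on the last line means the firmware db still needs the 2023 CA before a shim signed only with that key will boot.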

The next version of the shim layer will be signed only with the new Microsoft certificate, so users will need firmware that trusts that certificate to boot it. Shim updates are released whenever vulnerabilities or critical bugs are identified, which can happen at any time; critical vulnerabilities have been found in the past, and the most recent shim security advisory was published only a few days ago.
