Linux and Secure Boot certificate expiration

A hidden Linux boot deadline has users asking: who forgot the instructions?

TLDR: A key that many Linux systems rely on for Secure Boot expires in September, which could break new installs unless computers get the newer replacement. Commenters are split between frustrated “where’s the simple guide?” complaints, distrust of Microsoft’s role, and warnings that more people should be worried.

Linux users just discovered there’s a very real calendar bomb lurking inside many computers: a Microsoft-approved signing certificate used to help Linux start on Secure Boot systems runs out in September. In plain English, many already-installed machines should keep starting fine, but new installs and recovery media could suddenly get messy unless the newer replacement key is present. And that’s where the comments section turned into a mix of panic, DIY support group, and anti-corporate roast session.

The loudest complaint was brutally simple: where are the step-by-step instructions? One commenter said every version of this story skipped the most important newbie question: how do I check if I need to do anything? Another basically rolled up with a homemade guide after testing on six Linux machines, which is peak open-source energy: “fine, I’ll write the manual myself.” Others were relieved that update tools and opt-in analytics suggest fixes are landing successfully on most systems, while also pitying the poor souls who had to chase hardware vendors on short notice.

Then came the spicy ideological fight. One angry commenter demanded to know why Microsoft is the trusted middleman at all, tossed in a “MicroSlop” jab, and questioned whether Secure Boot really improves safety. Another was stunned more people weren’t absolutely freaking out, warning that a lot of Linux machines and even virtual machines could get caught out. The vibe? Part concern, part clown-show, part community triage—with everyone agreeing on one thing: this should have come with a giant, friendly “click here to check” button.

Key Points

  • The Microsoft 2011 signing key currently used for Linux shim expires on September 11, and future installation media will need shim signed with Microsoft’s 2023 UEFI third-party key.
  • The article says certificate expiration should mainly affect booting new Linux installation media on Secure Boot systems, while existing installed systems should generally keep booting with their own distribution keys.
  • System firmware databases vary: some devices lack the new Microsoft key, some contain both old and new keys, and some may contain only the new key, creating compatibility issues.
  • Hardware vendors can provide firmware updates to add the new key, but those updates must be distributed to and installed on affected systems.
  • LVFS and newer fwupd releases are described as important tools for delivering and applying firmware updates needed to mitigate the transition.
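
The firmware-database states in the key points can be checked by parsing the UEFI `db` variable. The sketch below is an added example, not code from the article or from any project it mentions. It assumes the Linux efivarfs path for `db` and the certificate subject names "Microsoft Corporation UEFI CA 2011" and "Microsoft UEFI CA 2023", neither of which appears on this page, and it matches names by byte substring, which is a heuristic rather than full X.509 parsing.

```python
import struct, uuid

# db variable as exposed by Linux efivarfs (assumed path, not from the page).
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
OLD_CN = b"Microsoft Corporation UEFI CA 2011"  # assumed subject of the 2011 key
NEW_CN = b"Microsoft UEFI CA 2023"              # assumed subject of the 2023 key

def x509_entries(db):
    """Yield DER certificates from the EFI_SIGNATURE_LIST records in db."""
    off = 0
    while off < len(db):
        if off + 28 > len(db):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(db):
            raise ValueError("malformed EFI_SIGNATURE_LIST size")
        if sig_type == EFI_CERT_X509_GUID and sig_size > 16:
            pos = off + 28 + hdr_size
            while pos + sig_size <= off + list_size:
                yield db[pos + 16:pos + sig_size]  # drop SignatureOwner GUID
                pos += sig_size
        off += list_size

def classify(db):
    """Map a db payload onto the firmware states listed in the key points."""
    certs = list(x509_entries(db))
    old = any(OLD_CN in c for c in certs)  # heuristic: substring of the DER
    new = any(NEW_CN in c for c in certs)
    return {(True, True): "both keys", (True, False): "2011 key only",
            (False, True): "2023 key only", (False, False): "neither key"}[old, new]

def read_db(path=DB_PATH):
    """Read the live variable; efivarfs prefixes 4 bytes of attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]

def sample_list(*blobs):
    """Constructed test data: one X.509 list per blob, owner GUID zeroed."""
    out = b""
    for blob in blobs:
        entry = bytes(16) + blob
        sizes = struct.pack("<III", 28 + len(entry), 0, len(entry))
        out += EFI_CERT_X509_GUID.bytes_le + sizes + entry
    return out

if __name__ == "__main__":
    print(classify(read_db()))
```

A result of "2011 key only" corresponds to the case where a firmware update adding the new key is needed before installation media signed only with the 2023 key will boot.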

Hottest takes

"None of them include a basic ‘how do I check if I need to do anything’ guide" — laserbeam
"What is the convincing reason that MicroSlop is the trusted party" — arcza
"I’m surprised more people aren’t freaking out about this" — NelsonMinar