UEFI Secure Boot keys will expire in June 2026 which means Microsoft can no longer sign with them. Machines will continue to boot as long as the current public keys are not removed from db or revoked by dbx. Fedora Rawhide contains a dual-signed first stage boot loader.
You can think of Secure Boot as a security guard at an entrance. The security guard checks the ID badge of the software that wants in to verify it’s signed by a trusted company.
All ID badges are now being updated, the old seal of trust from 2011 will no longer be accepted and they must use the new seal from 2023.
The Security Guard will enforce this 2026-06-17.
You can think of Secure Boot as a security guard at an entrance. The security guard checks the ID badge of the software that wants in to verify it’s signed by a trusted company.
All ID badges are now being updated, the old seal of trust from 2011 will no longer be accepted and they must use the new seal from 2023.
The Security Guard will enforce this 2026-06-17.