From stappers at stappers.it Wed Nov 12 20:47:19 2025
From: stappers at stappers.it (Geert Stappers)
Date: Wed, 12 Nov 2025 21:47:19 +0100
Subject: [ipxe-devel] FYI: iPXE 16.1 shim signed
In-Reply-To:
References:
Message-ID:

On Wed, Nov 12, 2025 at 02:35:15AM -0800, Michael Brown in
https://github.com/rhboot/shim-review/issues/319#issuecomment-3521239969 :
> I'm very happy to report that this submission has been signed by Microsoft. The signed binaries are available from https://github.com/ipxe/shim/releases/tag/ipxe-16.1. Here's a celebratory screenshot showing the signed shim being used to load `snponly.efi` on a VM with Secure Boot enabled and only the standard Microsoft certs installed:
>
> Image
>
> My huge thanks to everyone involved in making this happen, especially to @steve-mcintyre and @aronowski for all the assistance with the review process, and to @SochiOgbuanya for pushing through the signing policy updates within Microsoft.
>
> As per https://github.com/rhboot/shim-review/issues/319#issuecomment-1460667603 ("Other vendors should not be signing iPXE for use with their shim") and https://techcommunity.microsoft.com/blog/hardware-dev-center/updated-uefi-signing-requirements/1062916, my expectation is that no third-party vendors will be submitting an iPXE shim for signing.
>
> There will be some further internal iPXE work to design an audit and release process for our signed iPXE binaries, and to establish precisely which features will be included in the signed build. I hope to get the first public signed iPXE binaries made generally available in January. In the meantime, if anyone has an urgent commercial need for using iPXE with Secure Boot enabled, please contact me directly or via vendor-support at ipxe.org.