1 This directory contains known public keys for Linux distributions and from
2 other parties that sign boot loaders and kernels that should be verifiable
3 by shim. I'm providing these keys as a convenience to enable easy
4 installation of keys should you replace your distribution's version of shim
5 with another one and therefore require adding its public key as a machine
8 Files come with three extensions. A filename ending in .crt is a
9 certificate file that can be used by sbverify to verify the authenticity of
12 $ sbverify --cert keys/refind.crt refind/refind_x64.efi
14 The .cer and .der filename extensions are equivalent, and are public key
15 files similar to .crt files, but in a different form. The MokManager
16 utility expects its input public keys in this form, so these are the files
17 you would use to add a key to the MOK list maintained by MokManager and
20 The files in this directory are, in alphabetical order:
22 - altlinux.cer -- The public key for ALT Linux (http://www.altlinux.com).
23 Taken from the alt-uefi-certs package
24 (http://www.sisyphus.ru/br/srpm/Sisyphus/alt-uefi-certs/spec).
26 - canonical-uefi-ca.crt & canonical-uefi-ca.der -- Canonical's public key,
27 matched to the one used to sign Ubuntu boot loaders and kernels.
29 - centos.crt & centos.cer -- Public keys used to sign CentOS binaries, taken
30 from shim-signed-0.9-2.el7.src.rpm. Note that the binary's centos.crt file
31 was actually in .cer format, and has been renamed appropriately. The
32 centos.crt file included here is transformed from the original file by
33 openssl. Tested booting CentOS 7.
35 - fedora-ca.cer & fedora-ca.crt -- Fedora's public key, matched to the one
36 used used to sign Fedora's shim 0.8 binary.
38 - microsoft-kekca-public.der -- Microsoft's key exchange key (KEK), which
39 is present on most UEFI systems with Secure Boot. The purpose of
40 Microsoft's KEK is to enable Microsoft tools to update Secure Boot
41 variables. There is no reason to add it to your MOK list.
43 - microsoft-pca-public.der -- A Microsoft public key, matched to the one
44 used to sign Microsoft's own boot loader. You might include this key in
45 your MOK list if you replace the keys that came with your computer with
46 your own key but still want to boot Windows. There's no reason to add it
47 to your MOK list if your computer came this key pre-installed and you did
48 not replace the default keys.
50 - microsoft-uefica-public.der -- A Microsoft public key, matched to the one
51 Microsoft uses to sign third-party applications and drivers. If you
52 remove your default keys, adding this one to your MOK list will enable
53 you to launch third-party boot loaders and other tools signed by
54 Microsoft. There's no reason to add it to your MOK list if your computer
55 came this key pre-installed and you did not replace the default keys.
57 - openSUSE-UEFI-CA-Certificate.cer, openSUSE-UEFI-CA-Certificate.crt,
58 openSUSE-UEFI-CA-Certificate-4096.cer, &
59 openSUSE-UEFI-CA-Certificate-4096.crt -- Public keys matched to the ones
60 used to sign OpenSUSE; taken from openSUSE's shim 0.7.318.81ee56d
63 - refind.cer & refind.crt -- My own (Roderick W. Smith's) public key,
64 matched to the one used to sign refind_x64.efi and the 64-bit rEFInd
67 - SLES-UEFI-CA-Certificate.cer & SLES-UEFI-CA-Certificate.crt -- The Public
68 key for SUSE Linux Enterprise Server; taken from openSUSE's shim
69 0.7.318.81ee56d package.
71 The refind.cer and refind.crt files are my creations and are distributed
72 under the terms of the BSD 2-clause license. The rest of the files are
73 distributed on the assumption that doing so constitutes fair use. Certainly
74 they're all easily obtained on the Internet from other sources.