Postinst installs unsigned (unbootable) efi on secure boot systems
Package: systemd-boot
Version: 252.12-1~deb12u1
When updating systemd-boot on a system with secure-boot
enabled, the postinst calls `bootctl update --graceful` which
installs an unsigned efi. This will overwrite an existing efi
with correct signature and cause the system to not boot
anymore, because of a security violation.
The postinst should either read a config file so users can disable
this behavior, or only update the efi when it has the correct
signature.
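A sketch of the second option from the report, as an added example that is not part of the report or of the package's postinst: refuse to install a loader with no signature attached when Secure Boot is on. All function names are hypothetical, the PE image is constructed for the demo, and the check only detects that an Authenticode blob is present; it does not verify it against the firmware's keys.

```python
import struct

CERT_TABLE_INDEX = 4  # PE data directory slot for the Certificate Table

def has_authenticode_signature(image: bytes) -> bool:
    """True if the PE Certificate Table entry is non-empty (presence only, no trust check)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt = pe_off + 4 + 20  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x20B:    # PE32+ (x64, aarch64)
        count_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:  # PE32 (ia32)
        count_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic")
    (count,) = struct.unpack_from("<I", image, count_off)
    if count <= CERT_TABLE_INDEX:
        return False
    offset, size = struct.unpack_from("<II", image, dirs_off + 8 * CERT_TABLE_INDEX)
    return offset != 0 and size != 0 and offset + size <= len(image)

def secure_boot_enabled(efivar: bytes) -> bool:
    """Raw content of the SecureBoot efivars file: 4 attribute bytes, then 1 value byte."""
    return len(efivar) >= 5 and efivar[4] == 1

def should_install(image: bytes, efivar: bytes) -> bool:
    """Policy from the report: no unsigned loader replaces the ESP copy under Secure Boot."""
    return not secure_boot_enabled(efivar) or has_authenticode_signature(image)

def make_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    if signed:  # certificate blob placed right after the 328-byte header
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, 328, 8)
    image = dos + b"PE\0\0" + b"\0" * 20 + bytes(opt)
    return image + (b"\0" * 8 if signed else b"")

if __name__ == "__main__":
    sb_on = b"\x06\0\0\0\x01"  # constructed efivar content: Secure Boot enabled
    for signed in (True, False):
        print("signed" if signed else "unsigned", "->", should_install(make_pe(signed), sb_on))
```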