Postinst installs unsigned (unbootable) efi on secure boot systems

Package: systemd-boot

Version: 252.12-1~deb12u1

When updating systemd-boot on a system with secure-boot
enabled, the postinst calls `bootctl update –graceful` which
installs an unsigned efi. This will overwrite an existing efi
with correct signature and cause the system to not boot
anymore, because of a security violation.

The postinst should either read a config file, so users can disable
this behavior or only update the efi when it has the correct
signature.

Read more here: Source link