Your PC's 2013 Secure Boot Certificate Just Expired — Debian 13.6 Ships the Fix

On July 11, 2026, the Debian project released Debian 13.6, the sixth point update to its current stable release "Trixie." It bundles 244 package fixes and over 120 security updates — but the headline item goes well beyond a routine maintenance release: a critical patch for an industry-wide Secure Boot crisis that has been building since the original certificates were issued 13 years ago.

The Problem: A 2013 Certificate Has Expired

UEFI Secure Boot is the mechanism that prevents a PC from booting tampered or unauthorized operating systems. At its core, it depends on a chain of digital certificates. The foundation of that chain — the 2013 UEFI Secure Boot Certificate Authority — shipped on virtually every PC sold over the past decade, and it's what gets used to verify the bootloaders of Linux distributions, Windows, and other operating systems.

That root certificate has now expired.

On its own, expiry doesn't immediately break anything — existing installations continue to boot normally. The danger is forward-looking: firmware updates that include revocation (DBX) database changes could leave systems unable to boot with Secure Boot enabled if the CA isn't updated at the same time. Systems that haven't migrated to the new certificate chain could also reject new shim builds after a future OS update, potentially locking users out.

What Debian 13.6 Ships to Fix It

Debian 13.6 addresses the problem through two targeted updates. First, fwupd has been bumped to version 2.0.20, which gains the ability to push updates to the Secure Boot Certificate Authority (CA), Key Exchange Key (KEK), and Forbidden Signatures Database (DBX) — the three databases that govern what a UEFI system will and won't boot. Second, shim and shim-signed have been updated for compatibility with the 2023 Microsoft UEFI CA and the new SBAT revocation requirements that accompany the transition.

Debian's release announcement strongly advises users to apply CA, KEK, and DBX updates from their system OEM after upgrading. The updates are being distributed through normal firmware update channels — fwupd's expanded capabilities make this process accessible for the first time on most hardware.

This Affects Every Linux Distribution

The Secure Boot CA expiry is a cross-distribution, cross-platform issue. Ubuntu, Fedora, Arch, openSUSE, and every other distribution that ships signed bootloaders traces back to the same 2013 root CA. The coordinated industry response has been in motion for months, with Microsoft, Canonical, Red Hat, and the Linux Foundation all working on the transition. Debian 13.6 is one of the clearest concrete examples of a major distribution shipping a packaged fix that users can actually apply.

If you're running any Linux distribution and haven't checked your Secure Boot certificate status recently, now is the time to look. The problem won't crash your machine today, but the window for an easy, graceful migration is narrowing as OEM firmware updates begin rolling out the new CA requirements in earnest.

Beyond the Secure Boot story, Debian 13.6 also brings updated Trixie live images with RAM sandboxing improvements, a GeoIP database rollback that resolves location detection regressions introduced in 13.5, and the steady accumulation of upstream bugfixes that keep Trixie on solid footing. For a point release, it's unusually consequential.