Releases: microsoft/secureboot_objects
v1.6.4-signed
⚠️ IMPORTANT
No major security fixes.
TLDR;
- Make2023BootableMedia.ps1 Improved and Signed!
- High Confidence Buckets added
- KEK update map fixes
- authenticode_transplant.py Updates
What's Changed
- pip: bump ruff from 0.14.14 to 0.15.0 by @dependabot[bot] in #345
- pip: bump ruff from 0.15.0 to 0.15.1 by @dependabot[bot] in #348
- Add cryptographic verification to authenticode_transplant.py by @Flickdm in #326
- pip: bump cryptography from 43.0.0 to 46.0.5 by @dependabot[bot] in #349
- Repo File Sync: CodeQL sync and update to Mu DevOps v18.0.3 by @mu-automation[bot] in #352
- pip: bump ruff from 0.15.1 to 0.15.2 by @dependabot[bot] in #351
- High Confidence Buckets - 02/25/2026 by @jgeurten in #353
- pip: bump ruff from 0.15.2 to 0.15.4 by @dependabot[bot] in #356
- pip: bump edk2-pytool-extensions from 0.30.6 to 0.30.8 by @dependabot[bot] in #357
- GitHub Action: Bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #354
- pip: bump ruff from 0.15.4 to 0.15.5 by @dependabot[bot] in #360
- Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement by @ballsop in #361
- kek update map fixes by @kraxel in #364
Full Changelog: v1.6.3-signed...v1.6.4-signed
v1.6.4
⚠️ IMPORTANT
No major security fixes.
TLDR;
- Make2023BootableMedia.ps1 Improved and Signed!
- High Confidence Buckets added
- KEK update map fixes
- authenticode_transplant.py Updates
What's Changed
- kek update map fixes @kraxel (#364)
Change Details
## Description
Update `scripts/get_auth_var_signing_certificate.py` to sort the entries.
Fix `PostSignedObjects/KEK/kek_update_map.json` data file.
Changes:
- All entries are now sorted by filename.
- Fix some paths from windows ('\') to posix ('/') directory separator.
- Remove duplicate RedHat entry.
How This Was Tested
- Inspect the file changes.
- Verify with `jq` utility that `kek_update_map.json` is valid JSON.
- Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement @ballsop (#361)
Change Details
## Description
- Add Download-Oscdimg function to download oscdimg.exe from the Microsoft public symbol server when not found locally, with architecture detection (AMD64/ARM64/x86) and user confirmation prompt. Previously downloaded copies in %TEMP% are reused automatically. Addresses #333.
- Fix path handling errors found in testing: normalize ISOPath to absolute early via ConvertTo-AbsolutePath to prevent crash when bare filenames are passed. Replace fragile Substring/LastIndexOf with Split-Path in Create-ISOMedia. Replace unsafe Substring(0,1) drive letter extraction with Split-Path -Qualifier in Initialize-StagingDirectory and Validate-Parameters. Add null/empty input guard and use TrimEnd in ConvertTo-AbsolutePath.
- Copy boot.stl from boot.wim (Windows\Boot\EFI\boot.stl) to staged media (EFI\Microsoft\Boot\boot.stl) when present and not already at destination. Recent OS servicing introduced a new dependency on boot.stl.
- Require NTFS for StagingDir and NewMediaPath since WIM mounting relies on reparse points not fully supported on ReFS.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Tested on ISO, USB, and LOCAL media creation flows on both X64 and ARM64 systems.
Integration Instructions
N/A
- High Confidence Buckets - 02/25/2026 @jgeurten (#353)
Change Details
## Description
Open-sourcing the list of buckets where Microsoft has high confidence devices successfully apply the Secure Boot DB and KEK 2023 updates.
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- [X] Includes documentation?
How This Was Tested
N/A Testing only
Integration Instructions
N/A
- Add cryptographic verification to authenticode_transplant.py @Flickdm (#326)
Change Details
This commit adds comprehensive cryptographic validation to the Authenticode signature combining tool, bringing the same verification capabilities from auth_var_tool.py to PE file signature operations.
Key changes:
- Added cryptographic signature verification using the 'cryptography' library
- Implemented SpcIndirectDataContent parsing to extract embedded PE hashes
- Added certificate extraction and display from PKCS#7 signatures
- Compute Authenticode hashes using the algorithm specified in the signature
- Verify signatures mathematically using signer's public key (RSA/ECDSA)
- Validate that computed PE hash matches the hash in SpcIndirectDataContent
New functions:
- _get_hash_algorithm_from_oid(): Maps OID strings to hash algorithms
- _extract_pe_hash_from_spc_indirect_data(): Parses SPC structure for hash
- _extract_certificates_from_pkcs7(): Extracts X.509 certificates
- _verify_pkcs7_signature(): Performs full cryptographic verification
- compute_authenticode_hash(): Flexible hash computation with configurable algorithm
Enhanced functions:
- validate_pkcs7_signatures(): Now performs cryptographic verification
- main_verify(): Displays certificate details and verification status
- main_combine(): Validates signatures cryptographically before combining
Bug fixes:
- Removed incorrect 8-byte padding from Authenticode hash calculation (padding only applies to WIN_CERTIFICATE structure alignment, not hash data)
- Consolidated duplicate hash functions into single implementation
Code improvements:
- Named constants for all magic numbers in SPC parsing
- Better documentation and inline comments
- Proper type annotations with Optional types
Testing:
- Verified against Microsoft-signed bootmgfw.efi files
- Hash computation now matches Windows AppLocker and UEFI firmware
- Both multi-signature and nested signature modes validated
- All test cases pass with cryptographic verification
Follows Microsoft Authenticode PE specification v1.1
Description
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Ran it against copies of bootmgfw.efi and hellouefi.efi that were both singly signed and
Integration Instructions
N/A
Full Changelog: v1.6.3...v1.6.4
What's Changed
- pip: bump ruff from 0.14.14 to 0.15.0 by @dependabot[bot] in #345
- pip: bump ruff from 0.15.0 to 0.15.1 by @dependabot[bot] in #348
- Add cryptographic verification to authenticode_transplant.py by @Flickdm in #326
- pip: bump cryptography from 43.0.0 to 46.0.5 by @dependabot[bot] in #349
- Repo File Sync: CodeQL sync and update to Mu DevOps v18.0.3 by @mu-automation[bot] in #352
- pip: bump ruff from 0.15.1 to 0.15.2 by @dependabot[bot] in #351
- High Confidence Buckets - 02/25/2026 by @jgeurten in #353
- pip: bump ruff from 0.15.2 to 0.15.4 by @dependabot[bot] in #356
- pip: bump edk2-pytool-extensions from 0.30.6 to 0.30.8 by @dependabot[bot] in #357
- GitHub Action: Bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #354
- pip: bump ruff from 0.15.4 to 0.15.5 by @dependabot[bot] in #360
- Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement by @ballsop in #361
- kek update map fixes by @kraxel in #364
v1.6.3-signed
⚠️ IMPORTANT
No major security fixes.
- Additional KEKs provided by ASUS, Acer, Fujitsu, BIOSTAR, TONGFANG, MEDION, Redhat, Microsoft
- Bug fixes in auth_var_tool.py
What's Changed
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #293
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #295
- pip: bump pytest from 8.4.2 to 9.0.0 by @dependabot[bot] in #297
- pip: bump ruff from 0.14.3 to 0.14.4 by @dependabot[bot] in #296
- auth_var_tool: Fix timestamp handling by @Flickdm in #299
- Repo File Sync: Update mu_devops from v18.0.0 to v18.0.2 by @mu-automation[bot] in #300
- pip: bump ruff from 0.14.4 to 0.14.5 by @dependabot[bot] in #307
- [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #309
- pip: bump pytest from 9.0.0 to 9.0.1 by @dependabot[bot] in #306
- [Secure Boot KEK Update] Fujitsu (& FCCL) PK-Signed KEK Update by @akudou1 in #310
- [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #311
- [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #315
- [Secure Boot KEK Update] BIOSTAR PK-Signed KEK Update by @bloomlin in #316
- MEDION KEK files added by @MaHoBo in #308
- Revert "[Secure Boot KEK Update] TONGFANG PK-Signed KEK Update" by @Flickdm in #322
- pip: bump edk2-pytool-extensions from 0.30.5 to 0.30.6 by @dependabot[bot] in #320
- pip: bump ruff from 0.14.5 to 0.14.7 by @dependabot[bot] in #329
- [Secure Boot KEK Update] RedHat PK-Signed KEK Update by @kraxel in #328
- KEK: Update the get_auth_var_signing_certificate and kek_update_map.json by @Flickdm in #325
- pip: bump ruff from 0.14.7 to 0.14.8 by @dependabot[bot] in #330
- pip: bump pytest from 9.0.1 to 9.0.2 by @dependabot[bot] in #332
- pip: bump edk2-pytool-library from 0.23.10 to 0.23.11 by @dependabot[bot] in #331
- GitHub Action: Bump actions/checkout from 4 to 6 by @dependabot[bot] in #317
- [Secure Boot KEK Update] Microsoft PK-Signed KEK Update by @Flickdm in #336
- [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #335
- pip: bump ruff from 0.14.8 to 0.14.9 by @dependabot[bot] in #337
- GitHub Action: Bump actions/upload-artifact from 4 to 6 by @dependabot[bot] in #334
- pip: bump ruff from 0.14.9 to 0.14.10 by @dependabot[bot] in #338
- pip: bump pyasn1 from 0.6.1 to 0.6.2 by @dependabot[bot] in #340
- pip: bump ruff from 0.14.10 to 0.14.13 by @dependabot[bot] in #341
- pip: bump ruff from 0.14.13 to 0.14.14 by @dependabot[bot] in #342
New Contributors
- @bloomlin made their first contribution in #309
- @akudou1 made their first contribution in #310
- @Faintsnow made their first contribution in #315
- @MaHoBo made their first contribution in #308
- @kraxel made their first contribution in #328
Full Changelog: v1.6.2-signed...v1.6.3-signed
v1.6.3
⚠️ IMPORTANT
No major security fixes.
- Additional KEKs provided by ASUS, Acer, Fujitsu, BIOSTAR, TONGFANG, MEDION, Redhat, Microsoft
- Bug fixes in auth_var_tool.py
What's Changed
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #293
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #295
- pip: bump pytest from 8.4.2 to 9.0.0 by @dependabot[bot] in #297
- pip: bump ruff from 0.14.3 to 0.14.4 by @dependabot[bot] in #296
- auth_var_tool: Fix timestamp handling by @Flickdm in #299
- Repo File Sync: Update mu_devops from v18.0.0 to v18.0.2 by @mu-automation[bot] in #300
- pip: bump ruff from 0.14.4 to 0.14.5 by @dependabot[bot] in #307
- [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #309
- pip: bump pytest from 9.0.0 to 9.0.1 by @dependabot[bot] in #306
- [Secure Boot KEK Update] Fujitsu (& FCCL) PK-Signed KEK Update by @akudou1 in #310
- [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #311
- [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #315
- [Secure Boot KEK Update] BIOSTAR PK-Signed KEK Update by @bloomlin in #316
- MEDION KEK files added by @MaHoBo in #308
- Revert "[Secure Boot KEK Update] TONGFANG PK-Signed KEK Update" by @Flickdm in #322
- pip: bump edk2-pytool-extensions from 0.30.5 to 0.30.6 by @dependabot[bot] in #320
- pip: bump ruff from 0.14.5 to 0.14.7 by @dependabot[bot] in #329
- [Secure Boot KEK Update] RedHat PK-Signed KEK Update by @kraxel in #328
- KEK: Update the get_auth_var_signing_certificate and kek_update_map.json by @Flickdm in #325
- pip: bump ruff from 0.14.7 to 0.14.8 by @dependabot[bot] in #330
- pip: bump pytest from 9.0.1 to 9.0.2 by @dependabot[bot] in #332
- pip: bump edk2-pytool-library from 0.23.10 to 0.23.11 by @dependabot[bot] in #331
- GitHub Action: Bump actions/checkout from 4 to 6 by @dependabot[bot] in #317
- [Secure Boot KEK Update] Microsoft PK-Signed KEK Update by @Flickdm in #336
- [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #335
- pip: bump ruff from 0.14.8 to 0.14.9 by @dependabot[bot] in #337
- GitHub Action: Bump actions/upload-artifact from 4 to 6 by @dependabot[bot] in #334
- pip: bump ruff from 0.14.9 to 0.14.10 by @dependabot[bot] in #338
- pip: bump pyasn1 from 0.6.1 to 0.6.2 by @dependabot[bot] in #340
- pip: bump ruff from 0.14.10 to 0.14.13 by @dependabot[bot] in #341
- pip: bump ruff from 0.14.13 to 0.14.14 by @dependabot[bot] in #342
New Contributors
- @bloomlin made their first contribution in #309
- @akudou1 made their first contribution in #310
- @Faintsnow made their first contribution in #315
- @MaHoBo made their first contribution in #308
- @kraxel made their first contribution in #328
Full Changelog: v1.6.2...v1.6.3
v1.6.2-signed
⚠️ IMPORTANT
No major security fixes.
- Additional KEKs provided by ASUS have been submitted
- A script to perform Multi Signature support for Secure Boot has been added
- Updates to Make2023BootableMedia.ps1 and updating the signed version
What's Changed
- pip: bump ruff from 0.14.1 to 0.14.2 by @dependabot[bot] in #282
- Script to perform UEFI multi signatures by @Flickdm in #270
- pip: bump ruff from 0.14.2 to 0.14.3 by @dependabot[bot] in #283
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #284
- Fix issue with ARM64 media, FAT32 USB handling and several other updates by @ballsop in #285
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #287
New Contributors
- @ChengAn0519 made their first contribution in #284
- @ballsop made their first contribution in #285
Full Changelog: v1.6.1-signed...v1.6.2-signed
v1.6.2
⚠️ IMPORTANT
No major security fixes.
- Additional KEKs provided by ASUS have been submitted
- A script to perform Multi Signature support for Secure Boot has been added
- Updates to Make2023BootableMedia.ps1 and updating the signed version
What's Changed
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update @ChengAn0519 (#287)
Change Details
## OEM Certificate Submission
OEM Name: ASUS
Contact Email: ChengAn_Chiu@asus.com
Certificate Details
- Platform Key Thumbprint: 3BEF0726985C1C38CBA54C48A4B2B6EB281D9EE524CA7E1C8D6EE23942896F9A
- Expiration Date: 2040-01-01
Testing Completed
- Windows validation
- Linux validation
Security Review
- No known security issues
Additional Notes
Platform Key Thumbprint SHA1:EABCB3D43C0F3353F6396E297A8CBC4EF5F2AD39
- Fix issue with ARM64 media, FAT32 USB handling and several other updates @ballsop (#285)
Change Details
## Description
- Fixed issue with ARM64 media being handled as X64 media.
- FAT32 USB key generation improvements.
- No longer need to install ADK if not generating ISO images
- Added DebugOn parameter to easily turn on extra logging output
- A number of improvements to parameter handling
- Misc tweaks and optimizations
How This Was Tested
- Large number of iterations against current and old media images, including ARM64 media.
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update @ChengAn0519 (#284)
Change Details
## OEM Certificate Submission
OEM Name: ASUS
Contact Email: ChengAn_Chiu@asus.com
Certificate Details
- Platform Key Thumbprint: 3F7AD0C7F6D52E501D885A312B232A739EA44709844DA4002EAE5A005A3ABAEF
- Expiration Date: 2043-11-14
Testing Completed
- Windows validation
- Linux validation
Security Review
- No known security issues
Additional Notes
Platform Key Thumbprint SHA1:131A78741E5D4152489B838ED8F717FB167D6888
- Script to perform UEFI multi signatures @Flickdm (#270)
Change Details
## Description
As the ecosystem is marching towards certificate key expiry, we must standardize and document
how multiple signatures are expected to work. This PR implements a python script that can take
two signed binaries and output a third "multi" signed binary.
It does not appear that the windows authenticode specification dictates how multi-signatures
are expected to be implemented. In that absence, EDK2 chose to implement multi-signatures
using multiple WIN_CERTIFICATES according to the PE/COFF specification.
The UEFI specification describes this as:
Multiple signatures are allowed to exist in the binary’s certificate table (as per PE/COFF Section “Attribute Certificate Table”).
This PR implements the code to perform the binary manipulation to get the multi signed
binary in the correct format to be validated by EDK2.
Additionally, this script supports "--nested" which is similar to the "/as" command by SignTool.
UEFI does not appear to support this today.
UEFI Style Multi-Signature
```
┌─────────────────────────────────────────────────────────────┐
│ DOS Header (64 bytes)                                       │
│   Offset 0x3C: PE Header offset                             │
└─────────────────────────────────────────────────────────────┘
│ DOS Stub                                                    │
└─────────────────────────────────────────────────────────────┘
│ PE Signature "PE\0\0"                                       │
└─────────────────────────────────────────────────────────────┘
│ COFF Header (20 bytes)                                      │
└─────────────────────────────────────────────────────────────┘
│ Optional Header                                             │
│  ┌─────────────────────────────────────────────────────┐    │
│  │ Magic: 0x010B (PE32) or 0x020B (PE32+)              │    │
│  │ ... other fields ...                                │    │
│  │                                                     │    │
│  │ Data Directories                                    │    │
│  │  ┌──────────────────────────────────────────────┐   │    │
│  │  │ [4] Security Directory ◄─────────────────────┼───┼────┼──┐
│  │  │   VirtualAddress: 0xNNNN (file offset)       │   │    │  │
│  │  │   Size: SSSS bytes (LARGER than source!)     │   │    │  │
│  │  └──────────────────────────────────────────────┘   │    │  │
│  └─────────────────────────────────────────────────────┘    │  │
└─────────────────────────────────────────────────────────────┘  │
│ Section Headers                                             │  │
└─────────────────────────────────────────────────────────────┘  │
│ .text Section (IDENTICAL to sources)                        │  │
└─────────────────────────────────────────────────────────────┘  │
│ .data Section (IDENTICAL to sources)                        │  │
└─────────────────────────────────────────────────────────────┘  │
│ .reloc Section (IDENTICAL to sources)                       │  │
└─────────────────────────────────────────────────────────────┘  │
│ ... other sections ...                                      │  │
└─────────────────────────────────────────────────────────────┘  │
│                                                             │  │
│ ┌────────────────────────────────────────────────────────┐  │◄─┘
│ │ WIN_CERTIFICATE Structure #1                           │  │ ◄── First Authority
│ │ ┌──────────────────────────────────────────────────┐   │  │
│ │ │ dwLength (4 bytes) = Size of structure #1        │   │  │
│ │ │ wRevision (2 bytes) = 0x0200                     │   │  │
│ │ │ wCertificateType (2 bytes) = 0x0002 (PKCS#7)     │   │  │
│ │ └──────────────────────────────────────────────────┘   │  │
│ │ ┌──────────────────────────────────────────────────┐   │  │
│ │ │ PKCS#7 SignedData from source1.efi               │   │  │
│ │ │ - Complete, independent PKCS#7 structure         │   │  │
│ │ │ - Includes cert chain from first signer          │   │  │
│ │ │ - Timestamp from first signing                   │   │  │
│ │ └──────────────────────────────────────────────────┘   │  │
│ │ ┌──────────────────────────────────────────────────┐   │  │
│ │ │ Padding (0-7 bytes for 8-byte alignment)         │   │  │
│ │ └──────────────────────────────────────────────────┘   │  │
│ └────────────────────────────────────────────────────────┘  │
│                                                             │
│ ┌────────────────────────────────────────────────────────┐  │ ◄── Second Authority
│ │ WIN_CERTIFICATE Structure #2                           │  │
│ │ ┌──────────────────────────────────────────────────┐   │  │
│ │ │ dwLength (4 bytes) = Size of structure #2        │   │  │
│ │ │ wRevision (2 bytes) = 0x0200                     │   │  │
│ │ │ wCertificateType (2 bytes) = 0x0002 (PKCS#7)     │   │  │
│ │ └──────────────────────────────────────────────────┘   │  │
│ │ ┌──────────────────────────────────────────────────┐   │  │
│ │ │ PKCS#7 SignedData from source2.efi               │   │  │
│ │ │ - Complete, independent PKCS#7 structure         │   │  │
│ │ │ - Includes cert chain from second signer         │   │  │
│ │ │ - Timestamp from second signing                  │   │  │
│ │ └──────────────────────────────────────────────────┘   │  │
│ │ ┌──────────────────────────────────────────────────┐   │  │
│ │ │ Padding (0-7 bytes for 8-byte alignment)         │   │  │
│ │ └──────────────────────────────────────────────────┘   │  │
│ └────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────┘
END OF FILE
```
Note: The security directory Size field = (WIN_CERTIFICATE #1 total size) + (WIN_CERTIFICATE #2 total size)
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Multi signed binary was executed in the following conditions
w/ nested signature (Microsoft OID) (--nested argument)
Only primary signature is checked, secondary signature fails
1. With SB disabled, binary passes validation
2. With SB enabled
   2.1 DB with 2011 CA & 2023 CA - multi-signed image passes
   2.2 DB with 2011 CA - multi-signed image passes
   2.3 DB with 2023 CA - multi-signed image fails
Windows can verify this image using standard tooling.
w/ multiple win_certificates (not spec defined)
1. With SB disabled, binary passes validation
2. With SB enabled
   2.1 DB with 2011 CA & 2023 CA - multi-signed image passes
   2.2 DB with 2011 CA - multi-signed image passes
   2.3 DB with 2023 CA - multi-signed image passes
Windows cannot verify this using standard tooling.
Integration Instructions
N/A
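Added example (not code from this repository or from authenticode_transplant.py): a Python sketch of the certificate-table layout in the diagram above and of the unpadded Authenticode hash noted in the v1.6.4 changes. It walks the WIN_CERTIFICATE entries on 8-byte boundaries and shows that appending a second entry leaves the image digest unchanged. The sample image and both "PKCS#7" payloads are constructed placeholders, the function names are hypothetical, no signature is verified, and the digest assumes the certificate table is the last thing in the file.

```python
import hashlib
import struct

WIN_CERT_HDR = struct.Struct("<IHH")  # dwLength, wRevision, wCertificateType
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
SECURITY_DIR_INDEX = 4  # data directory [4] in the diagram


def align8(n):
    return (n + 7) & ~7


def locate(pe):
    """Return file offsets of (CheckSum field, security directory entry)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    opt = pe_off + 4 + 20  # skip the PE signature and the 20-byte COFF header
    if pe[pe_off:pe_off + 4] != b"PE\0\0" or len(pe) < opt + 2:
        raise ValueError("missing PE signature")
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x010B, 0x020B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x010B else 112)  # PE32 / PE32+
    entry = dirs + 8 * SECURITY_DIR_INDEX
    if len(pe) < entry + 8:
        raise ValueError("optional header is truncated")
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= SECURITY_DIR_INDEX:
        raise ValueError("image has no security directory entry")
    return opt + 64, entry


def security_directory(pe):
    """Return (file offset, size) of the certificate table, (0, 0) if unsigned."""
    start, size = struct.unpack_from("<II", pe, locate(pe)[1])
    return (start, size) if start and size else (0, 0)


def walk_certificates(pe):
    """Return (wRevision, wCertificateType, payload) per WIN_CERTIFICATE."""
    start, size = security_directory(pe)
    end = start + size
    if end > len(pe):
        raise ValueError("security directory runs past end of file")
    certs, off = [], start
    while off < end:
        if end - off < WIN_CERT_HDR.size:
            raise ValueError("truncated WIN_CERTIFICATE header")
        length, rev, ctype = WIN_CERT_HDR.unpack_from(pe, off)
        if length < WIN_CERT_HDR.size or off + length > end:
            raise ValueError(f"bad dwLength {length} at offset {off:#x}")
        certs.append((rev, ctype, pe[off + WIN_CERT_HDR.size:off + length]))
        off += align8(length)  # the next entry starts on an 8-byte boundary
    return certs


def authenticode_hash(pe, algorithm="sha256"):
    """Digest the image, skipping CheckSum, directory entry [4] and the table."""
    checksum, entry = locate(pe)
    start, size = security_directory(pe)
    if start and start + size != len(pe):
        raise ValueError("this sketch expects the certificate table at EOF")
    h = hashlib.new(algorithm)
    h.update(pe[:checksum])  # everything before the 4-byte CheckSum
    h.update(pe[checksum + 4:entry])  # up to the 8-byte directory entry
    h.update(pe[entry + 8:start or len(pe)])  # rest of the image, unpadded
    return h.digest()


def append_certificate(pe, pkcs7):
    """Append one WIN_CERTIFICATE and grow the security directory Size."""
    entry = locate(pe)[1]
    start, size = security_directory(pe)
    if start == 0 and len(pe) % 8:
        raise ValueError("unsigned image must be 8-byte aligned in this sketch")
    if start and start + size != len(pe):
        raise ValueError("this sketch expects the certificate table at EOF")
    length = WIN_CERT_HDR.size + len(pkcs7)
    cert = WIN_CERT_HDR.pack(length, WIN_CERT_REVISION_2_0,
                             WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    cert += b"\0" * (align8(length) - length)  # alignment padding of the entry
    out = bytearray(pe + cert)
    struct.pack_into("<II", out, entry, start or len(pe), size + len(cert))
    return bytes(out)  # CheckSum is left stale; the digest skips it anyway


def build_sample_pe():
    """Constructed, minimal PE32+ image: headers plus 64 filler bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # PE header offset
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x020B)  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\xCC" * 64


if __name__ == "__main__":
    unsigned = build_sample_pe()
    multi = append_certificate(unsigned, b"constructed-pkcs7-A")
    multi = append_certificate(multi, b"constructed-pkcs7-B-longer")
    for rev, ctype, blob in walk_certificates(multi):
        print(f"rev={rev:#06x} type={ctype:#06x} payload={len(blob)} bytes")
    print("digest unchanged:", authenticode_hash(unsigned) == authenticode_hash(multi))
```
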
...
v1.6.1-signed
DBX Info file had regressions that said the latest SVN was 5.0 despite the binary being updated to 7.0. This has been corrected.
What's Changed
- pip: bump edk2-pytool-library from 0.23.8 to 0.23.10 by @dependabot[bot] in #275
- pip: bump ruff from 0.14.0 to 0.14.1 by @dependabot[bot] in #276
- pip: bump edk2-pytool-extensions from 0.30.3 to 0.30.5 by @dependabot[bot] in #277
- Fix SVN Regressions by @Flickdm in #279
Full Changelog: v1.6.0-signed...v1.6.1-signed
v1.6.1
DBX Info file had regressions that said the latest SVN was 5.0 despite the binary being updated to 7.0. This has been corrected.
What's Changed
- pip: bump edk2-pytool-library from 0.23.8 to 0.23.10 by @dependabot[bot] in #275
- pip: bump ruff from 0.14.0 to 0.14.1 by @dependabot[bot] in #276
- pip: bump edk2-pytool-extensions from 0.30.3 to 0.30.5 by @dependabot[bot] in #277
- Fix SVN Regressions by @Flickdm in #279
Full Changelog: v1.6.0...v1.6.1
v1.6.0-signed
Signed DBX and Revocations have been updated to include the revocations for Igel* - see #272
Updating post signed folder with signed DB update packages for 3P UEFI CA and Option ROM CA - see
#226
Bumping SVN revocation for Windows bootmgr from 5 to 7 - see
#263
What's Changed
- Fix dbx_info_msft_06_10_25.json cert file name by @dinhngtu in #223
- Make2023BootableMedia.ps1 handle spaces in ISOPath by @christophvw in #210
- Create pipeline to validate DBX JSON certificate references by @Copilot in #225
- pip: bump ruff from 0.11.12 to 0.12.0 by @dependabot[bot] in #227
- Repo File Sync: synced file(s) with microsoft/mu_devops by @mu-automation[bot] in #229
- pip: bump pytest from 8.4.0 to 8.4.1 by @dependabot[bot] in #228
- Updating Post signed folder with signed db update packages for 3P CAs. by @SochiOgbuanya in #226
- Fix "Lable" misspelling in Make2023BootableMedia.ps1 by @Copilot in #221
- Repo File Sync: Update to Mu DevOps v15.0.3 by @mu-automation[bot] in #235
- pip: bump ruff from 0.12.0 to 0.12.1 by @dependabot[bot] in #234
- pip: bump ruff from 0.12.1 to 0.12.2 by @dependabot[bot] in #237
- Feature: Authenticated Variable Tooling by @Flickdm in #236
- pip: bump ruff from 0.12.2 to 0.12.3 by @dependabot[bot] in #239
- pip: bump ruff from 0.12.3 to 0.12.4 by @dependabot[bot] in #240
- pip: bump ruff from 0.12.4 to 0.12.7 by @dependabot[bot] in #241
- pip: bump ruff from 0.12.7 to 0.12.8 by @dependabot[bot] in #244
- Update InstallSecureBootKeys.ps1 by @serock in #246
- pip: bump ruff from 0.12.8 to 0.12.9 by @dependabot[bot] in #247
- Repo File Sync: Update to Mu DevOps v16.0.0 by @mu-automation[bot] in #248
- pip: bump ruff from 0.12.9 to 0.12.10 by @dependabot[bot] in #249
- Repo File Sync: Update workflows to mu_devops v17 by @mu-automation[bot] in #251
- Repo File Sync: Update workflows to v17.0.1 by @mu-automation[bot] in #252
- pip: bump ruff from 0.12.10 to 0.12.11 by @dependabot[bot] in #253
- GitHub Action: Bump actions/setup-python from 5 to 6 by @dependabot[bot] in #254
- pip: bump pytest from 8.4.1 to 8.4.2 by @dependabot[bot] in #256
- pip: bump ruff from 0.12.11 to 0.12.12 by @dependabot[bot] in #257
- Repo File Sync: Update to Mu DevOps v18.0.0 by @mu-automation[bot] in #258
- pip: bump ruff from 0.13.0 to 0.13.1 by @dependabot[bot] in #259
- Bumping SVN revocation for Windows bootmgr from 5 to 7 by @SochiOgbuanya in #263
- pip: bump ruff from 0.13.1 to 0.13.2 by @dependabot[bot] in #262
- Clean up Post Signed Objects Branch by @Flickdm in #265
- pip: bump edk2-pytool-library from 0.23.2 to 0.23.8 by @dependabot[bot] in #266
- pip: bump edk2-pytool-extensions from 0.29.2 to 0.30.2 by @dependabot[bot] in #268
- pip: bump ruff from 0.13.2 to 0.14.0 by @dependabot[bot] in #267
- Repo File Sync: Update deps ignored in dependabot config by @mu-automation[bot] in #269
- pip: bump edk2-pytool-extensions from 0.30.2 to 0.30.3 by @dependabot[bot] in #271
- Updating Post signed DBX folder with latest revocation of vulnerable IGEL shims by @SochiOgbuanya in #272
New Contributors
- @dinhngtu made their first contribution in #223
- @christophvw made their first contribution in #210
- @Copilot made their first contribution in #225
- @serock made their first contribution in #246
Full Changelog: v1.5.1-signed...1.6.0-signed
v1.6.0
Signed DBX and Revocations have been updated to include the revocations for Igel* - see #272
Updating post signed folder with signed DB update packages for 3P UEFI CA and Option ROM CA - see
#226
Bumping SVN revocation for Windows bootmgr from 5 to 7 - see
#263
What's Changed
- Updating Post signed DBX folder with latest revocation of vulnerable IGEL shims @SochiOgbuanya (#272)
Change Details
## Description
Secure Boot Bypass due to vulnerable IGEL Linux shims
Attacker who has gained physical access to the device can plant vulnerable shims that allow loading older Linux loader which in turn loads unsigned Kernel. It is integrity bypass for boot code.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Verified by trying to boot using vulnerable IGEL boot module to ensure the modules are blocked from booting on Secure boot enabled system
Integration Instructions
N/A
- Clean up Post Signed Objects Branch @Flickdm (#265)
Change Details
## Description
Cleaning up documentation to point to the Wiki.
Additionally,
- Deleted unnecessary copy of kek_update_map.json
- Fixing auth_var_tool.py so it creates the output folder if it doesn't exist
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Local testing to verify functionality of wiki
Integration Instructions
N/A
- Bumping SVN revocation for Windows bootmgr from 5 to 7 @SochiOgbuanya (#263)
Change Details
## Description
Windows bootmgr svn revocation bumped from 5 to 7 as Windows Boot Manager can be rolled back to previous vulnerable version to trigger Secure boot rollback.
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality? No
- Impacts security? Yes
- Breaking change?
- Includes tests? No
- Includes documentation? No
How This Was Tested
Booted to latest Windows version and blocked affected versions
Integration Instructions
N/A
- Update InstallSecureBootKeys.ps1 @serock (#246)
Change Details
Fixes #245
Description
Changed "$esult" to "$Result" so that the script can properly determine if the DBX was enrolled successfully.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Tested on a Dell Inspiron 3847 with the MicrosoftAndThirdParty/Firmware files from https://github.com/microsoft/secureboot_objects/releases/download/v1.5.1/edk2-x64-secureboot-binaries.zip and a customized DBX.bin file.
Integration Instructions
N/A
- Feature: Authenticated Variable Tooling @Flickdm (#236)
Change Details
## Description
This pull request introduces two major updates: a CLI utility for working with secure boot objects in the operating system and a test script to generate test certificates to debug and work with a platform. These scripts can be used to perform the full end to end secure boot workflow in two configurations - local signing, or remote signing.
Full chain usage will be added to the WIKI and a link will be added here.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
https://github.com/microsoft/secureboot_objects/wiki/Secure-Boot-Workflow#secure-boot-workflow-setup-mode-key-installation-and-management
How This Was Tested
Local Testing on Devkit
Integration Instructions
N/A
- Fix "Lable" misspelling in Make2023BootableMedia.ps1 @[copilot-swe-agent[bot]](https://github.com/apps/copilot-swe-agent) (#221)
Change Details
Fixed multiple spelling errors in the PowerShell script `Make2023BootableMedia.ps1`:
Primary fix:
- Corrected `ISO_Lable` to `ISO_Label` throughout the script (4 occurrences on lines 230, 718, 719, and 725)
- This ensures consistency with the correctly spelled variable declaration on line 806
Additional spelling corrections:
- Fixed "Avalable" to "Available" in ADK requirement message (line 76)
- Fixed "defualt" to "default" in comment (line 717)
- Fixed "$ISOLable" to "$ISOLabel" in comment (line 717)
The variable name inconsistency could have caused runtime errors when the script attempts to reference `$global:ISO_Label` but some parts of the code were setting `$global:ISO_Lable`. All variable references now use the correct spelling `ISO_Label`.
Fixes #220.
- Updating Post signed folder with signed db update packages for 3P CAs. @SochiOgbuanya (#226)
Change Details
## Description
Updating post signed folder with signed DB update packages for 3P UEFI CA and Option ROM CA
Added db update packages for 3P UEFI CA 2023 and Option ROM CA 2023 to post signed folder.
Moved older json to archives.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Updated on local machines and @hughsie tested via fwupd
Integration Instructions
Firmware does not require this payload however third party operating systems may
- Create pipeline to validate DBX JSON certificate references @[copilot-swe-agent[bot]](https://github.com/apps/copilot-swe-agent) (#225)
Change Details
This PR implements a validation pipeline to ensure that DBX JSON files reference certificate files that actually exist in the `PreSignedObjects/DBX/Certificates` folder.
Problem
When new DBX JSON files are created, the internal certificate names referenced in the JSON don't always match the external filenames in the Certificates folder, and there was no validation to catch these mismatches. For example, the current `dbx_info_msft_06_10_25.json` references `WindowsProduction2011.cer` but the actual file is named `MicWinProPCA2011_2011-10-19.der`.
Solution
Added a new validation script and CI pipeline step that:
- Finds the latest DBX JSON file - Automatically locates `dbx_info_msft_<date>.json` files
- Validates certificate references - Checks that all certificates listed in the "certificates" array actually exist in the Certificates folder
- Provides clear error messages - Shows exactly which certificates are missing and lists available files for debugging
- Handles edge cases - Gracefully handles missing certificates sections, malformed JSON, etc.
Changes Made
New Files
- `scripts/validate_dbx_references.py` - Main validation script with CLI interface
- `scripts/test_validate_dbx_references.py` - Comprehensive unit tests (7 test cases)
CI Integration
- Added validation step to `.github/workflows/prepare-binaries.yml` after unit tests
- Pipeline will now fail on PR/release if certificate references are invalid
Other
- Fixed `.gitignore` to properly exclude `__pycache__` directories
- Removed accidentally committed cache files
Testing
```
# Current mismatch is detected
$ python scripts/validate_dbx_references.py PreSignedObjects/DBX
ERROR: Certificate file 'WindowsProduction2011.cer' referenced in JSON but not found in PreSignedObjects/DBX/Certificates
INFO: Available certificate files:
INFO: - MicWinProPC...
```