September expiration date
Posted Jul 17, 2025 17:30 UTC (Thu) by linuxtardis (guest, #178362)
Parent article: Linux and Secure Boot certificate expiration
* The LVFS wiki page at https://fwupd.github.io/libfwupdplugin/uefi-db.html claims that the expiration date of some certificate is 11th September 2025.
* The shim currently shipped in Ubuntu 22.04 is signed by an intermediate "Microsoft Windows UEFI Driver Publisher" certificate that already expired (!) on 16th October 2024. This intermediate is signed using the root "Microsoft Corporation UEFI CA 2011" certificate that expires on 27th June 2026. This root certificate is typically trusted by the firmware.
* Shims in some other distributions (Fedora, AlmaLinux) also seem to be signed by the expired intermediate certificate. OTOH, the CentOS Stream 10 shim is signed by an updated intermediate that expires on 15th May 2026.
* My ThinkPad L13 Gen2 can boot into Ubuntu even though their intermediate is expired.
* In https://github.com/rhboot/shim-review/issues/454#issuecom... I've found the information that Microsoft will *start* signing binaries with their new CA certificate circa October 2025.
I have a (speculative and unproven) theory on how to fit this together: starting in September or October 2025, Linux distros may not be able to obtain shims signed by the old 2011 MS certificate. This may prevent new installation media from booting on systems without the new "Microsoft UEFI CA 2023" certificate in their UEFI "db". Old media may remain working until June 27, 2026, when the old "Microsoft Corporation UEFI CA 2011" expires. This assumes that UEFI implementations check the certificate expiration date, which seems not to always be the case.
Could anyone please confirm or refute this?
Thank you, Jakub