GRUB

The grub2 package is a delicate one because it supports Secure Boot.

The current workflow for Debian is described at https://wiki.debian.org/SecureBoot/Discussion#Agreed_design

In particular, building grub2 generates grub-efi-*-signed-template packages. The Debian signing service explicitly detects grub2, grabs these binary packages on upload, and should generate grub-efi-*-signed automatically (like this).

The bullseye-security queue is set up; see e.g. linux and linux-6.1 (signed by 7CA15FBC7108FA0914F84F9D8B415188B74E3736).

grub2 is referenced in lts-do-call-me, so coordinate with its Debian maintainers first.

For ELTS, a similar system is in place; pochu and kanashiro are working on it. There’s extra work on upload, and it needs to be done by someone authorized to do the signing (as of 2025-04: helmut and pochu).

TODO: testing procedures with self-signed / MOK’d packages, before uploading?

TODO: testing procedures with a VM: https://wiki.debian.org/SecureBoot/VirtualMachine

Copyright (C) 2025 Sylvain Beucler