shim-signed update - should new shim be copied to ESP automatically?

[Mateo_123]

After upgrading shim-signed (1.48+pmx1) on a bare metal PVE host (9.1 -> 9.2) I noticed that /boot/efi/EFI/debian/shimx64.efi was not updated automatically.

The new shim signed with both Microsoft UEFI CA 2011 and 2023 was available at /usr/lib/shim/shimx64.efi.signed but never made it to the ESP on its own.

I ended up copying it manually:
cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/debian/shimx64.efi

What is the correct way for the shim to be updated on the ESP after a package upgrade?

 

[Sunilkumar]

You’re correct—on Proxmox VE (Debian-based systems), updating the shim-signed package does not automatically copy the new shimx64.efi to the ESP.


From what I’ve observed, the package only installs the updated binary under /usr/lib/shim/, but it doesn’t trigger a post-install hook to sync it with /boot/efi. This behavior is consistent with Debian, where ESP updates are usually handled by tools like grub-install or proxmox-boot-tool (depending on your boot setup).


If you're using systemd-boot with proxmox-boot-tool, running:



<span>proxmox-boot-tool refresh</span>


might help ensure the ESP is updated properly.


For GRUB-based setups, a safer approach than manual copying could be:




<span>grub-install</span><br><span>update-grub</span>


That said, your manual copy works, but it would be good to confirm whether future updates might overwrite it or if a hook should handle this automatically.


Would be great if someone from the Proxmox team could clarify whether this is expected behavior or something that should be improved.