When I open UEFI settings on my Asus laptop, the list of "authorized signatures" under secure boot includes the following:

  • AsusTek
  • Microsoft
  • Canonical

I installed Linux distros other than Ubuntu (CentOS, for example) while secure boot was on. I know that almost all Linux distros use Shim for secure boot, but does Canonical sign Shim for all of them? In other words, why is Canonical the only Linux representative on my list?

Most distributions by default provide shim signed only by Microsoft because:

Most x86 hardware comes from the factory pre-loaded with Microsoft keys. This means the firmware on these systems will trust binaries that are signed by Microsoft.

So Debian ships with a shim signed by Microsoft, as do Fedora and most other distributions. This is also true for Ubuntu:

On Ubuntu, all pre-built binaries intended to be loaded as part of the boot process, with the exception of the initrd image, are signed by Canonical's UEFI certificate, which itself is implicitly trusted by being embedded in the shim loader, itself signed by Microsoft.

But Ubuntu also ships a dual-signed shim (signed by both Canonical and Microsoft) in addition to the one signed only by Microsoft. It can be run by hardware that trusts certificates from the Canonical CA (certificate authority).

See this comment on Ask Ubuntu for some more details.

This does not prevent you from enrolling your own key to be used with Secure Boot and using a self-signed shim instead of the one signed by Microsoft.
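The answer above turns on how many Authenticode signatures are attached to a given shim binary: one (Microsoft only) for most distributions, two (Microsoft plus Canonical) for Ubuntu's dual-signed build. The following is an added example, not code from the original answer or from the shim or Ubuntu projects. It walks the PE Attribute Certificate Table by hand and reports each attached WIN_CERTIFICATE entry, which is enough to tell a single-signed shim from a dual-signed one; it does not verify the signatures or name the signers (on a real system `sbverify --list shimx64.efi` or `pesign -S -i shimx64.efi` does that). The `build_fake_pe` helper is a constructed test fixture whose certificate blobs are placeholders, not real PKCS#7 data.

```python
"""List the Authenticode signatures attached to a UEFI PE binary such as shim.

Added example (not part of the original Q&A, the shim project or Ubuntu).
Only the PE headers and the Attribute Certificate Table (data directory 4)
are parsed, so it needs no third-party library. Signatures are enumerated,
not verified: use sbverify/pesign for cryptographic verification.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate is a PKCS#7 SignedData


def _security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent.

    Unlike every other data directory, the security directory holds a raw file
    offset rather than an RVA, because the table is not mapped into memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    opt = coff + 20                                    # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = opt + 108, opt + 112    # PE32+ layout (x86_64 shim)
    elif magic == PE32_MAGIC:
        n_dirs_off, dirs_off = opt + 92, opt + 96      # PE32 layout (ia32 shim)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if size else None


def list_signatures(data: bytes):
    """Walk the WIN_CERTIFICATE entries; each one is an attached signature.

    A Microsoft-only shim yields one entry, Ubuntu's dual-signed shim two."""
    sec = _security_directory(data)
    if sec is None:
        return []
    off, size = sec
    end = off + size
    sigs = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("corrupt certificate table at offset %d" % off)
        sigs.append({"revision": revision, "type": cert_type,
                     "pkcs7": bytes(data[off + 8:off + length])})
        off += (length + 7) & ~7                       # entries are 8-byte aligned
    return sigs


def build_fake_pe(pkcs7_blobs):
    """Constructed fixture: a minimal PE32+ whose only payload is a certificate
    table. The blobs are opaque placeholders, not real PKCS#7 signatures."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew -> right after DOS header
    opt_size = 112 + 16 * 8                            # PE32+ fixed part + 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    headers_len = 64 + 4 + 20 + opt_size
    table = bytearray()
    for blob in pkcs7_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)     # pad to 8-byte boundary
    if table:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)


if __name__ == "__main__":
    # Usage: python3 shim_sigs.py /boot/efi/EFI/ubuntu/shimx64.efi
    with open(sys.argv[1], "rb") as f:
        for i, s in enumerate(list_signatures(f.read()), 1):
            print("signature %d: type=0x%04x revision=0x%04x %d bytes"
                  % (i, s["type"], s["revision"], len(s["pkcs7"])))
```

Run it against `shimx64.efi` from the `shim-signed` package of any distribution to see how many signatures it carries; a count of two is what the answer describes for Ubuntu's dual-signed shim. Note that only one of the attached signatures has to chain to a certificate in `db` for the firmware to accept the binary, which is why the same dual-signed file boots on hardware that trusts Microsoft and on hardware that trusts only the Canonical CA.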
