Most distributions by default provide shim signed only by Microsoft because:
Most x86 hardware comes from the factory pre-loaded with Microsoft
keys. This means the firmware on these systems will trust binaries
that are signed by Microsoft.
So, Debian ships with shim signed by Microsoft, as well as Fedora, and most other distributions. This is also true for Ubuntu:
On Ubuntu, all pre-built binaries intended to be loaded as part of the
boot process, with the exception of the initrd image, are signed by
Canonical's UEFI certificate, which itself is implicitly trusted by
being embedded in the shim loader, itself signed by Microsoft.
But Ubuntu also ships with dual-singed shim by both Canonical and Microsoft in addition to the one signed by Microsoft. It can be run by hardware trusting certificates from Canonical CA (certificate authority).
See this comment on Ask Ubuntu for some more details.
This does not prevent you to enroll your own key to be used with Secure Boot and use a self-signed shim instead of the one signed by Microsoft.