Secure Boot and CA Rollover - a heads-up for distributions

18 points by Foxboron


mikemccracken

This is a brief and clear post. If you're not a distro maintainer, I think the takeaway should be this section. (I've gotten this question a few times in the last few months.)

OMG!!! Will all my existing Secure Boot machines stop booting?

Almost definitely not, no.

The specification for UEFI Secure Boot expects that valid dates on certificates should not be enforced for signatures here. All that matters here is the signatures themselves. Modulo buggy firmware, existing signed binaries should continue just fine.

Foxboron

Julian Klode has posted about the Ubuntu parts of this here: https://discourse.ubuntu.com/t/microsoft-uefi-ca-rotation-what-it-means-for-ubuntu-users-and-vendors/82652