Package: systemd-boot
Version: 252.12-1~deb12u1

When updating systemd-boot on a system with secure-boot enabled, the postinst calls `bootctl update --graceful` which installs an unsigned efi. This will overwrite an existing efi with correct signature and cause the system to not boot anymore, because of a security violation.
The postinst should either read a config file, so users can disable this behavior or only update the efi when it has the correct signature.
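
One way to implement the second suggestion, as an added example that is not the package's postinst and not code from this report: skip the update when Secure Boot is on, the installed loader is signed and the replacement is not. It assumes that detecting an embedded signature in the PE header is enough (the signature is not validated); all function names are hypothetical.

```shell
# Added example (not the package's postinst); function names are hypothetical.

# Print the N-byte little-endian unsigned integer at OFFSET in FILE.
le_uint() {  # file offset nbytes
    bytes=$(od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null) || return 1
    val=0; mul=1
    for b in $bytes; do val=$((val + b * mul)); mul=$((mul * 256)); done
    echo "$val"
}

# Succeeds if the PE image has an embedded signature: a non-zero size in the
# certificate-table data directory (index 4). Presence only; the signature is
# NOT validated against the firmware's db or a MOK.
pe_has_signature() {  # file
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ] || return 1
    pe=$(le_uint "$1" 60 4) || return 1                   # e_lfanew
    [ "$(le_uint "$1" "$pe" 4)" = 17744 ] || return 1     # "PE\0\0"
    magic=$(le_uint "$1" $((pe + 24)) 2) || return 1
    case "$magic" in
        523) dd=$((pe + 24 + 112)) ;;                     # PE32+ (0x20b)
        267) dd=$((pe + 24 + 96)) ;;                      # PE32  (0x10b)
        *) return 1 ;;
    esac
    size=$(le_uint "$1" $((dd + 4 * 8 + 4)) 4) || return 1
    [ "$size" -gt 0 ]
}

# Succeeds if the SecureBoot variable (4 attribute bytes, then 1 data byte) is 1.
secure_boot_enabled() {  # efivars_dir
    var="$1/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    [ -r "$var" ] && [ "$(le_uint "$var" 4 1)" = 1 ]
}

# Print "skip" when Secure Boot is on, the installed loader is signed and the
# replacement is not; otherwise print "update".
update_decision() {  # efivars_dir installed_efi new_efi
    if secure_boot_enabled "$1" && pe_has_signature "$2" \
        && ! pe_has_signature "$3"; then
        echo skip
    else
        echo update
    fi
}

# Intended use (paths are assumptions; ESP is the mounted EFI system partition):
#   [ "$(update_decision /sys/firmware/efi/efivars \
#        "$ESP/EFI/systemd/systemd-bootx64.efi" \
#        /usr/lib/systemd/boot/efi/systemd-bootx64.efi)" = update ] \
#     && bootctl update --graceful
```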