signed vs unsigned fwupdate programs
------------------------------------

The tools aren't configured to understand that there is a difference between
the signed and unsigned versions; only the firmware notices the difference,
when it enforces secure boot.

The reasoning behind signed/unsigned installation is to be able to support
secure boot even if the user doesn't have it turned on at installation time.

In Ubuntu, both fwupdate-signed and fwupdate are seeded in the default
installation. If the end user installs in legacy mode, nothing gets installed
to the ESP. If they install in UEFI mode, the signed version goes to the ESP
(whether or not secure boot is on). If they turn secure boot on later, they're
in good shape.

When someone installs fwupdate on a minimal system without fwupdate-signed,
the postinst checks whether secure boot is turned on. It doesn't do them any
good to install to the ESP if secure boot is turned on but fwupdate-signed
isn't installed. So rather than cause the postinst to fail on something that
is configurable in the BIOS, it displays a warning.

In Debian, the package name for the signed version is slightly different due
to different infrastructure. fwupdate-signed-$ARCH and fwupdate should both be
installed, and then things will work similarly to what's described above.
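
The decision described above, sketched as a shell function. This is an added example, not the package's actual postinst. The SIGNED_EFI path is a hypothetical placeholder, the outcome names are made up for illustration, and the "install-unsigned" branch is inferred from the text rather than stated by it.

```shell
#!/bin/sh
# Added illustration; not taken from the fwupdate packaging.
# Paths are relative to a root directory so the logic can be exercised
# against a constructed tree as well as the running system.

# UEFI global-variable GUID; the efivarfs file holds 4 attribute bytes
# followed by the 1-byte SecureBoot value (1 = enforcing).
SB_VAR="sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Hypothetical placeholder for wherever the signed binary is shipped.
SIGNED_EFI="usr/lib/fwupdate/EXAMPLE.efi.signed"

# Prints one of:
#   skip-legacy               legacy boot, nothing goes to the ESP
#   install-signed            signed binary goes to the ESP
#   install-unsigned          unsigned binary, secure boot is off (inferred)
#   warn-unsigned-secureboot  secure boot on, no signed binary: warn, don't fail
esp_decision() {
    root=$1

    # No EFI directory means the system was booted in legacy mode.
    [ -d "$root/sys/firmware/efi" ] || { echo skip-legacy; return 0; }

    # With the signed package present, secure boot state does not matter:
    # the signed binary works whether enforcement is on now or enabled later.
    if [ -f "$root/$SIGNED_EFI" ]; then
        echo install-signed
        return 0
    fi

    # Only the unsigned binary is available, so secure boot state decides.
    sb=0
    if [ -r "$root/$SB_VAR" ]; then
        # Skip the 4 attribute bytes, read the single data byte as decimal.
        sb=$(od -An -tu1 -j4 -N1 "$root/$SB_VAR" | tr -d ' \n')
    fi

    if [ "$sb" = 1 ]; then
        echo warn-unsigned-secureboot
    else
        echo install-unsigned
    fi
}

# Stand-alone use: inspect the running system (ROOT empty means "/").
esp_decision "${ROOT:-}"
```
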