signed vs unsigned bootloader
-----------------------------
The tools aren't configured to understand that there is actually a difference
between the signed and unsigned versions; only the BIOS will notice this
difference when enforcing secure boot.

The reasoning behind signed/unsigned installation is to be able to support
secure boot even if the user doesn't have it turned on at installation time.
For Debian this is less applicable until there is infrastructure to support
secure boot.

At least in Ubuntu, the way it's being done is that both fwupdate-signed and
fwupdate are seeded in the default installation. If the end user installs in
legacy mode, nothing gets installed to the ESP. If they install in UEFI mode,
the signed version goes to the ESP (whether or not secure boot is on). If they
turn secure boot on later, they're in good shape.

When someone installs fwupdate without fwupdate-signed on a minimal system, it
will check whether secure boot is turned on. It doesn't do them any good to
install to the ESP if secure boot is turned on but fwupdate-signed isn't
installed. So rather than cause the postinst to fail on something that is
configurable in the BIOS, it displays a warning.
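
The decision described above, sketched as shell. This is an added example, not
fwupdate's actual postinst: the function names, the action keywords, the path
arguments and the unsigned fallback when secure boot is off are assumptions
made for illustration.

```shell
#!/bin/sh
# Added example (not the package's postinst). Paths are arguments so the logic
# can be exercised against a constructed tree instead of the live /sys.

# secure_boot_state SYSFS_ROOT -> legacy | uefi-sb-off | uefi-sb-on
secure_boot_state() {
    efi="$1/firmware/efi"
    # No EFI directory in sysfs means the system was booted in legacy mode.
    [ -d "$efi" ] || { echo legacy; return; }
    var="$efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    # efivarfs layout: 4 attribute bytes, then the data; data byte 1 = enabled.
    if [ -r "$var" ] &&
       [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')" = "1" ]; then
        echo uefi-sb-on
    else
        echo uefi-sb-off
    fi
}

# choose_esp_action SYSFS_ROOT SIGNED_BINARY
# -> skip | install-signed | install-unsigned | warn
choose_esp_action() {
    state=$(secure_boot_state "$1")
    if [ "$state" = legacy ]; then
        echo skip                 # legacy install: nothing goes to the ESP
    elif [ -e "$2" ]; then
        echo install-signed       # signed copy is used whether or not SB is on
    elif [ "$state" = uefi-sb-on ]; then
        echo warn                 # unsigned binary would be rejected at boot
    else
        echo install-unsigned     # assumption: fallback when SB is off
    fi
}

# Hypothetical postinst step: the warning goes to stderr and the exit status
# stays 0, so a firmware setting cannot make package configuration fail.
esp_step() {
    action=$(choose_esp_action "$@")
    [ "$action" != warn ] ||
        echo "warning: secure boot is on but no signed binary is installed;" \
             "not installing to the ESP" >&2
    echo "$action"
}
```

On a real system the first argument would be /sys and the second the location
of the signed binary shipped by fwupdate-signed.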