Verification-done on bionic with grub2 / grub2-signed:
iF grub-efi-amd64 2.02-2ubuntu8.10 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.02-2ubuntu8.10 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii grub-efi-amd64-signed 1.93.11+2.02-2ubuntu8.10 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
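Forcing an unsigned copy of the kernel, or one signed by an unknown key, leads to the system failing to upgrade, as expected:
ubuntu@ubuntu:/boot$ sudo cp vmlinuz-4.15.0-44-generic vmlinuz-4.15.0-44-matt
ubuntu@ubuntu:/boot$ sudo sb
sbattach sbkeysync sbsiglist sbsign sbvarsign sbverify
ubuntu@ubuntu:/boot$ sudo sbattach --remove vmlinuz-4.15.0-44-matt
ubuntu@ubuntu:/boot$ sudo apt install --reinstall grub-efi-amd64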
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 47.0 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 grub-efi-amd64 amd64 2.02-2ubuntu8.10 [47.0 kB]
Fetched 47.0 kB in 0s (112 kB/s)
Preconfiguring packages ...
(Reading database ... 66920 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.02-2ubuntu8.10_amd64.deb ...
Unpacking grub-efi-amd64 (2.02-2ubuntu8.10) over (2.02-2ubuntu8.10) ...
Setting up grub-efi-amd64 (2.02-2ubuntu8.10) ...
/boot/vmlinuz-4.15.0-44-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64 (--configure):
installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
E: Sub-process /usr/bin/dpkg returned an error code (1)
ubuntu@ubuntu:~$ sudo apt install --reinstall grub-efi-amd64
[sudo] password for ubuntu:
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/47.0 kB of archives.
After this operation, 0 B of additional disk space will be used.
Preconfiguring packages ...
(Reading database ... 66920 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.02-2ubuntu8.10_amd64.deb ...
Unpacking grub-efi-amd64 (2.02-2ubuntu8.10) over (2.02-2ubuntu8.10) ...
Setting up grub-efi-amd64 (2.02-2ubuntu8.10) ...
/boot/vmlinuz-4.15.0-44-matt is signed, but using an unknown key:
Subject: CN = PPA cyphermox efi
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64 (--configure):
installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
grub-efi-amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)
And a properly signed kernel obviously passes validation with no issues, and does not block upgrade.