Verification-done on cosmic with grub2 / grub2-signed.
Forcing an unsigned copy of the kernel, or one signed by an unknown key, leads to the system failing to upgrade, as expected:
ubuntu@ubuntu:~$ dpkg -l grub-efi\* | grep ii | awk '{ print $2" "$3 }'
grub-efi-amd64 2.02+dfsg1-5ubuntu8.1
grub-efi-amd64-bin 2.02+dfsg1-5ubuntu8.1
grub-efi-amd64-signed 1.110.1+2.02+dfsg1-5ubuntu8.1
ubuntu@ubuntu:~$ sudo apt install --reinstall grub-efi-amd64-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 295 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 grub-efi-amd64-signed amd64 1.110.1+2.02+dfsg1-5ubuntu8.1 [295 kB]
Fetched 295 kB in 0s (742 kB/s)
(Reading database ... 106062 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64-signed_1.110.1+2.02+dfsg1-5ubuntu8.1_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) over (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
Setting up grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
/boot/vmlinuz-4.18.0-14-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64-signed (--configure):
installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
grub-efi-amd64-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
ubuntu@ubuntu:~$
ubuntu@ubuntu:~$ sudo sbsign --key ~/uefi-keys/uefi.
uefi.crt uefi.key
ubuntu@ubuntu:~$ sudo sbsign --key ~/uefi-keys/uefi.key --cert ~/uefi-keys/uefi.crt /boot/vmlinuz-4.18.0-14-matt
ubuntu@ubuntu:~$ sudo apt install grub-efi-amd64-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
grub-efi-amd64-signed is already the newest version (1.110.1+2.02+dfsg1-5ubuntu8.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
/boot/vmlinuz-4.18.0-14-matt.signed is signed, but using an unknown key:
Subject: CN = PPA cyphermox efi
/boot/vmlinuz-4.18.0-14-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64-signed (--configure):
installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
grub-efi-amd64-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
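
For triaging this failure from captured apt/dpkg output, the following is an added example (not part of the original comment or of the grub2-signed package) that extracts which kernels the post-installation check flagged and why. It assumes only the message formats visible in the session above; the function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise kernel-signature findings from apt/dpkg output.
# The message formats matched below are the ones shown in the session above.

# Constructed sample: post-installation lines copied from the log above.
sample_log() {
cat <<'EOF'
Setting up grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
/boot/vmlinuz-4.18.0-14-matt.signed is signed, but using an unknown key:
Subject: CN = PPA cyphermox efi
/boot/vmlinuz-4.18.0-14-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
EOF
}

# kernel_sig_findings: read apt/dpkg output on stdin and print one
# TAB-separated record per flagged kernel:
#   <status> <kernel path> <signer subject, or "-" if none was reported>
kernel_sig_findings() {
    awk '
    # Print a pending "unknown key" record (the Subject line may be missing).
    function emit() {
        if (pending != "") {
            printf "unknown-key\t%s\t%s\n", pending, (subj == "" ? "-" : subj)
            pending = ""; subj = ""
        }
    }
    / is signed, but using an unknown key:$/ {
        emit()
        p = $0; sub(/ is signed, but using an unknown key:$/, "", p)
        pending = p
        next
    }
    # The signer subject follows on the next line of the output.
    pending != "" && /^[ \t]*Subject:/ {
        s = $0; sub(/^[ \t]*Subject:[ \t]*/, "", s)
        subj = s; emit(); next
    }
    / is unsigned\.$/ {
        emit()
        p = $0; sub(/ is unsigned\.$/, "", p)
        printf "unsigned\t%s\t-\n", p
        next
    }
    END { emit() }
    '
}

# Stand-alone run over the constructed sample.
sample_log | kernel_sig_findings
```

To use it on a real host, pipe the saved terminal output of the failed `apt` run into `kernel_sig_findings` instead of `sample_log`.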