Invalid Signature detected -- must uncheck secure boot
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
shim (Ubuntu) | Expired | Undecided | Unassigned | |
Bug Description
This occurred after a fresh install of 16.04 on an Acer Desktop. At the start only Windows would boot -- no Grub2 screen appeared. I made a number of attempts following "https:/
I executed a suggested command "bcdedit /set {bootmgr} path \EFI\ubuntu\
This gave the Grub2 menu but only in unsecure boot mode.
The same document says to send a bug report if an invalid signature is detected. I am doing that. However, in doing so I note that the bug report is sent to "shim". But the instructions said to set the path to "grub64.efi" and not "shimx64.efi" which was also available in the /boot/EFI folder.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: shim 0.8-0ubuntu2
ProcVersionSign
Uname: Linux 4.4.0-47-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Nov 14 20:47:37 2016
Dependencies:
EFIBootMgr:
BootCurrent: 0001
Timeout: 2 seconds
BootOrder: 0001,0000
Boot0000 ubuntu VenHw(99e275e7-
Boot0001* Windows Boot Manager HD(1,GPT,
InstallationDate: Installed on 2016-11-12 (3 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
SourcePackage: shim
UpgradeStatus: No upgrade log present (probably fresh install)
Indeed, this is wrong. grub is not an image we get signed with the Microsoft keys, and so is not going to be recognized as a valid signature by firmware unless you re-sign it yourself and add the key you used to the firmware.
With things as they are, it doesn't look like you'd be able to successfully boot Windows anyway (since you'd likely be missing extra options normally passed to the Windows Boot Manager). What I see here is that the ubuntu entry exists (so it should be possible to pick what to boot via F12 or some other keyboard shortcut appropriate to your system), but it's been mangled by the firmware. There isn't much we can do if firmware breaks the boot entries, except tricking it into doing the right thing by putting files in a different location.
The correct file to use as a BootEntry binary is shimx64.efi, not grubx64.efi. You may try the same bcdedit command with that file.
Otherwise, please try to fix Windows using the recovery options if you can (repair boot, etc. as per the AskUbuntu question or Windows documentation). From that point, you would be able to reinstall Ubuntu or boot from an Ubuntu CD/USB and reinstall grub, which will create the right boot entry (which is what Boot0000 should be in this bug's description).
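The check described in the reply above, written out as an added example (it is not part of the bug thread or of the shim package): it reads `efibootmgr -v` output and reports, per boot entry, whether the loader is shim, GRUB referenced directly, some other file, or an entry with no file path at all. The sample output, the function names and the verdict labels are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `efibootmgr -v` output (not copied from the report).
sample_efibootmgr() {
cat <<'EOF'
BootCurrent: 0001
Timeout: 2 seconds
BootOrder: 0001,0002,0000,0003
Boot0000  ubuntu HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\ubuntu\grubx64.efi)
Boot0001* Windows Boot Manager HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0002* ubuntu HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0003  ubuntu VenHw(00000000-0000-0000-0000-000000000000)
EOF
}

# Reads `efibootmgr -v` text on stdin; prints: <entry> <state> <verdict> <loader>
#   shim         loader is shimx64.efi (the binary the reply says to use)
#   grub-direct  loader is grubx64.efi, which firmware will not accept under
#                Secure Boot unless it was re-signed with an enrolled key
#   other        any other file (for example the Windows Boot Manager)
#   no-file-path entry has no File(...) node, e.g. rewritten by firmware
audit_boot_entries() {
    awk '
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
        id = substr($0, 1, 8)
        state = (substr($0, 9, 1) == "*") ? "active" : "inactive"
        loader = "-"; verdict = "no-file-path"
        if (match($0, /File\([^)]*\)/)) {
            # Strip the leading "File(" and the trailing ")".
            loader = substr($0, RSTART + 5, RLENGTH - 6)
            base = tolower(loader)
            sub(/.*\\/, "", base)          # keep only the file name
            if (base == "shimx64.efi")      verdict = "shim"
            else if (base == "grubx64.efi") verdict = "grub-direct"
            else                            verdict = "other"
        }
        print id, state, verdict, loader
    }'
}

# On a live system: efibootmgr -v | audit_boot_entries
sample_efibootmgr | audit_boot_entries
```
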