Verification-done on bionic with grub2 / grub2-signed:

iF  grub-efi-amd64         2.02-2ubuntu8.10          amd64  GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii  grub-efi-amd64-bin     2.02-2ubuntu8.10          amd64  GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii  grub-efi-amd64-signed  1.93.11+2.02-2ubuntu8.10  amd64  GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)

Forcing an unsigned copy of the kernel, or one signed by an unknown key, leads to the system failing to upgrade, as expected:

ubuntu@ubuntu:/boot$ sudo cp vmlinuz-4.15.0-44-generic vmlinuz-4.15.0-44-matt
ubuntu@ubuntu:/boot$ sudo sb
sbattach   sbkeysync  sbsiglist  sbsign     sbvarsign  sbverify
ubuntu@ubuntu:/boot$ sudo sbattach --remove vmlinuz-4.15.0-44-matt
ubuntu@ubuntu:/boot$ sudo apt install --reinstall grub-efi-amd64
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 47.0 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 grub-efi-amd64 amd64 2.02-2ubuntu8.10 [47.0 kB]
Fetched 47.0 kB in 0s (112 kB/s)
Preconfiguring packages ...
(Reading database ... 66920 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.02-2ubuntu8.10_amd64.deb ...
Unpacking grub-efi-amd64 (2.02-2ubuntu8.10) over (2.02-2ubuntu8.10) ...
Setting up grub-efi-amd64 (2.02-2ubuntu8.10) ...
/boot/vmlinuz-4.15.0-44-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64 (--configure):
 installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
E: Sub-process /usr/bin/dpkg returned an error code (1)

ubuntu@ubuntu:~$ sudo apt install --reinstall grub-efi-amd64
[sudo] password for ubuntu:
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/47.0 kB of archives.
After this operation, 0 B of additional disk space will be used.
Preconfiguring packages ...
(Reading database ... 66920 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.02-2ubuntu8.10_amd64.deb ...
Unpacking grub-efi-amd64 (2.02-2ubuntu8.10) over (2.02-2ubuntu8.10) ...
Setting up grub-efi-amd64 (2.02-2ubuntu8.10) ...
/boot/vmlinuz-4.15.0-44-matt is signed, but using an unknown key:
Subject: CN = PPA cyphermox efi
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64 (--configure):
 installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 grub-efi-amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)

And a properly signed kernel obviously passes validation with no issues, and does not block upgrade.
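
Added example, not part of the original comment and not the check grub's postinst runs: a Python sketch of what "unsigned" means at the file level after `sbattach --remove`, reading the PE certificate-table directory entry of an EFI image. It only detects whether a signature table is attached; it does not validate the signature or identify the signing key. The function names and the header-only sample buffers are constructed for illustration.

```python
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directories

def authenticode_table(image: bytes):
    """Return (file_offset, size) of the attached signature table, or None."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    opt = pe_off + 4 + 20        # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x20B:           # PE32+ (amd64 EFI images)
        dirs = opt + 112
    elif magic == 0x10B:         # PE32
        dirs = opt + 96
    else:
        raise ValueError("unknown optional header magic")
    (count,) = struct.unpack_from("<I", image, dirs - 4)  # NumberOfRvaAndSizes
    if count <= CERT_DIR_INDEX:
        return None
    # For this directory entry the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR_INDEX)
    return (offset, size) if offset and size else None

def sample_image(cert_offset=0, cert_size=0):
    """Constructed header-only PE32+ buffer for the demo; not a real kernel."""
    pe_off = 0x40
    buf = bytearray(pe_off + 4 + 20 + 112 + 16 * 8)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    opt = pe_off + 24
    struct.pack_into("<H", buf, opt, 0x20B)
    struct.pack_into("<I", buf, opt + 108, 16)
    struct.pack_into("<II", buf, opt + 112 + 8 * CERT_DIR_INDEX,
                     cert_offset, cert_size)
    return bytes(buf)

if __name__ == "__main__":
    for name, img in [("with signature table", sample_image(0x1000, 0x588)),
                      ("after stripping", sample_image())]:
        print(name, "->", authenticode_table(img))
```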