Bad shim signature

I’m trying to install the backport kernel, but when I try to boot, I get a "bad shim signature" error. I have to revert to the old kernel. Can someone tell me what this ‘shim signature’ is, and how to fix it?

After installing the backport kernel, there should have been a blue screen during boot. It is easy to miss, and apparently you missed it.

This screen gives you an option to enroll the signing key used for the backport kernel.

If you uninstall that kernel, then reinstall, you will get the blue screen again. Or, alternatively, look at “/etc/uefi/certs”. The certificate will be there. You can probably guess which it is, by the file date. To make another attempt, you can use (as root):

mokutil --import /etc/uefi/certs/"certificate-file-name"

Replace that quoted text by the actual file name. And then pay attention to the blue screen on the next boot. You will be asked for a password with that “mokutil” command and asked again with the blue screen. When this happens automatically with kernel install, the root password is used.

On upgrading the backport kernel, would this process have to be repeated?
I’m guessing this is happening because SUSE doesn’t sign the backport kernels?

I guess I ignored the blue screen. There was an option to ‘continue boot’, and I went that way.

They are signed, but not with the SUSE key. So when you install a backport kernel, the signing key is installed in “/etc/uefi/certs”.

If you update to a newer backport kernel, that might be using the same signing key. But if it is signed with a different key you may see a blue screen once again.


I have done that – and regretted it.
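To see whether a signing key from “/etc/uefi/certs” still needs enrolling (for example after a backport kernel update that may use a different key), the following added example, which is not part of any reply in this thread, checks each certificate with `mokutil --test-key`. It assumes the certificates are `*.crt` files and that mokutil reports "is already enrolled" or "is not enrolled"; the `--check` switch and the function names are this script's own.

```shell
#!/bin/sh
# Added example: report which certificates in /etc/uefi/certs are not yet
# enrolled as Machine Owner Keys (MOK).
# Assumption: "mokutil --test-key FILE" prints "... is already enrolled" or
# "... is not enrolled"; the text is parsed instead of the exit code.

CERT_DIR="${CERT_DIR:-/etc/uefi/certs}"

# Print "enrolled", "missing" or "unknown" for one certificate file.
mok_status() {
    out=$(mokutil --test-key "$1" 2>&1) || true
    case "$out" in
        *"is already enrolled"*) echo enrolled ;;
        *"is not enrolled"*)     echo missing ;;
        *)                       echo unknown ;;
    esac
}

# Print "<status><TAB><file>" for every *.crt in the directory.
# Returns 1 if any certificate is missing or could not be checked.
check_certs() {
    dir="$1"
    rc=0
    for cert in "$dir"/*.crt; do
        [ -e "$cert" ] || continue   # directory had no *.crt files
        status=$(mok_status "$cert")
        printf '%s\t%s\n' "$status" "$cert"
        [ "$status" = enrolled ] || rc=1
    done
    return "$rc"
}

# Run only when asked, so the functions can also be sourced and reused.
if [ "${1:-}" = "--check" ]; then
    mokutil --sb-state
    check_certs "$CERT_DIR" || {
        echo "Import a missing key as root with: mokutil --import <file>"
        echo "then confirm it on the blue screen at the next boot."
    }
fi
```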
