Can I avoid secure boot policy violation message, but keep secure boot on?

Recently installed Tumbleweed KDE latest available from download server, written to usb by dd command. Both boot from usb and hard drive after installation usually drop me to the message shown below:
https://otvet.imgsmail.ru/download/12464499_5bb595e68dc9cb0189cb0d6415568bad_800.jpg
… when secure boot is on. I tried various ways to avoid it, ending by signing a bunch of efi entries (explained here → https://en.opensuse.org/openSUSE:UEFI). But nothing helped; however, there are many other methods I could have missed trying. I primarily pinned my hopes on modded efi files.

Can I take care of this?

To narrow down the search for solutions: the iso file successfully passed sha256 checking, as well as gpg verification. The ways to write the usb image I tried: live-fat-stick (failed, boot stuck at grub-minimal command line), dd, extract iso to usb (windows 10), Etcher (windows 10), imageusb (also windows 10).
Oh, forgot to mention, I’m performing dual-boot with Windows 10 UEFI secure boot on.

Check this page: openSUSE:UEFI

Look for the section that begins: Booting the Machine that supports only one signature with vendor provided Keys

That is the most likely explanation for your problem. The web page gives a workaround. If there is a BIOS update for your system, that might be a better solution.

At one time, I had that problem on one of my computers (a Lenovo ThinkServer). I could fix it as described in the web page, but I found it easier to turn secure-boot off. The trouble with the suggested fix is that updates to the shim package will break that fix. And updates to grub will force a “shim-install” which also breaks the fix. Eventually, a suitable BIOS update became available, so I now leave secure-boot on.

Sweet! Thank you very much! I could have missed that section; it was not really shown on the Russian localized page.
After a reboot a blue screen with a question to sign new kernel modules appeared, so I pressed ‘yes’ and the OS runs okay.

The latest BIOS update available for my machine is 3 months old, and it is doubtful the next one will bring something new to fix similar problems.
Also, there were words that said a shim update will undo the fix. How often does this happen (if shim update is an automatic process), or is it user-dependent only?

In Tumbleweed – fairly often. In Leap, once in 6 months.

However, even with Tumbleweed, it is usually an update of something related that causes this. Most of the time, it is still based on the original file “/usr/lib64/efi/shim-opensuse.efi”. If you put your modified shim there (to replace that file), perhaps it will only happen every 6 months or so.

If you decide to do that, I would rename the old file (perhaps “shim-opensuse.efi.original” or similar).

Oh, before reading your response, I just noticed shim appeared in software update process, so this must be the thing. Still, thanks for help!