Invalid signature detected

Hi,

I installed Tumbleweed on a Lenovo ThinkCentre desktop and I get the following message at boot:

 ***invalid signature detected. check secure boot policy in setup***

When I click “ok” the openSUSE boot page appears and I can load openSUSE without a problem but I’m not sure why that message appears. I tried disabling secure boot in the BIOS, but when I do that I get a “file system not found” message and openSUSE fails to load.

Any advice would be welcome!

Is Secure Boot enabled in openSUSE YaST bootloader properties? Show output of

grep -Ev '^#|^$' /etc/sysconfig/bootloader
efibootmgr -v

Take a look at openSUSE:UEFI

Scroll down until you find a section that begins with the heading “Booting the Machine that supports only one signature with vendor provided Keys” (It is toward the bottom of that page).

You may have that problem.

You also have an additional problem, with that error when you disable secure-boot. I’m not sure what causes that, but please follow the suggestion of arvidjaar and provide us with the information that he requested. Perhaps that will help understand the issue.

Thank you both for your quick replies.

Here’s the output of grep -Ev '^#|^$' /etc/sysconfig/bootloader:

grep -Ev '^#|^$' /etc/sysconfig/bootloader
LOADER_TYPE="grub2-efi"
SECURE_BOOT="yes"
TRUSTED_BOOT="no"

And here’s the output of efibootmgr -v:

efibootmgr -v
BootCurrent: 0002
Timeout: 1 seconds
BootOrder: 0001,0002,0007,0006,0005,0000,0004
Boot0000* Windows Boot Manager  VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
Boot0001* debian        HD(1,GPT,837847f3-f62c-44e6-8301-9ece293669c6,0x800,0x100000)/File(\EFI\DEBIAN\GRUBX64.EFI)
Boot0002* opensuse-secureboot   HD(1,GPT,837847f3-f62c-44e6-8301-9ece293669c6,0x800,0x100000)/File(\EFI\OPENSUSE\SHIM.EFI)
Boot0004* Generic Usb Device    VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0005* CD/DVD Device VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0006* UEFI: IPV4 Intel(R) Ethernet Connection (H) I219-V    PciRoot(0x0)/Pci(0x1f,0x6)/MAC(002324b936cb,0)/IPv4(0.0.0.00.0.0.0,0,0)..BO
Boot0007* UEFI: IPV6 Intel(R) Ethernet Connection (H) I219-V    PciRoot(0x0)/Pci(0x1f,0x6)/MAC(002324b936cb,0)/IPv6(::]:<->::]:,0,0)..BO

I’m wondering if I should just try to wipe the hard drive and reinstall. I looked at the openSUSE:UEFI “Booting the machine that supports…” section, but the page says that the suggested fix would have to be repeated every time shim is updated.

I continue to be puzzled by this.

In my experience, an “invalid signature” should mean that you can only boot by disabling secure-boot. But you seem to only be able to boot if you do not disable secure-boot. That’s what’s puzzling.

I’m not seeing an obvious problem in the output from “efibootmgr -v”.

The first entry in boot order is Debian bootloader. I bet that

  1. This file is unsigned so firmware displays warning and goes to the next entry which is openSUSE
  2. Debian is not even there anymore, so when Secure Boot is disabled Debian grub is launched and fails.

> The first entry in boot order is Debian bootloader. I bet that

I noticed that too. I thought the installation of openSUSE had wiped out Debian but Debian is still listed in the BIOS. I’ve tried changing the boot order in the BIOS but the change doesn’t persist.

I have a Lenovo ThinkServer, and it has its own ideas about boot order.

Assuming that Debian no longer exists, then – as root


cd /boot/efi/EFI
rm -rf debian  ## but check -- it might need to be DEBIAN

Just remove that entire debian directory from the EFI partition.

And then (as root)

efibootmgr -b1 -B

That should remove the boot entry for Debian. On reboot, your Lenovo BIOS probably won’t put it back, because you have deleted that debian directory. At least that’s how my Lenovo system behaves.

You should be able to set the boot order in the BIOS. But it is confusing because there are several boot orders (a default boot order, a fallback boot order – or something like that). It took me a couple of tries to get it right, but I now have the boot order that I want.

If I set the BIOS to turn CSM (legacy support) on, then I lose the boot order and have to reset it when I turn CSM off again.
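
A read-only check that can be run before deleting anything, added here as an example and not part of any reply in this thread: it parses `efibootmgr -v` output in the format shown above and reports boot entries whose `File(...)` loader is no longer on the EFI partition, matching path components case-insensitively as FAT does. The function names and the temporary ESP tree in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: list UEFI boot entries whose File(...) loader is missing on the ESP.
# Live use (as root): efibootmgr -v | stale_boot_entries /boot/efi

# Resolve backslash-separated EFI path $2 under directory $1, ignoring case as FAT does.
resolve_efi_path() {
    cur=$1
    rest=$(printf '%s' "$2" | tr '\\' '/')
    old_ifs=$IFS; IFS=/; set -f
    set -- $rest                      # split the path into its components
    IFS=$old_ifs; set +f
    for part in "$@"; do
        [ -n "$part" ] || continue    # skip the empty field before the leading separator
        match=$(ls -a "$cur" 2>/dev/null | grep -i -x -F -- "$part" | head -n 1)
        [ -n "$match" ] || return 1   # component not present: the loader is gone
        cur=$cur/$match
    done
    printf '%s\n' "$cur"
}

# Read "efibootmgr -v" output on stdin; print "BootNNNN <path>" for each stale entry.
# Entries without a File(...) node (firmware devices, network boot) are ignored.
stale_boot_entries() {
    esp=$1
    sed -n 's|^\(Boot[0-9A-Fa-f]\{4\}\)[*]\{0,1\} .*/File(\([^)]*\)).*$|\1 \2|p' |
    while read -r num path; do
        resolve_efi_path "$esp" "$path" >/dev/null || printf '%s %s\n' "$num" "$path"
    done
}

# Demo: the two disk entries quoted in the thread, checked against a constructed
# ESP tree that holds only openSUSE's shim (lower-case on disk, upper-case in NVRAM).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/EFI/opensuse" && : > "$tmp/EFI/opensuse/shim.efi"
    stale_boot_entries "$tmp" <<'EOF'
Boot0001* debian        HD(1,GPT,837847f3-f62c-44e6-8301-9ece293669c6,0x800,0x100000)/File(\EFI\DEBIAN\GRUBX64.EFI)
Boot0002* opensuse-secureboot   HD(1,GPT,837847f3-f62c-44e6-8301-9ece293669c6,0x800,0x100000)/File(\EFI\OPENSUSE\SHIM.EFI)
EOF
    rm -rf "$tmp"
}
demo
```

An entry reported here that is also first in `BootOrder` is a candidate for the cleanup described above; an entry that is not reported still has its loader on the partition.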

> That should remove the boot entry for Debian. On reboot, your Lenovo BIOS probably won’t put it back, because you have deleted that debian directory. At least that’s how my Lenovo system behaves.

That worked–thank you!

With EFI booting you need to do more than just remove any old OS. You need to also fix the EFI boot partition and the UEFI flash settings.

Is there something else I should do now beyond what I’ve already done?

I think it is okay now.

Are you still getting that “invalid signature” message? Or has that gone away?

> Are you still getting that “invalid signature” message? Or has that gone away?

The message has gone away now and everything seems to be working smoothly, thanks.