Earlier this year I bought a new Dell laptop (with windows) and I installed Leap 15
(Linux 4.12.14-lp150.12.58) in a dual boot EFI environment.
Everything worked well in both partitions until Linux decided to upgrade to 5.0.6 via the standard upgrade procedure.
The new entries appeared in the boot menu but 5.0.6 would not load giving this error:
Loading Linux 5.0.6-lp150.5-default
error : /boot/vmlinuz-5.0.6-lp150.5-default has invalid signature.
Loading initial ramdisk …
error: you need to load the kernel first
Fortunately Linux 4.12.14-lp150.12.58 would still load and Windows was unaffected.
Not long after another upgrade came along and I upgraded hoping the problem would be fixed
but not so:
Loading Linux 5.1.4-lp150.7-default
error : /boot/vmlinuz-5.1.4-lp150.7-default has invalid signature.
4.12.14 still boots ok but not the later versions.
I’ve had a look in the forum but can’t find anything relevant.
Can anyone help?
My disk configuration is:
fdisk -l
Device Start End Sectors Size Type
/dev/sda1 2048 1333247 1331200 650M EFI System
/dev/sda2 1333248 1595391 262144 128M Microsoft reserved
/dev/sda3 1595392 431091711 429496320 204.8G Microsoft basic data
/dev/sda4 1924073472 1926100991 2027520 990M Windows recovery environment
/dev/sda5 1926100992 1951277055 25176064 12G Windows recovery environment
/dev/sda6 1951279104 1953523711 2244608 1.1G Windows recovery environment
/dev/sda7 431091712 483520511 52428800 25G Linux filesystem
/dev/sda8 483520512 487714815 4194304 2G Linux swap
/dev/sda9 487714816 1924073471 1436358656 684.9G Linux filesystem
Check your repos. You probably did a “one click install”, and that added a Tumbleweed repo. And that’s a problem.
List your repos with:
zypper lr -d
and post here with CODE tags.
Thanks for your reply nrickert, here is the output to zypper lr -d
zypper lr -d
Repository priorities in effect:
90 (raised priority) : 1 repository
99 (default priority) : 10 repositories
| Alias | Name | Enabled | GPG Check | Refresh | Priority | Type | URI | Service
—±------------------------------------±----------------------------------------±--------±----------±--------±---------±-------±-----------------------------------------------------------------------------±-------
1 | http-download.opensuse.org-13133cd8 | home:regataos | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/home:/regataos/openSUSE_Leap_15.0/ |
2 | http-download.opensuse.org-3828de13 | home:regataos | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/home:/regataos/openSUSE_Leap_15.0/ |
3 | http-download.opensuse.org-aeb6b0be | editors | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/editors/openSUSE_Leap_15.0/ |
4 | http-download.opensuse.org-bb14ae9b | home:regataos | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/home:/regataos/openSUSE_Leap_15.0/ |
5 | http-download.opensuse.org-e3391f03 | home:regataos | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/home:/regataos/openSUSE_Leap_15.0/ |
6 | http-opensuse-guide.org-fbd0a1e9 | libdvdcss repository | Yes | (r ) Yes | Yes | 99 | rpm-md | http://opensuse-guide.org/repo/openSUSE_Leap_15.0/ |
7 | openSUSE-Leap-15.0-1 | openSUSE-Leap-15.0-1 | No | ---- | ---- | 99 | rpm-md | hd:///?device=/dev/disk/by-id/usb-Generic_Flash_Disk_516D61ED-0:0-part2 |
8 | packman | packman | Yes | (r ) Yes | Yes | 90 | rpm-md | http://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_15.0/ |
9 | repo-debug | openSUSE-Leap-15.0-Debug | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/distribution/leap/15.0/repo/oss/ |
10 | repo-debug-non-oss | openSUSE-Leap-15.0-Debug-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/distribution/leap/15.0/repo/non-oss/ |
11 | repo-debug-update | openSUSE-Leap-15.0-Update-Debug | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/update/leap/15.0/oss/ |
12 | repo-debug-update-non-oss | openSUSE-Leap-15.0-Update-Debug-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/update/leap/15.0/non-oss/ |
13 | repo-non-oss | openSUSE-Leap-15.0-Non-Oss | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/distribution/leap/15.0/repo/non-oss/ |
14 | repo-oss | openSUSE-Leap-15.0-Oss | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/distribution/leap/15.0/repo/oss/ |
15 | repo-source | openSUSE-Leap-15.0-Source | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/source/distribution/leap/15.0/repo/oss/ |
16 | repo-source-non-oss | openSUSE-Leap-15.0-Source-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/source/distribution/leap/15.0/repo/non-oss/ |
17 | repo-update | openSUSE-Leap-15.0-Update | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/15.0/oss/ |
18 | repo-update-non-oss | openSUSE-Leap-15.0-Update-Non-Oss | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/15.0/non-oss/ |
Yes I think I did do a ‘one click install’ but I don’t recognise a Tumbleweed repo. Is it one of the above?
Maybe its something else causing the problem…?
I am not seeing a Tumbleweed repo. So things might not be too bad.
I do see a “home:regataos” repo. You probably installed something from there. And actually, that repo shows up 4 times in your repo list. That’s a waste. It means that your software searches it 4 times. So I suggest you remove three of those (or remove all, if you prefer).
I don’t know anything about that repo, or whether it can be trusted. But that’s up to you to decide.
Your problem is, that you have installed kernels from that “home:regataos” repo. Now maybe they are good kernels. But they are not signed in a way that your system can verify them with secure-boot.
Your choices, at this stage are:
(1) disable secure-boot in your firmware (BIOS);
(2) find out whether those kernels are signed, request the signing key, and add it to MokManager so that it can be used during secure-boot;
(3) remove those kernels and keep only the original 4.12.14 kernels that have been working for you.
Of those choices, the third is what I would recommend.
To remove the kernels, use Yast Software Manager. Search for kernel. Then click on the “Versions” tab. Remove all kernels that are not from the standard repos. If you have “kernel-devel” or “kernel-default-devel” installed, also remove the bad versions of those. And if there are any “kmp” packages associated with those kernels, remove those too (search for “kmp”).
Once those are removed, I don’t think they will come back unless you do something to bring them back.
Thanks nrickert,
I got rid of all regataos and the bad kernels as you suggested, so all is well again with only 4.12.14.
I’ll be a bit more critical of updates when they come down in future.
Thanks again
P
I’m glad things are now working as they should.
Signing key is part of kernel package in /etc/uefi/certs and as I mentioned in another thread kernel installation should already make request to enroll it - as long as mokutil is installed. If this did not happen it likely means mokutil is not available.
However, this was a kernel from the “home:regataos” repo. And we really don’t know a lot about packages from that repo.
Guess what? I actually downloaded kernel from this repo and checked. I did not verify kernel signature, that’s true. But certificate is there.
Fair enough. I didn’t try that.
There’s a problem that MokManager pops up a prompt when it is not expected, and people don’t know what to do. So they do nothing (or click “Cancel”). There needs to be a better message after installing a kernel, that warns people to expect this prompt.
Yes. At least wiki page certainly needs update.