Leap / Tumbleweed - "Invalid signature detected ..."

Hello,
I’m trying to install Leap 15.6 / Tumbleweed on an MSI GL62 7RD notebook with an external SSD drive and Secure Boot enabled. I can complete the full installation process without any problems, but when I try to boot into the OS from the external drive, I get the error: “invalid signature detected. Check secure boot policy in setup.” I have Windows 10 installed on the internal SSD. This error message appears for both Leap and Tumbleweed.

  1. Secure boot was checked during installation
  2. I can boot into OS, but I have to disable secure boot in BIOS
  3. openSUSE:UEFI - openSUSE Wiki - stripping signature doesn’t help
  4. I have the latest BIOS available for my notebook
  5. “mokutil --set-sbat-policy delete” also doesn’t help

Any suggestions? I would like to keep secure boot enabled on my notebook.

Some questions:

  1. When you installed Leap 15.6, was secure-boot enabled during the install?

  2. Do you have both Leap 15.6 and Tumbleweed installed on the external drive?

  3. What is the output from

efibootmgr -v

You may need to disable secure-boot for now so that you can boot the system to get that output.

I’ll note that I have both Tumbleweed and Leap installed here (on an internal drive). To get this to work with secure-boot enabled, I boot using the “shim.efi” from Leap 15.6. I will get SBAT errors if I try to boot with the “shim.efi” from Tumbleweed.

I have enrolled the certificate “4659838C-shim.crt” from Tumbleweed (it is at “/etc/uefi/certs”) so that the Tumbleweed kernel is not flagged as having an invalid signature when booting with the Leap shim.

  1. Yes, Secure Boot was enabled.
  2. No, currently I have only Leap (I tried to install Tumbleweed earlier, but as you know, there are problems with different shim versions).
BootCurrent: 0005 
Timeout: 1 seconds
BootOrder: 0005,0000,0006
Boot0000* Windows Boot Manager  HD(2,GPT,c45a36d4-89d8-42c7-935d-2408967d8df0,0x109000,0x32000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...,................
Boot0005* opensuse-secureboot   HD(1,GPT,7d2da3d6-ec72-4712-98e1-8bb35298701c,0xffff,0xffff0)/File(\EFI\OPENSUSE\SHIM.EFI)
Boot0006* opensuse      HD(1,GPT,7d2da3d6-ec72-4712-98e1-8bb35298701c,0xffff,0xffff0)/File(\EFI\OPENSUSE\GRUBX64.EFI)..BO

I did a fresh install just before answering you and suddenly it started working! :upside_down_face:

This time, I completely wiped my disk using diskpart in Windows before the installation - maybe that made a difference (besides that, I did everything the same as before).

Anyway, thanks for your time Neil!

EDIT:
I removed the external SSD, booted Windows, then plugged in the SSD again and tried to boot Leap - it no longer works and the “opensuse-secureboot” entry in the boot menu seems to be gone (I can only choose between “Windows boot manager” and “opensuse”).

This varies, depending on computer manufacturer.

On some systems, the EFI firmware will delete boot entries that no longer exist. And when you unplugged that SSD, the “opensuse-secureboot” entry no longer existed.

Here’s something you might try:

1: Delete that entry for “opensuse”. You can do that with:

efibootmgr -b 0006 -B

2: As root, set up booting in the directory: “/boot/efi/EFI/BOOT”
That’s the standard place for booting a removable drive. And that last part of the path might be “Boot” rather than “BOOT”.

Assuming that directory is your current directory:

rm *
cp -p ../opensuse/shim.efi bootx64.efi
cp -p ../opensuse/MokManager.efi .
cp -p ../opensuse/grub.efi .
cp -p ../opensuse/grub.cfg .

When you next boot, there should be a boot entry, possibly with a name similar to “UEFI DISK” or “UEFI HD”. That should boot into your Leap system, and should work with secure-boot enabled.
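
The following check is an added example, not part of the original posts: it verifies that the files copied into “EFI/BOOT” in step 2 exist and are byte-identical to their sources in “EFI/opensuse”. The function names `find_ci` and `check_fallback` are assumptions made for this sketch; the ESP mount point is passed as an argument.

```shell
#!/bin/sh
# Added example: verify the removable-media fallback copy made in step 2.
# Usage (as root, ESP mounted):  check_fallback /boot/efi

# Print the path of entry NAME inside DIR, matched case-insensitively
# (FAT ignores case, so the directory may be BOOT, Boot or boot).
find_ci() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" | head -n 1
}

# Return 0 only if every fallback file exists and is byte-identical to
# its source in EFI/opensuse; print one status line per file.
check_fallback() {
    esp=${1:-/boot/efi}
    efi=$(find_ci "$esp" EFI)
    [ -n "$efi" ] || { echo "no EFI directory under $esp"; return 2; }
    src=$(find_ci "$efi" opensuse)
    dst=$(find_ci "$efi" BOOT)
    [ -n "$src" ] && [ -n "$dst" ] || { echo "missing EFI/opensuse or EFI/BOOT"; return 2; }
    rc=0
    # source-name:fallback-name pairs, matching the cp commands above
    for pair in shim.efi:bootx64.efi MokManager.efi:MokManager.efi \
                grub.efi:grub.efi grub.cfg:grub.cfg; do
        s=$(find_ci "$src" "${pair%%:*}")
        d=$(find_ci "$dst" "${pair##*:}")
        if [ -z "$s" ] || [ -z "$d" ]; then
            echo "MISSING  ${pair##*:}"; rc=1
        elif cmp -s "$s" "$d"; then
            echo "OK       ${pair##*:}"
        else
            echo "DIFFERS  ${pair##*:} (not the same bytes as ${pair%%:*})"; rc=1
        fi
    done
    return $rc
}
```

A non-zero return means at least one fallback file is absent or no longer matches the copy under “EFI/opensuse”.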

Try erase ftpm nv for factory reset if your UEFI offers something like this. But be careful, if you use BitLocker in Windows, have the recovery key ready.
Then you have to start Leap or Tumbleweed with Secure Boot disabled and run YaST Boot Loader once.

I will try to do what @nrickert suggested. If that doesn’t help, I will just install Leap on the internal disk (or stick to disabling secure boot when needed).

Thanks for the help, guys.
