Assuming I'm understanding this correctly, the issue here is that the system that you are booting on doesn't have Canonical's secure boot signing key in the secure boot db. This is because grub2-signed isn't signed by Microsoft directly, as Microsoft's secure boot signing requirements specifically disallow signing GPLv3 binaries due to a GPLv3 restriction on releasing signing keys. This is why the shim-signed package exists, to my understanding: it's non-GPLv3 code for the express purpose of loading grub2.
To make it easier: grubx64.efi is signed by Canonical. bootx64.efi is signed by Microsoft (this is the shim-signed binary). If Canonical's signing key isn't in the key db, secure boot will refuse to load that code. If it is, it will. But if you have shim-signed installed, bootx64.efi IS signed by Microsoft's key, which is pretty much guaranteed to exist in the key db, so it will load. It then can install Canonical's signing key into the key db (as it's signed and likely includes the public key in the binary), and then boots grubx64.efi. Since Canonical's signing key is now installed, it will load just fine.

I should note I'm actually not entirely sure if it actually installs Canonical's key into the db. But if it does, you could likely remove the shim-signed package after a boot and reboot. If it does install it, grub2-signed should be all you need to boot successfully. But personally it's just as well to keep the shim installed, just in case.

--
https://bugs.launchpad.net/bugs/1086983
Title: Signed grub doesn't depend on shim-signed
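The post above describes a two-stage chain (Microsoft-signed shim, then Canonical-signed grub) and is unsure whether the Canonical key ends up in the firmware db or stays inside shim. The script below is an added example, not code from the bug thread or from the shim or grub projects, for checking that on a given machine: it lists the signer of each stage with `sbverify --list`, extracts the certificate shim carries in its `.vendor_cert` section (the key shim itself checks grubx64.efi against), and asks `mokutil --db` whether the firmware's db holds a Canonical certificate at all. It assumes sbsigntools, binutils and openssl are installed, that mokutil is available for the db check, and that the binaries sit under `EFI/ubuntu` and `EFI/BOOT` on the EFI System Partition; the `sbverify` output embedded in the script is a constructed sample in the tool's format, and the 16-byte `cert_table` fallback is an assumption about newer shim builds.

```shell
#!/bin/sh
# Added example, not from the bug thread: inspect the Ubuntu Secure Boot
# chain on an EFI System Partition. For each stage it reports who signed
# the binary, which certificate shim carries to verify the next stage,
# and whether the firmware's own db contains a Canonical certificate.
# Assumptions: sbsigntools (sbverify), binutils (objcopy) and openssl are
# installed; mokutil is optional; file names under EFI/ubuntu follow the
# Ubuntu layout. Adjust the paths for other distributions.

# Constructed sample of `sbverify --list` output for a Canonical-signed
# grubx64.efi, modelled on the tool's format so the parser can be
# exercised without an EFI binary at hand.
SAMPLE_SBVERIFY_GRUB='signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./CN=Canonical Ltd. Secure Boot Signing
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority'

# Extract the signer subject DNs (one per line) from sbverify --list
# output read on stdin.
signer_subjects() {
    sed -n 's/^[[:space:]]*-[[:space:]]*subject:[[:space:]]*//p'
}

# Map a signer DN to the trust anchor it implies. Shim is signed under
# Microsoft's third-party UEFI CA; Ubuntu's grub is signed under
# Canonical's own CA, which stock firmware does not carry in db.
classify_signer() {
    case "$1" in
        *"Microsoft Corporation UEFI CA"*|*"Microsoft Windows UEFI Driver Publisher"*)
            echo microsoft-uefi-ca ;;
        *"Microsoft Windows Production PCA"*)
            echo microsoft-windows-ca ;;
        *"Canonical Ltd."*)
            echo canonical ;;
        *)
            echo unknown ;;
    esac
}

# Signer subjects of one PE/COFF EFI binary (empty if sbverify is absent).
efi_signers() {
    sbverify --list "$1" 2>/dev/null | signer_subjects
}

# Subject of the certificate embedded in shim's .vendor_cert section.
# Assumption: newer shim builds prefix the section with a 16-byte
# cert_table header, so retry with that header skipped if raw DER fails.
shim_vendor_cert_subject() {
    vc_tmp=$(mktemp) || return 1
    objcopy -O binary --only-section=.vendor_cert "$1" "$vc_tmp" || { rm -f "$vc_tmp"; return 1; }
    if ! openssl x509 -inform der -in "$vc_tmp" -noout -subject 2>/dev/null; then
        tail -c +17 "$vc_tmp" | openssl x509 -inform der -noout -subject 2>/dev/null
    fi
    rm -f "$vc_tmp"
}

# True if the firmware's db (the store the firmware consults when it
# loads bootx64.efi) lists a Canonical certificate. Needs mokutil.
db_has_canonical() {
    command -v mokutil >/dev/null 2>&1 || return 2
    mokutil --db 2>/dev/null | grep -q "Canonical"
}

check_esp() {
    for f in "$1/EFI/BOOT/BOOTX64.EFI" "$1/EFI/ubuntu/shimx64.efi" "$1/EFI/ubuntu/grubx64.efi"; do
        [ -f "$f" ] || continue
        efi_signers "$f" | while read -r dn; do
            printf '%s\n  signed by %s (%s)\n' "$f" "$dn" "$(classify_signer "$dn")"
        done
    done
    if [ -f "$1/EFI/ubuntu/shimx64.efi" ]; then
        printf 'shim vendor cert: %s\n' "$(shim_vendor_cert_subject "$1/EFI/ubuntu/shimx64.efi")"
    fi
    if db_has_canonical; then
        echo 'db: contains a Canonical certificate'
    else
        echo 'db: no Canonical certificate found (or mokutil missing); grub is trusted via shim (vendor cert or MOK)'
    fi
}

# Run only when an ESP mount point is given, e.g.  ESP=/boot/efi sh check-sb.sh
if [ -n "${ESP:-}" ]; then
    check_esp "$ESP"
fi
```

Run it as root with `ESP=/boot/efi sh check-sb.sh`. The interesting line is the last one: if db has no Canonical certificate while `shim vendor cert` prints a Canonical subject, then the firmware only ever verified shim, and grubx64.efi was accepted by shim's embedded key, which is what the post's "if it does install it" question turns on.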
