Bad Shim Signature - Can't update boot files

olmaverick · July 14, 2024, 6:09pm

I’ve been trying to fix my Kinoite ‘bad shim signature’ boot error via this thread and this Magazine article:

I haven’t had any luck so far, and I’m guessing that’s because copying the boot files doesn’t actually change them:

root@monolith:~# sha1sum /usr/lib/ostree-boot/efi/EFI/fedora/shimx64.efi 
49dda68626b94ea6185ddd8498b4a14892cbbfc8  /usr/lib/ostree-boot/efi/EFI/fedora/shimx64.efi
root@monolith:~# sha1sum /boot/efi/EFI/fedora/shimx64.efi 
49e2c16367196e6c99f818da0bfcc03ff2c4b0dc  /boot/efi/EFI/fedora/shimx64.efi
root@monolith:~# sha1sum /usr/lib/ostree-boot/efi/EFI/fedora/grubx64.efi
7056e2b947bdf4293a4755533685266909f8c330  /usr/lib/ostree-boot/efi/EFI/fedora/grubx64.efi
root@monolith:~# sha1sum /boot/efi/EFI/fedora/grubx64.efi 
97bd969adc97fd840788927683098ca428578c3e  /boot/efi/EFI/fedora/grubx64.efi

This is after a sync.

I’ve tried doing this copy more than once and for some reason the file hashes remain different every time. The exact same ‘bad shim signature’ error comes up every time I attempt secure boot, so I can’t do that anymore.

I updated again today and tried again, so I am presently on version 40.20240714.0. I’ve tried on a couple of previous versions as well and had similar issues, though it never occurred to me to check the file hashes until today.

Any suggestions?

vekruse · July 14, 2024, 6:53pm

Run the copy again

cp -rp /usr/lib/ostree-boot/efi/EFI /boot/efi

The checksums should be

0982d9ae0c088e121a0836de768f9ca74c2624f2 */boot/efi/EFI/BOOT/BOOTIA32.EFI
0982d9ae0c088e121a0836de768f9ca74c2624f2 */boot/efi/EFI/fedora/shimia32.efi
0f248207b5bdcf8409c90631d93137d45e499446 */boot/efi/EFI/fedora/grubia32.efi
46cc94411df17ddecd9e15cfcd7e26630b90bbf3 */boot/efi/EFI/fedora/BOOTIA32.CSV
48a1bac3a6e13f17256964e15778f6acf3963094 */boot/efi/EFI/BOOT/fbia32.efi
49dda68626b94ea6185ddd8498b4a14892cbbfc8 */boot/efi/EFI/BOOT/BOOTX64.EFI
49dda68626b94ea6185ddd8498b4a14892cbbfc8 */boot/efi/EFI/fedora/shim.efi
49dda68626b94ea6185ddd8498b4a14892cbbfc8 */boot/efi/EFI/fedora/shimx64.efi
7056e2b947bdf4293a4755533685266909f8c330 */boot/efi/EFI/fedora/grubx64.efi
9b534d077f601d56777a3a4d35fa1bac9a06d081 */boot/efi/EFI/fedora/mmia32.efi
acaa8130210af65ab860e32ebfce0ac648ab5314 */boot/efi/EFI/fedora/grub.cfg
b546cc728e4b4d9efc541d9d5166b991aed8a38a */boot/efi/EFI/fedora/BOOTX64.CSV
b7bffa8e7000901f68b8a5f39263f96fef5ff0da */boot/efi/EFI/BOOT/fbx64.efi
d2b8b217d11d9c07a69311eb9ab32d05e8e4c42e */boot/efi/EFI/fedora/mmx64.efi

olmaverick · July 14, 2024, 7:03pm

I’m not sure exactly what I did to fix it, but I think it was copying the files manually instead of relying on cp -r to do it?? I don’t know why this would matter, but I guess it did.

In any case, once I got the files to the right place, the fix did work fine to resolve the ‘bad shim signature’ error. Apologies for the distraction.

vekruse · July 14, 2024, 7:09pm

It doesn’t really matter how you copy the file, just that they will be copied.

Topic		Replies	Views
Talk: Boot fails with “bad shim signature” in atomic desktops and IoT Ask Fedora silverblue-team , secure-boot , uefi , grub , kinoite , atomic-desktops , sway-atomic	10	804	July 17, 2024
Boot fails with "bad shim signature" in atomic desktops and IoT Common Issues secure-boot , boot , kernel , kinoite , silverblue , f40 , atomic-desktops	1	478	July 11, 2024
Bad Shim Signature \| Fedora Silverblue \| Ask Fedora silverblue , bug-reported	20	1727	June 29, 2024
Unable to boot latest Kinoite deployment (bad shim signature) Ask Fedora kernel , kinoite , silverblue	16	856	April 9, 2024
Secure Boot: Shim: Verification failed: (0x1A) Security Violation Ask Fedora secure-boot , grub , silverblue , f40 , shim , bootupd	9	1185	July 26, 2024

Bad Shim Signature - Can't update boot files

Related topics