Boot fails with "bad shim signature" in atomic desktops and IoT


In June 2024, updates for Fedora atomic desktops and Fedora IoT were distributed which might fail to boot on systems with Secure Boot enabled, if those systems were originally installed with an older version than Fedora Linux 40.

You might see the following error:

error: ../../grub-core/kern/efi/sb.c:182:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:258:you need to load the kernel first.

Press any key to continue...


This was caused by 39.20240617.0 and 40.20240617.0 updates for atomic desktops and the 40.20240617.0 update for IoT.

Shim and GRUB were signed with an old key on systems installed prior to Fedora 40, but the latest kernel 6.9 is no longer signed with a matching key.

You can read a longer explanation of what happened here:

Related Issues

Silverblue report: Boot fails with "vmlinuz has invalid signature" or "bad shim signature, you need to load the kernel first" · Issue #543 · fedora-silverblue/issue-tracker · GitHub


Please follow the steps described in this article:


You can discuss this topic here.