Invalid signature detected. Check secure boot policy in setup #1666
Comments
Did you update your Ventoy to the latest 1.0.76 and make sure you have enabled the |
Yes, I did both. I always update Ventoy when a new version is released. I have been using Ventoy for a while so I'm aware of this. I even completely removed Ventoy from my flash drive and reinstalled it with version 1.0.75 and then updated it to 1.0.76 yesterday. Secure boot option is also enabled. But still getting the error. |
OK. Your BIOS reported Only the BIOS accept |
Oh, I see. I tried the Enroll efi image option in my BIOS and selected the BOOTX64.EFI which then added it to something like Authorized certificate or something. Forgot the exact name. I thought it might work but it didn't. |
Does the BIOS have an option to 'Load default keys'? |
Yeah, I think it has. Should I try it? |
yes. |
There is "Restore Factory Keys". But no luck even after doing that. |
@SeriousHoax try to erase the revocation key list in bios (forbidden keys) |
It worked after deleting the fourth item on the list, which contains 183 forbidden signatures. There's no way to choose. It deletes all of them. I guess among these there are malicious signatures also which could be used by malware that attacks UEFI. Deleting all 183 of them is not an ideal solution, I suppose. Maybe a new certificate has to be used that's not blacklisted. Otherwise, users won't be able to use Super-UEFIinSecureBoot-Disk or Ventoy in the future. |
Looks like they have 183 specific SHA256 hashes blacklisted. Probably the shim version used is one of them. My BIOS is the same also. |
Hmm, you're right, it seems. I hope the devs will be able to come up with a solution. |
Another report here https://www.youtube.com/watch?v=w8r-U2C7UMs |
Oh, so they did this a while ago. MSI even has a larger blacklist. |
That's strange. No hash from this firmware version DBX database matches any file in SUISBD or Ventoy 1.0.76. The revoked certificates of Canonical, Debian and Virtual UEFI are not used either. |
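The comment above rests on a check a defender can repeat on their own firmware: dump dbx, parse its EFI_SIGNATURE_LIST records, and see whether a boot binary's digest (or a signing certificate) is among the revoked entries. The script below is an added example written for this thread; it is not code from Ventoy or from any commenter. The dbx blob and the "images" it hashes are constructed for the demo, the `load_dbx_efivar` path is the Linux efivarfs location of dbx, and the flat SHA-256 used here only stands in for the Authenticode PE digest that firmware actually compares (see the caveat in `is_revoked`).

```python
"""Check whether a boot image's SHA-256 digest is listed in a UEFI dbx
(forbidden signatures) blob.

Added example for this thread; not Ventoy code.  SAMPLE_DBX and the sample
images are constructed.  Real dbx data can be read on Linux from
/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f (see
load_dbx_efivar) or dumped on Windows with Get-SecureBootUEFI -Name dbx.
"""
import hashlib
import struct
import uuid

# EFI_SIGNATURE_LIST.SignatureType values from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_X509_SHA256_GUID = uuid.UUID("3bd2a492-96c0-4079-b420-fcf98ef103ed")
TYPE_NAMES = {
    EFI_CERT_SHA256_GUID: "EFI_CERT_SHA256",            # digest of a revoked image
    EFI_CERT_X509_GUID: "EFI_CERT_X509",                # a revoked signing certificate
    EFI_CERT_X509_SHA256_GUID: "EFI_CERT_X509_SHA256",  # hash of a revoked certificate
}
LIST_HEADER = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize
OWNER_GUID_LEN = 16                     # each EFI_SIGNATURE_DATA starts with SignatureOwner


def parse_signature_lists(blob):
    """Yield (signature_type, [SignatureData, ...]) for every EFI_SIGNATURE_LIST in blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, off)
        body_start = off + LIST_HEADER.size + hdr_size
        body_end = off + list_size
        if body_end > len(blob) or body_start > body_end:
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = blob[body_start:body_end]
        if sig_size <= OWNER_GUID_LEN or len(body) % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        # Strip the SignatureOwner GUID in front of each entry; keep only the payload.
        entries = [body[i + OWNER_GUID_LEN:i + sig_size] for i in range(0, len(body), sig_size)]
        yield uuid.UUID(bytes_le=raw_type), entries
        off = body_end


def build_signature_list(sig_type, owner, entries):
    """Encode one EFI_SIGNATURE_LIST (used here only to construct the sample dbx)."""
    sig_size = OWNER_GUID_LEN + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body), 0, sig_size) + body


def load_dbx_efivar(path):
    """Read dbx from efivarfs; the file carries a 4-byte attributes word before the data."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def revoked_sha256_set(dbx_blob):
    """All EFI_CERT_SHA256 entries as lowercase hex digests."""
    return {e.hex() for t, entries in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID for e in entries}


def summarize(dbx_blob):
    """Count entries per signature type (the '183 forbidden signatures' a BIOS shows)."""
    counts = {}
    for t, entries in parse_signature_lists(dbx_blob):
        name = TYPE_NAMES.get(t, str(t))
        counts[name] = counts.get(name, 0) + len(entries)
    return counts


def digest_is_revoked(hex_digest, dbx_blob):
    """True if the given SHA-256 hex digest appears in dbx."""
    return hex_digest.lower() in revoked_sha256_set(dbx_blob)


def is_revoked(image_bytes, dbx_blob):
    """Flat-hash check.  Caveat: firmware hashes PE/COFF images with the Authenticode
    digest (which skips the checksum field and certificate table), not a flat file
    hash, so for a real BOOTX64.EFI compute that digest and call digest_is_revoked."""
    return digest_is_revoked(hashlib.sha256(image_bytes).hexdigest(), dbx_blob)


# Constructed sample data (not real images, not real dbx contents).
_OWNER = uuid.UUID(int=0)
REVOKED_IMAGE = b"constructed sample: a revoked boot image"
CLEAN_IMAGE = b"constructed sample: an image nobody revoked"
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, _OWNER, [
        hashlib.sha256(REVOKED_IMAGE).digest(),
        hashlib.sha256(b"constructed sample: another revoked image").digest(),
    ])
    # one revoked-certificate record: 32-byte TBS hash + 16-byte revocation time
    + build_signature_list(EFI_CERT_X509_SHA256_GUID, _OWNER, [bytes(48)])
)
# The BOOTX64.EFI digest reported earlier in this thread (flat sha256 of the file).
THREAD_BOOTX64_SHA256 = "e6cb6a3dcbd85954e5123759461198af67658aa425a6186ffc9b57b772f9158f"

if __name__ == "__main__":
    import sys
    dbx = load_dbx_efivar(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DBX
    print("dbx contents:", summarize(dbx))
    print("revoked sample listed:", is_revoked(REVOKED_IMAGE, dbx))
    print("clean sample listed:", is_revoked(CLEAN_IMAGE, dbx))
    print("thread BOOTX64.EFI digest listed:", digest_is_revoked(THREAD_BOOTX64_SHA256, dbx))
```

Run without arguments to exercise the constructed dbx, or pass the efivarfs path to inspect the machine's own list. Two outcomes matter for this thread: a SHA-256 hit means that exact binary is revoked and only a new, differently-hashed build will boot; an X509 or X509_SHA256 record means a whole signing certificate is revoked, so every image signed with it fails regardless of its hash. Either way the fix is a re-signed boot chain, not clearing dbx, which drops the protection against every listed binary at once.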
@ValdikSS |
@SeriousHoax, are you completely sure you're running Ventoy 1.0.76? What's the sha256 hash of BOOTX64.EFI on your drive? |
Yes, I am. As you can see from the screenshot I shared above. The sha256 hash is: e6cb6a3dcbd85954e5123759461198af67658aa425a6186ffc9b57b772f9158f |
@SeriousHoax, try these files. These are from just-released Fedora shim-15.6-1 |
First, I updated Ventoy to the latest 1.0.77 version which also shows the same error we're discussing here. |
I think that means the grub itself also is blacklisted by the BIOS, so it ignores mokmanager's enrollment. @SeriousHoax |
@SeriousHoax, you're right, this seems like a regression of the new shim. |
@SeriousHoax, try this. |
@ValdikSS for some reason that file triggers MS Defender, I wonder if it's intentional from MS |
@rwasef1830, virustotal says "undetected" on every file, including Microsoft. |
Just tested. It works :) |
Is it detecting the zip file? MS Defender's ML has lately become super aggressive against zip files and producing a lot of false positives. It even detects harmless zip files often. Yesterday, it detected a zip file of mine upon downloading which only had 5 harmless screenshots of a poem. It has been troubling me a lot lately. |
@SeriousHoax yes, it's triggering on the zip file itself, not the contents. It's very weird. |
Hmm, so I'm not the only one. The thing is MS doesn't care about home users. Unless an enterprise customer complains, they won't do anything to fix it. |
https://github.com/ventoy/Ventoy/releases/tag/v1.0.78
I guess this issue could also be closed. |
Yes. It works in most cases, including my Intel NUC. Otherwise:
error: shim_lock protocol not found.
error: you need to load the kernel first.
The archlinux.iso can boot if I sign the bootloader (systemd-boot) and regenerate the ISO. When I try to boot ubuntu-22.04.1-desktop-amd64.iso:
error: can't allocate initrd.
Press any key to continue...
The Windows ISO works, even when I disable secure boot. |
Manjaro ISO cannot boot with BOOT files fix. |
Ventoy 1.0.78 = Booting |
I was on v75 when I encountered this problem on my test machine. Then I upgraded to v79 and it did not resolve it. I had to replace my files with the ones in the BOOT.zip to get it to work. Am I missing something, or should the upgrade not have handled that? |
still a problem on 1.0.80 for me (hp laptop) |
1.0.80 and hp laptop as well here. |
Same problem on HP Pavilion laptop (preinstalled Win11) and Ventoy 1.0.80 |
I have not updated Ventoy since this, which is version 1.0.78. It still works for me, so I'm sticking to this one unless there's a new version that works for all. |
Solved: #1243 (comment) |
Hello @Bananaman, |
👍👌 |
I have the latest Ventoy 1.0.86 released December 24th, yes. The "Option: Secure Boot" is enabled, and style is set to GPT. Booted it with Secure Boot enabled in my motherboard's UEFI-mode BIOS (without legacy BIOS support). Ventoy came up without any errors. I then booted Fedora 37's ISO from Ventoy. And then inside Fedora I ran Ventoy is definitely working. But I cannot guarantee that your particular motherboard contains a fixed BIOS, so you must be sure to first update your BIOS to the latest version. Old AMD BIOS don't support Ventoy's secure boot. That's the issue that affected me before I updated my BIOS. |
The error you're seeing is related to the BIOS, not Ventoy. Try a full update of your BIOS, a full CMOS reset, re-enroll default keys, and be sure that your BIOS is set to a Secure Boot mode that allows you to enroll more keys. In some BIOS you may have to enable some "Custom Secure Boot" mode to let it enroll keys, otherwise the motherboard will refuse custom keys and will only use Microsoft's Windows keys. Good luck. :) The boot process is: Ventoy boots via SHIM (works on all sufficiently-updated motherboards, and it's signed by Microsoft's key). The SHIM then runs MokUtil to enroll the custom Ventoy signing key. Then it finally boots Ventoy. |
I have already run into this kind of problem, with "invalid signature detected" after an MS update. The problem came from the BIOS: once the update was done, the BIOS reset itself to factory defaults, and the PC would no longer boot because the disk was simply protected by BitLocker. Once the key was deactivated the PC restarted and I was then able to re-enable BitLocker. |
Official FAQ
Ventoy Version
1.0.76
What about latest release
Yes. I have tried the latest release, but the bug still exists.
BIOS Mode
UEFI Mode
Partition Style
MBR
Disk Capacity
16
Disk Manufacturer
ADATA
Image file checksum (if applicable)
No response
Image file download link (if applicable)
No response
What happened?
I updated my motherboard's BIOS yesterday to the latest version F63b, which includes fixes for TPM related stuttering.
https://www.gigabyte.com/Motherboard/B450M-S2H-rev-1x/support#support-dl-bios
After that, my BIOS settings were changed and I had to restore keys to default in order to enable Secure Boot. I guess after that the Ventoy certificate that I imported a long time ago, while installing Ventoy for the first time, got removed.
Now when I try to boot my Flash drive by selecting the ventoy partition which is partition 2 in my case, I can't get into ventoy. The BIOS throws an error saying, "Invalid signature detected. Check secure boot policy in setup".
I can't go into the mokmanager to enroll certificate. I'm stuck. The only way to use Ventoy now is to disable secure boot.
I guess the latest BIOS doesn't trust the certificate anymore. Anyway, I'm not an expert.
Can you do something to fix this?