Sign grub

Please sign (with a GPG key) the grub you distribute. This is because on a system where I have enabled secure boot, have signed sysresccd's EFI & vmlinuz, and use shim, grub doesn't display the menu but only its command line.

I tried loading the configuration file boot/grub/grubsrcd.cfg manually from the grub command line like this:

configfile /boot/grub/grubsrcd.cfg

but it reports:

prohibited by secure boot policy

It is apparently because when secure boot is enabled, grub enforces signature checking.

To sign, I guess you would have to invoke

grub-mkstandalone ... --pubkey sysresccd-gpg.key

https://www.gnu.org/software/grub/manual/grub/html_node/Using-digital-signatures.html

There are also other methods apparently, but they look less easy.

Trying the grub command

set check_signatures=no
export check_signatures

doesn't help as the subsequent configfile ... also leads to prohibited by secure boot policy.

A few URLs that might be of interest:

Edited by tenzap