Grub-install ignores `--pubkey`

This seems to be nixos problem, I did not experience this on Arch Linux

I'm trying to get GRUB detached signatures to work as part of my Secure Boot setup. I sign the GRUB resources in extraInstallCommands, and add `--pubkey=${path/to/publicKey}` to extraGrubInstallArgs. But then, when I enable Secure Boot, GRUB falls into rescue mode with the error: prohibited by secure boot policy. When it's disabled and I try to verify signatures, it throws "public key … not found", and list_trusted prints nothing.

I also added `--verbose` to the flags and it seems like grub-install reads the key, but it does not appear in the resulting EFI executable.

Has someone experienced the same thing? How can I fix it? (I do not want to use lanzaboote.)

Did you actually reinstall grub afterwards? nixos-rebuild doesn’t do this unless you pass the --install-bootloader flag.

Yes, I did. I used `--install-bootloader`, I tried adding `--force` to extraGrubInstallArgs, and even deleted the entire /boot folder; it had no effect.

Then I’m not sure what else to check. Maybe someone more familiar with secure boot can help you.

Solved by adding `--modules=verifiers gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa` to extraGrubInstallArgs.

But I faced another problem: GRUB refuses to boot, it throws prohibited by secure boot policy. I'm not sure what could be the cause if all signatures are valid, which I checked before trying to boot with Secure Boot.

You’ll have to share the code you’re using to do the signing. Are you signing the mod files too?

Arch user here who recently had problems for not embedding the pgp module in GRUB 2.14. I will leave my setup steps here so they can help you. I believe you already know how to sign the EFI files. If you don't, I'll extend this with the sbctl segment of my script.

```bash
### GRUB PART ###

# install grub-sign command which pgp-signs files loaded by grub
git clone https://github.com/Bandie/grub2-signing-extension.git
sudo cp grub2-signing-extension/sbin/* /sbin

# create key and sign
sudo gpg --default-new-key-algo rsa4096 --gen-key # must be rsa for grub to check
sudo gpg --export -o /root/grub.pub

# be mindful of the efi directory and --removable
sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi \
    --bootloader-id=GRUB --disable-shim-lock -k /root/grub.pub \
    --modules="pgp gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa" --removable

# enforce checking signatures
echo "set check_signatures=enforce" | sudo tee -a /etc/grub.d/40_custom
sudo grub-mkconfig -o /boot/grub/grub.cfg

sudo grub-sign # from the repo we just cloned

### SBCTL PART ###
# I'll add this later if you need it
```
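For the NixOS side, here is the same recipe expressed as a NixOS module, added as an example and not taken from the thread or from any participant's configuration. It assembles the pieces the thread arrived at: the public key embedded with `--pubkey` (the long form of `-k`), the `pgp`/`verifiers` and `gcry_*` modules built into the image so the key is actually usable, `--disable-shim-lock` because GRUB is booted directly rather than through shim, `check_signatures=enforce` in grub.cfg, and a detached signature produced for every file GRUB loads after the config is generated. The key path `/etc/secureboot/grub.pub`, the key id placeholder, the `/boot/kernels` directory and the signing loop are assumptions; the NixOS options themselves (`extraGrubInstallArgs`, `extraInstallCommands`, `extraConfig`) are the ones the thread names.

```nix
# Added example, not the thread's own configuration. Paths, key id and the
# signing loop are assumptions; adapt them to your own layout.
{ config, pkgs, ... }:

{
  boot.loader.efi.efiSysMountPoint = "/boot";
  boot.loader.efi.canTouchEfiVariables = true;

  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    device = "nodev";

    extraGrubInstallArgs = [
      # Trusted PGP public key embedded in the GRUB EFI image (same as -k).
      # Assumption: the exported key lives at this path.
      "--pubkey=/etc/secureboot/grub.pub"
      # The key is useless unless the PGP verifier and the digest/cipher
      # modules it depends on are built into the image.
      "--modules=pgp verifiers gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa"
      # GRUB is booted directly by firmware, not via shim, so drop shim_lock;
      # otherwise every load fails with "prohibited by secure boot policy".
      "--disable-shim-lock"
    ];

    # Inserted into grub.cfg before the menu entries: refuse to load anything
    # that lacks a valid detached signature from the embedded key.
    extraConfig = ''
      set check_signatures=enforce
    '';

    # Runs after grub.cfg has been generated. Sign every file GRUB will load
    # (modules, fonts, grub.cfg, and the copied kernels/initrds).
    # Assumptions: the private key is in root's GnuPG keyring and is usable
    # non-interactively; <GRUB-SIGNING-KEY-ID> is a placeholder.
    extraInstallCommands = ''
      find /boot/grub /boot/kernels -type f ! -name '*.sig' | while read -r f; do
        ${pkgs.gnupg}/bin/gpg --batch --yes --detach-sign \
          --default-key "<GRUB-SIGNING-KEY-ID>" -o "$f.sig" "$f"
      done
    '';
  };
}
```

A quick sanity check before re-enabling Secure Boot is to run `gpg --verify <file>.sig <file>` on a few of the signed files as root, and to confirm that `list_trusted` inside GRUB prints the embedded key; an empty `list_trusted` means the image was built without the verifier modules, which is exactly the symptom described above.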

I forgot to disable shim lock. It boots normally. Thank you all.