You are not logged in.
Hey folks, glad you are here. My first post. I am a mid-range Arch user, ex MCSE.
Anyway, secure boot appears to be function properly but an receiving errors with sbctl. I have two machines, both Arch, two different desktops (for testing stuff) and both are now receiving these errors:
First and main machine:
[root@CygnusX1 ~]# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: 69eb0f51-ef8a-405b-ae8c-440f03fc51eb
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft
sbctl verify:
[root@CygnusX1 ~]# sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/arch-linux-lts-fallback.efi is signed
✓ /boot/EFI/Linux/arch-linux-lts.efi is signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
✓ /boot/vmlinuz-linux-lts is signed
failed to verify file /boot/initramfs-linux-fallback.img: /boot/initramfs-linux-fallback.img: invalid pe header
failed to verify file /boot/initramfs-linux-lts-fallback.img: /boot/initramfs-linux-lts-fallback.img: invalid pe header
failed to verify file /boot/initramfs-linux-lts.img: /boot/initramfs-linux-lts.img: invalid pe header
failed to verify file /boot/initramfs-linux.img: /boot/initramfs-linux.img: invalid pe header
failed to verify file /boot/intel-ucode.img: /boot/intel-ucode.img: invalid pe header
failed to verify file /boot/loader/entries.srel: /boot/loader/entries.srel: invalid pe header
failed to verify file /boot/loader/loader.conf: /boot/loader/loader.conf: invalid pe header
failed to verify file /boot/loader/random-seed: /boot/loader/random-seed: invalid pe header
✓ /boot/vmlinuz-linux is signed
Second machine (used for testing (has a clean install as of yesterday (04/29/2025)))
[root@Zenith ~]# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: c5e58e92-76e7-4a27-adbd-9cab8e265e37
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft
[root@Zenith ~]# sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
✓ /boot/vmlinuz-linux-hardened is signed
✓ /boot/EFI/Linux/arch-linux-hardened-fallback.efi is signed
✓ /boot/EFI/Linux/arch-linux-hardened.efi is signed
failed to verify file /boot/amd-ucode.img: /boot/amd-ucode.img: invalid pe header
failed to verify file /boot/loader/entries.srel: /boot/loader/entries.srel: invalid pe header
failed to verify file /boot/loader/loader.conf: /boot/loader/loader.conf: invalid pe header
failed to verify file /boot/loader/random-seed: /boot/loader/random-seed: invalid pe header
First machine is a manual install with encrypted / fstype xfs.
Second machine is archinstall with encrypted / fstype btrfs.
No hurry on this for secure boot is functioning but error messages are annoying.
Thanks for your time!
Offline
It's an upstream bug in sbctl: https://github.com/Foxboron/sbctl/issues/433
It's harmless. sbctl incorrectly reports files which are not expected to be signed, but works as usual apart from that. According to the bug report, a fix is on the way.
Offline
Thanks. I figured is was something like that.
Offline