Hi everyone - I'm new here!

Sorry for going with my problem directly to the grub-devel maling list, but
I'm pretty sure my problem is GRUB related. Still, I've spent some hours
trying to find a solution on the Internet and I failed :( So, here it comes
- if anyone has time to explain my problem to a layman, it would be
awesome. Even better, if you can maybe answer here on stackoverflow, where
it can be easier to find, I believe (
https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature
).

I'm running ubuntu with Secure Boot on. Everything works fine when I use a
kernel that comes packaged from cannonical. Still, I have issues running a
self-signed kernel (this is actually an externally built kernel, that I
have verified and want to use for my own machine). I'm pretty sure my
signature with MOK key is OK (verification below), but still when I try to
boot the kernel from grub, after selecting the correct entry, I get an
error that reads "Loading ... error: bad shim signature." I'm wrapping my
head around it and can't find a solution. Why, even though both kernels are
signed with MOK keys, one of them works and the other doesn't?

Here's info about kernel signatures:

root@T495:~# sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert
/var/lib/shim-signed/mok/MOK.pem /boot/vmlinuz
Image was already signed; adding additional signature

root@T495:~# sbverify --list /boot/vmlinuz
signature 1
image signature issuers:
 - /C=PL/ST=Poznan/L=Poznan/O=none/CN=Secure Boot Signing/emailAddress=
example@example.com
image signature certificates:
 - subject: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=
example@example.com
   issuer:  /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=
example@example.com
signature 2
image signature issuers:
 - /CN=ubuntu Secure Boot Module Signature key
image signature certificates:
 - subject: /CN=ubuntu Secure Boot Module Signature key
   issuer:  /CN=ubuntu Secure Boot Module Signature key


And here about MOK keys:

root@T495:~# openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -fingerprint
-noout
SHA1 Fingerprint=81:A2:93:CB:06:6F:52:BA:D9:E2:39:68:9D:FA:E2:2B:0C:95:3C:F7
root@T495:~# mokutil --list-enrolled | grep "81:a2:93"
SHA1 Fingerprint:
81:a2:93:cb:06:6f:52:ba:d9:e2:39:68:9d:fa:e2:2b:0c:95:3c:f7

If there are any docs that help understand that, I'm happy to be redirected
there :)

piontec