Getting MOK pop-up every boot of AppVM

I have an AppVM, template is up to date, has been updated and rebooted multiple times. But in this particular AppVM I keep getting the systemcheck MOK warning. Updating and rebooting has not worked.

The only difference between this AppVM and my others based on the same template is that it has no NetVM.

How do I make it stop?

1 Like

Hmm, that shouldn’t show up on Qubes. In the template, can you run apt-mark showhold and see if legacy-dist is listed as being held back for some reason? It would also be useful to see the output of sudo journalctl --status legacy-dist.servce (again, run from within the template).

If all else fails and you just want the dialog box out of your face, it’s possible to do that, but I’m curious as to why things aren’t automatically working on your end even after rebooting the template multiple times.

1 Like

Also try running systemcheck - Security Check Application, as it would report any held back packages, broken DPKG / APT, pending updates, etc.

systemcheck
1 Like

Empty output.

Output:

sysmaint@host:~$ sudo journalctl --status legacy-dist.servce
journalctl: unrecognized option '--status'
sysmaint@host:~$ sudo journalctl --status legacy-dist.service
journalctl: unrecognized option '--status'

Did you mean systemctl status?

sysmaint@host:~$ sudo systemctl status legacy-dist.service
● legacy-dist.service - Derivative Distribution Legacy Versions Fixes
     Loaded: loaded (/usr/lib/systemd/system/legacy-dist.service; enabled; preset: enabled)
     Active: active (exited) since Thu 2026-02-19 12:38:10 UTC; 2min 17s ago
 Invocation: 8e4f1799a04f451c88a540ea7174062b
       Docs: https://github.com/Kicksecure/legacy-dist
    Process: 908 ExecStart=/usr/libexec/legacy-dist/fixes (code=exited, status=0/SUCCESS)
   Main PID: 908 (code=exited, status=0/SUCCESS)
   Mem peak: 2.3M
        CPU: 23ms

Feb 19 12:38:09 host systemd[1]: Starting legacy-dist.service - Derivative Distribution Legacy Versions Fixes...
Feb 19 12:38:10 host systemd[1]: Finished legacy-dist.service - Derivative Distribution Legacy Versions Fixes.

Yes, please.

Fails in AppVM because no NetVM. Reports no error in TemplateVM.

3 Likes

For debugging, could you please run:

sudo safe-rm -f /var/lib/legacy-dist/do_once/check_image_builtin_mok

And:

sudo bash -x /usr/libexec/helper-scripts/check-image-builtin-mok

systemcheck bug. We'll fix that in the near future.

Meanwhile could you please run systemcheck in an online App Qube?

1 Like

In TemplateVM?

[template workstation sysmaint ~]% sudo bash -x /usr/libexec/helper-scripts/check-image-builtin-mok 
+ source /usr/sbin/shim-signed-mok-setup
++ source /usr/libexec/helper-scripts/check_runtime.bsh
++ was_executed /usr/sbin/shim-signed-mok-setup
++ local caller_bash_source_zero=/usr/sbin/shim-signed-mok-setup
++ [[ /usr/sbin/shim-signed-mok-setup == \/\u\s\r\/\l\i\b\e\x\e\c\/\h\e\l\p\e\r\-\s\c\r\i\p\t\s\/\c\h\e\c\k\-\i\m\a\g\e\-\b\u\i\l\t\i\n\-\m\o\k ]]
+++ command -v /usr/libexec/helper-scripts/check-image-builtin-mok
++ [[ /usr/sbin/shim-signed-mok-setup == \/\u\s\r\/\l\i\b\e\x\e\c\/\h\e\l\p\e\r\-\s\c\r\i\p\t\s\/\c\h\e\c\k\-\i\m\a\g\e\-\b\u\i\l\t\i\n\-\m\o\k ]]
++ return 1
++ shim_signed_mok_setup_sourced=true
++ '[' true = false ']'
++ '[' true = false ']'
+ source /usr/libexec/helper-scripts/has.sh
+ source /usr/libexec/helper-scripts/secure_boot_enabled_check.bsh
++ source /usr/libexec/helper-scripts/has.sh
+ check_image_builtin_mok
+ '[' -f /var/lib/legacy-dist/do_once/check_image_builtin_mok_version_1 ']'
+ dkms_mok_variables_set
+ dkms_mok_dir=/var/lib/dkms
+ dkms_mok_public_file=/var/lib/dkms/mok.pub
+ dkms_mok_private_file=/var/lib/dkms/mok.key
+ shim_mok_dir=/var/lib/shim-signed/mok
+ shim_mok_public_file=/var/lib/shim-signed/mok/MOK.der
+ shim_mok_private_file=/var/lib/shim-signed/mok/MOK.priv
+ has mokutil
+ local _cmd
++ command -v mokutil
+ _cmd=
+ return 1
+ return 0

I don’t understand the instructions. Delete the script then try to run the deleted file? This is what the commands would do in the order you put them, no?

No error or related output when running systemcheck in online App Qube. Remember, the MOK pop-up only happens in 1 particular AppVM. No other qube is affected. Unfortunately that AppVM must remain offline (I cannot run systemcheck there with network connectivity right now).

3 Likes

Oops. Will correct soon.

2 Likes

Corrected. Edited my previous post. But it doesn't matter. Thank you for providing the debug output. We'll look into it soonish.

2 Likes

Yes, sorry, mis-typed.

For further debugging, could you share the exact text of the error you're getting (maybe as a screenshot)? There are two different MOK errors that can pop up; knowing which one you're seeing would be quite helpful.

It would also help to know what the results of sudo lsattr /var/lib/dkms/mok.key and sudo lsattr /var/lib/dkms/mok.pub show. You will probably have to run these from a Qubes Root Console.

In the template:

sudo mkdir --parents -- /var/lib/legacy-dist/do_once
sudo touch /var/lib/legacy-dist/do_once/check_image_builtin_mok_version_1

This is what the scripts are supposed to do in the background to signal that the MOK cleanup is complete; it's unclear why this isn't happening. Do you happen to have /var or some part thereof set up to be persistent in this AppVM (i.e. bind-mounted from a dir under /rw)?

2 Likes

systemcheck has detected that a Machine Owner Key (MOK) embedded in the installation image is present on the disk. It can be automatically deleted, but has not been yet. Most likely this means that you did not upgrade ‘legacy-dist’, or did not reboot after upgrading it. Run a full system update and reboot to fix this.

root@host:~# lsattr /var/lib/dkms/mok.key
--------------e------- /var/lib/dkms/mok.key
root@host:~# lsattr /var/lib/dkms/mok.pub
--------------e------- /var/lib/dkms/mok.pub

Not /var but /etc. I noticed this message: systemcheck[2770]: ERROR: Account 'user' (1000) is unauthorized to run action 'check-image-builtin-mok'.

I removed my bind-dirs for /etc and made it more specific and it works now.

2 Likes
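The thread turns on two things: whether the do_once marker that signals a finished MOK cleanup exists alongside the builtin key files, and whether a bind-dirs entry persists all of /etc in the AppVM (shadowing the template's updated /etc, which is what produced the "unauthorized to run action" error). The script below is an added diagnostic example, not part of the thread, of systemcheck, or of legacy-dist. It assumes only the paths that appear in the debug trace above and the bind-dirs line format that Qubes documents (`binds+=( '/path' )`); the sample trees, sample config lines and sample lsattr lines it builds are constructed fixtures, and the hypothetical `/etc/ssh` entry is only a stand-in for "a specific path under /etc".

```shell
#!/bin/bash
# Added diagnostic helper (example code, not from systemcheck or legacy-dist).
# Paths are taken from the bash -x trace in this thread.
MOK_MARKER='var/lib/legacy-dist/do_once/check_image_builtin_mok_version_1'
DKMS_MOK_KEY='var/lib/dkms/mok.key'
DKMS_MOK_PUB='var/lib/dkms/mok.pub'
SHIM_MOK_KEY='var/lib/shim-signed/mok/MOK.priv'
SHIM_MOK_PUB='var/lib/shim-signed/mok/MOK.der'

# mok_cleanup_state ROOT  (ROOT defaults to /; pass a temp dir to test offline)
# Prints one of:
#   clean           marker present, no builtin MOK files on disk
#   done-but-stale  marker present but key files still on disk
#   pending         no marker, key files present (the state systemcheck warns about)
#   nothing-to-do   neither marker nor key files
mok_cleanup_state() {
  root="${1:-/}"; marker=0; keys=0
  if [ -f "$root/$MOK_MARKER" ]; then marker=1; fi
  for f in "$DKMS_MOK_KEY" "$DKMS_MOK_PUB" "$SHIM_MOK_KEY" "$SHIM_MOK_PUB"; do
    if [ -e "$root/$f" ]; then keys=1; fi
  done
  if [ "$marker" -eq 1 ] && [ "$keys" -eq 0 ]; then echo clean
  elif [ "$marker" -eq 1 ]; then echo done-but-stale
  elif [ "$keys" -eq 1 ]; then echo pending
  else echo nothing-to-do
  fi
}

# lsattr_immutable LINE  (LINE is one line of lsattr output)
# Returns 0 if the 'i' (immutable) flag is set, which would stop the cleanup
# script from deleting the file. The thread's output shows only 'e' (extents).
lsattr_immutable() {
  flags=${1%% *}
  case "$flags" in *i*) return 0 ;; *) return 1 ;; esac
}

# broad_etc_bind CONF_FILE
# Returns 0 and prints the offending line if a bind-dirs entry binds all of
# /etc (which shadows the template's /etc in the AppVM); returns 1 otherwise.
broad_etc_bind() {
  grep -E "^[[:space:]]*binds\\+=\\([[:space:]]*['\"]?/etc/?['\"]?[[:space:]]*\\)" "$1"
}

# make_sample_tree STATE -> prints the path of a fresh temp root in that state.
# Constructed fixture: empty files stand in for the real key material.
make_sample_tree() {
  d=$(mktemp -d)
  case "$1" in
    pending)        mkdir -p "$d/var/lib/dkms"
                    : > "$d/$DKMS_MOK_KEY"; : > "$d/$DKMS_MOK_PUB" ;;
    clean)          mkdir -p "$d/var/lib/legacy-dist/do_once"
                    : > "$d/$MOK_MARKER" ;;
    done-but-stale) mkdir -p "$d/var/lib/legacy-dist/do_once" "$d/var/lib/dkms"
                    : > "$d/$MOK_MARKER"; : > "$d/$DKMS_MOK_KEY" ;;
  esac
  echo "$d"
}

# Demo run over the constructed fixtures.
for state in pending clean done-but-stale nothing-to-do; do
  t=$(make_sample_tree "$state")
  printf '%-15s -> %s\n' "$state" "$(mok_cleanup_state "$t")"
  rm -rf "$t"
done
conf=$(mktemp)
printf '%s\n' "binds+=( '/etc' )" "binds+=( '/etc/ssh' )" > "$conf"   # constructed sample
if broad_etc_bind "$conf"; then
  echo "bind-dirs: whole /etc is bound; narrow it to the specific files you need"
fi
rm -f "$conf"
lsattr_immutable "--------------e------- /var/lib/dkms/mok.key" || echo "mok.key: not immutable"
```

Run it as root with no arguments to check a real qube (`mok_cleanup_state /`), or point it at any directory to see the four states on the fixtures. The bind-dirs check only flags a bare `/etc` entry; narrower entries such as single files under /etc pass, which matches the fix the original poster reported.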