MOK key error when using installer on ubuntu

BrineWyrm · February 13, 2026, 6:36pm

Working on installing Whonix/Virtualbox on Ubuntu 25.10, but running into an error when the installer tries to add the vboxdrv module to the kernel using the MOK key that I set up. SInce I am on Ubuntu, the generated keys from the Virtualbox setup end up in /var/lib/shim-signed/mok/, which is different from the path that the installer is using (/var/lib/dkms/). I tried to work around this by generating another key in /var/lib/dkms/ using

$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout mok.key -out mok.pub -nodes -days 36500 -subj “/CN=DKMS/”

$ sudo openssl x509 -in mok.pub -outform DER -out mok.der

then enrolling the key, reboot, enter password, etc. However, when I run the installer it gives the following error

$ whonix-lxqt-installer-cli: [NOTICE]: Command executing: $ sudo – modprobe vboxdrv
$ whonix-lxqt-installer-cli: [NOTICE]: secure_boot_mokutil_dkms_test_key: ‘Not a valid x509 certificate’
$ whonix-lxqt-installer-cli: [ERROR]: Secure Boot DKMS Signing Key Enrollment Check Result: ‘FAIL’

Secure Boot is enabled, but the DKMS signing key is not enrolled.
VirtualBox kernel modules cannot be loaded due to this issue.
For instructions on DKMS Signing Key Enrollment, visit:
(secure boot instructions link)

$ whonix-lxqt-installer-cli: [ERROR]: Aborting.
$ whonix-lxqt-installer-cli: [NOTICE]: Executed script, function, command executed: ‘./softwareResources/whonix-lxqt-installer-cli’ ‘die’ ‘exit “${1}”’
$ whonix-lxqt-installer-cli: [ERROR]: Installer exited with code: ‘1’

Since the key is enrolled and in the right place this should not be happening, what am I missing?

arraybolt3 · February 13, 2026, 8:10pm

I think something probably went wrong when you created the key; that message Not a valid x509 certificate has to come from the command mokutil --test-key "/var/lib/dkms/mok.pub" 2>&1. Source code line:

github.com/Kicksecure/usability-misc

usr/bin/dist-installer-cli

3835d5b30


      
          if mokutil_output_sb_state=$(root_cmd mokutil --sb-state 2>&1) ; then
            if printf '%s' "$mokutil_output_sb_state" | grep --ignore-case --fixed-strings -- "enabled" >/dev/null; then
              secure_boot_status_pretty="'enabled' (mokutil_output_sb_state: '$mokutil_output_sb_state')"
              secure_boot_status_short='true'
              ## sudo mokutil --test-key /var/lib/dkms/mok.pub
              ## > /var/lib/dkms/mok.pub is already enrolled
              ## > zsh: exit 1     sudo mokutil --test-key /var/lib/dkms/mok.pub#
              ## Added "|| true" to handle the non-zero exit code.
              ## Redirection '2>&1' not necessary yet but that could be considered a minor bug in mokutil to write to stdout instead
              ## of writing to stderr.
              secure_boot_mokutil_dkms_test_key="$(root_cmd mokutil --test-key "/var/lib/dkms/mok.pub" 2>&1)" || true
              if printf '%s' "$secure_boot_mokutil_dkms_test_key" | grep --ignore-case --fixed-strings -- "already enrolled" >/dev/null ; then
                secure_boot_dkms_key_enrolled=true
              fi
            elif printf '%s' "$mokutil_output_sb_state" | grep --ignore-case --fixed-strings -- "disabled" >/dev/null ; then
              secure_boot_status_short='false'
              secure_boot_status_pretty="'disabled' (mokutil_output_sb_state: '$mokutil_output_sb_state')"
            else
              secure_boot_status_short='false'
              secure_boot_status_pretty="'unknown-please-report-this-minor-bug' (mokutil_output_sb_state: '$mokutil_output_sb_state')"
            fi

Ideally though the installer should just use the key in /var/lib/shim-signed/mok under Ubuntu. I see it doesn’t, but I think it should. @Patrick mind if I create a task for that?

Patrick · February 15, 2026, 1:16pm

That would be good, yes.