bad shim signature- you need to load the kernel first [SOLVED]
Fixing “Bad Shim Signature – You Need to Load the Kernel First” When Installing Pop!_OS

If you’ve ever tried installing Pop!_OS and encountered the frustrating “Bad Shim Signature – You Need to Load the Kernel First” error, don’t worry—you’re not alone! 🤯 This issue usually rears its head on systems with Secure Boot enabled. Luckily, there’s a straightforward fix to get you past this roadblock and on your way to enjoying Pop!_OS. Let’s dive in! 🐧
The Culprit: Secure Boot 🛡️
Secure Boot is a UEFI feature designed to ensure only trusted operating systems boot on your machine. While its intentions are good (protecting against malicious code), it can get in the way when trying to boot custom Linux distros like Pop!_OS. Instead of letting the installer do its thing, Secure Boot throws a fit and blocks the kernel from loading. 😤
The result? That pesky bad shim signature message.
The Solution: Disable Secure Boot
Here’s how to disable Secure Boot on most systems:
Step 1: Restart and Enter Your BIOS/UEFI
- Restart your computer and press the key to enter the BIOS/UEFI setup. This key varies by manufacturer:
- Dell: F2
- HP: Esc or F10
- Lenovo: F1 or F2
- Asus: F2 or Del
- Check your system’s manual if unsure.
Step 2: Navigate to the Secure Boot Settings
- Look for something labeled Secure Boot, typically under:
- Boot Options
- Security
- Advanced Settings
Step 3: Disable Secure Boot
- Highlight the Secure Boot option and set it to Disabled.
- Save your changes (usually by pressing F10) and exit.

Step 4: Boot the Installer Again
- With Secure Boot disabled, your system should now load the kernel without any drama. 🎉
Optional: Re-Enable Secure Boot After Installation
Once Pop!_OS is installed, you can re-enable Secure Boot if you’re security-conscious. However, you’ll need to manage your own keys (using MOKs or similar tools), which can get a bit technical. If you’re new to Linux, it’s okay to leave Secure Boot off for now.
Why Does Pop!_OS Trigger This?
Pop!_OS includes its own bootloader (Systemd-boot) and custom kernel configuration, which aren’t always compatible with preloaded Secure Boot certificates. Until System76 adds more widespread shim signature support, disabling Secure Boot is the easiest workaround.
Final Thoughts 💡
This quick fix should get you up and running with Pop!_OS in no time. 🐧 Whether you’re a seasoned Linux user or a newcomer, it’s all part of the adventure. Remember, Secure Boot exists to protect your system, but sometimes, we just need to remind it who’s boss. 😉
Happy computing, and welcome to the world of Pop!_OS! 🚀
Got questions or hit another snag? Drop a comment below, and I’ll do my best to help! 🙌
TL;DR: If you’re stuck with the “bad shim signature” error when installing Pop!_OS, disable Secure Boot in your BIOS/UEFI. Problem solved! 🌟
- pop is install + bad shim signature (1)