Since today, booting my NitroPad T430 with Heads v2.5 stops:
gpg: verify signature failed: Unknown system error
!!! ERROR: Invalid signatrue in kexec boot params !!!
!!!!! Failed default boot
New value of ...
!!!!! Starting recovery shell
The message shows when booting using a Nitrokey and not using a Nitrokey, after choosing “Default Boot”.
Booting the OS using the “Boot Options” > “Ignore tampering and force a boot (unsafe)” works fine.
Any idea how to fix this?
I read the other 3 posts in this forum with the same error message - but my issue seems to be different.
In Heads TOTP has a value and HOTP shows “Success”.
The NitroPad runs a Debian 13 with standard kernel 6.12.74-2.
The Nitrokey itself is usable. E.g. I can change the PINs for admin and user using the Nitrokey app.
What I tried so far:
Update checksums leads to an error
Heads > Options > “Update checksums and sign all files in /boot” leads to an error.
OEM Factory Reset, which hangs
Successfully ran:
Reset TPM
Reset USB Security Dongles GPG smartcard
Changing the GPG Admin PIN to default
Changing the GPG User PIN to default
But re-flashing the firmware hangs:
Adding generated key to current firmware and re-flashing ...
Board t430-hotp-maximized detected, continuing ...
(long number) /tmp/t430-hotp-maximized.rom
Initializing Flash Programmer
Reading old flash contents. Please wait...
Flashing: [* ] 0%
Hello, what is the version of Heads your NitroPad is running?
Heads v2.5 (I wrote this in the first line in my previous post).
I updated Heads 28 days ago and the T430 booted every day without any issues until April 22nd.
Is your Debian OS encrypted?
Yes. Encryption was done using LUKS of the standard Debian installer.
The day before the error was shown the first time, an “apt upgrade” installed some packages (only Debian stable repo is used). These 3 packages may be interesting (I found them in the /var/log files):
initramfs-tools:all 0.148.3
libc-bin:amd64 2.41-12+deb13u2
upgrade libngtcp2-crypto-gnutls8:amd64 1.11.0-1 1.11.0-1+deb13u1
This means the /boot initramfs was updated. If you are sure the notebook was not tampered with, that’s no problem - note your quoted error contains a typo that’s not a Heads typo, I believe.
Also, with updating initramfs you should have landed at the “boot issue” described in System update - Nitrokey Documentation on next boot. Check if the Debian update completed successfully in /var/log. It may have failed to generate the boot entry, which led to Heads not processing it fully. If there was an error, you need to use something like Debian’s “regenerate-grub” (I’m not sure of the exact script name now, standard Debian update call for grub).
Now, there is another problem in that you apparently reset the Nitrokey GPG key linked to Heads in your trial and error (your “Reset USB Security Dongles GPG smartcard”). You can check if the Nitrokey GPG keyring is empty via the recovery console or from the booted system. To fix, you need to re-generate a new one from the Heads menu.
It will again reset the Nitrokey and then you might be able to follow the documentation. The GPG reset via Heads is not described in the documentation, but upstream: Step 3 - Configuring-Keys | Heads - Wiki (not all of it, read up on what’s called “OEM factory reset / re-ownership”). DO NOT let Heads add a LUKS key on re-generation. This won’t work. Further, only do this if you are sure the notebook is not tampered with. If unsure, remove the SSD and back it up first.