Why did Ubuntu stop publishing signed Linux kernel images since 4.16.4?

Looking at this kernel-ppa, I noticed that the kernel images for amd64 since 4.16.4 are all unsigned.

Is there a reason why Ubuntu stopped publishing signed kernel images?


I don't think mainline kernel images have been signed previously either. Latest releases just changed the package names.

To verify, I checked images against the Canonical certificate: https://github.com/slytomcat/UEFI-Boot/blob/master/keys/canonical-uefi-ca.crt

    ❯ sudo sbverify --cert canonical-uefi-ca.crt /boot/vmlinuz-4.16.1-041601-generic
    warning: file-aligned section .text extends beyond end of file
    warning: checksum areas are greater than image size. Invalid section table?
    No signature table present
    Unable to read signature data from /boot/vmlinuz-4.16.1-041601-generic
    Signature verification failed

    ❯ sudo sbverify --cert canonical-uefi-ca.crt /boot/vmlinuz-4.15.0-23-generic
    Signature verification OK

Yes! All the recent Ubuntu maintenance kernels after K4.16.3 are all unsigned; the frustration I have is that there is NO explanation given for this!

Heads-up NOTE: Do NOT even try to install these current "unsigned linux-images". Not recommended, as doing so trashed my system; my system borked when attempting to install said kernel.

IMO wait until the next major kernel release, which is K4.17, when I am hoping the linux-images will contain the required signatures.

Also, no notes or explanation for users who don’t have or use UEFI Secure Boot based systems, i.e. old-fashioned BIOS. I still have no idea why these kernels don’t work or install. I have read that these signatures are designed to prevent malware invasions. It would just be helpful to have some documentation.