[dripton]

I installed Linux on a new laptop yesterday, and couldn't get either NixOS or Debian to install until I turned off secure boot. So I guess these distros don't bother getting every release signed by Microsoft.

At least it was easy to turn off. I just wish the error message mentioned Secure Boot -- it took me a few minutes to figure out what was wrong. At first I thought I had a corrupt USB stick or something.

[cesarb]

There are two separate Secure Boot keys Microsoft uses: one which they use to sign Windows, and another which they use to sign everything else (the "Microsoft 3rd Party UEFI CA"). AFAIK, some recent laptops with Windows preinstalled come by the default with the second one disabled in the BIOS (it's a new Microsoft requirement). To install Linux on these laptops without disabling Secure Boot, you have to go into the BIOS and enable that key.

[teddyh]

You don’t always have to disable Secure Boot; it usually works with just changing some “OS Type” from “Microsoft” to “Other”.

[hiimshort]

You can set up secure boot on NixOS with lanzaboote: https://github.com/nix-community/lanzaboote