Quadro K420, ubuntu 16.04 LTS, driver 430.50 gives: PKCS#7 signature not signed with a trusted key

PKCS#7 signature not signed with a trusted key (after recent kernel updates to Ubuntu 16.04.6 LTS), and login loop.

Bare metal Dell workstation running Ubuntu 16.04.6 LTS xenial without issues for some years, with no hardware changes.

Nvidia Quadro K420 adapter, with latest nvidia proprietary Linux driver 430.50 (September 2019).

I’ve always used the nvidia proprietary driver because the open source drivers gave too many issues.
In the past I have regularly updated the nvidia driver manually after stopping lightdm and executing the relevant runfile without difficulty.

But following recent kernel updates that software-update applied, I cannot log in at the console (it just flashes and re-displays the login screen in a loop)
and also I cannot get a login prompt from Ctrl-Alt-F1 (just shows the five dots progress bar indefinitely) on an otherwise blank screen.

From grub, if I boot to 4-15.0-64 recovery mode and drop to a root shell, I can see in /var/log/syslog:

[...] nvidia: loading out-of-tree module taints kernel
[...] nvidia: module license 'NVIDIA' taints kernel
[...] nvidia: nvidia: module verification failed: signature and/or required key missing -tainting kernel
[...] NVRM: loading NVIDIA UNIX x86_64 Kernel Module 430.50 ...
[...] PKCS#7 signature not signed with a trusted key

Secure-Boot is already permanently disabled in the BIOS (and the machine can successfully dual boot to Win10 via grub).

What must I do to configure to avoid the need to sign the driver?

nvidia-bug-report.log.gz (1.12 MB)
430_26-nvidia-bug-report.log.gz (1.11 MB)
430_50-nvidia-bug-report.log.gz (1.13 MB)
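A way to triage the syslog lines quoted in the post above, as an added example that is not part of the original thread: the "tainting kernel" line is only printed when the loader carries on after a failed signature check, so its presence shows that load was not blocked. The function names are hypothetical, the sample log is constructed from the excerpt above, and the `sig_enforce` path is assumed to be the standard `module.sig_enforce` parameter.

```shell
#!/bin/sh
# Added example: classify kernel module-signature messages in a log.
# Assumption: standard location of the module.sig_enforce parameter.
SIG_ENFORCE_FILE=${SIG_ENFORCE_FILE:-/sys/module/module/parameters/sig_enforce}

# classify_sig_log LOGFILE [MODULE]   (hypothetical helper)
# Prints one of:
#   enforced        sig_enforce=Y: unsigned/untrusted modules are rejected
#   loaded-tainted  verification failed, MODULE loaded anyway and tainted the kernel
#   untrusted-only  PKCS#7 message present, no taint line for MODULE
#   clean           none of these messages present
# Note: sig_enforce=N does not by itself prove loading is unrestricted
# (Secure Boot lockdown can also enforce), so the log lines decide the rest.
classify_sig_log() {
    log=$1
    mod=${2:-nvidia}
    if [ -r "$SIG_ENFORCE_FILE" ] && [ "$(cat "$SIG_ENFORCE_FILE")" = "Y" ]; then
        echo enforced
        return 0
    fi
    if grep -Eq "${mod}: module verification failed: .*taint" "$log"; then
        echo loaded-tainted
        return 0
    fi
    if grep -Fq "PKCS#7 signature not signed with a trusted key" "$log"; then
        echo untrusted-only
        return 0
    fi
    echo clean
}

# Constructed sample mirroring the syslog excerpt quoted in the post.
write_sample_log() {
    cat > "$1" <<'EOF'
[...] nvidia: loading out-of-tree module taints kernel
[...] nvidia: module license 'NVIDIA' taints kernel
[...] nvidia: nvidia: module verification failed: signature and/or required key missing -tainting kernel
[...] NVRM: loading NVIDIA UNIX x86_64 Kernel Module 430.50 ...
[...] PKCS#7 signature not signed with a trusted key
EOF
}

# Stand-alone use: ./script /var/log/syslog [module]
if [ "$#" -gt 0 ]; then classify_sig_log "$@"; fi
```

On the sample this prints `loaded-tainted`: the module loaded, so the login loop has to be traced elsewhere (the Xorg log and library setup discussed in the replies).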

Has nothing to do with module signing/secure boot, the 16.04 driver 430 packages are broken. See this how to fix it manually:

Thank you for your reply.

The issue happened with driver 418.56 originally yesterday after kernel updates required a reboot.

I manually upgraded that driver from 418.56 to 430.50 via the runfile to see if that would fix it, but the symptom is unchanged.

So if the symptom happened originally with 418.56, how can the packaging of 430.50 be the suspect?

In the /var/log/syslog and /var/log/Xorg.0.log I don’t see evidence that XServer is crashing, is there somewhere else I should look?

In directory /usr/lib/nvidia-430, there is no such file or link named libGL* ( as mentioned in the link you gave).

The libGL.so.1.7.0 was in /usr/lib/x86-64-linux-gnu, and a symlink to that from /usr/lib/nvidia-430 did not change the symptom.

From your logs:

[    71.691] (EE) 
[    71.691] (EE) Backtrace:
[    71.701] (EE) 0: /usr/lib/xorg/Xorg (xorg_backtrace+0x4e) [0x556c67ee9e0e]
[    71.701] (EE) 1: /usr/lib/xorg/Xorg (0x556c67d38000+0x1b5b79) [0x556c67eedb79]
[    71.701] (EE) 2: /lib/x86_64-linux-gnu/libpthread.so.0 (0x7ff70d224000+0x11390) [0x7ff70d235390]
[    71.701] (EE) 3: /lib/x86_64-linux-gnu/libc.so.6 (0x7ff70ce5a000+0x14dafa) [0x7ff70cfa7afa]
[    71.701] (EE) 4: /usr/lib/nvidia-430/libnvidia-glcore.so.430.26 (0x7ff70945f000+0x118b139) [0x7ff70a5ea139]
[    71.701] (EE) 5: /usr/lib/nvidia-430/libnvidia-glcore.so.430.26 (0x7ff70945f000+0x118b29d) [0x7ff70a5ea29d]
[    71.701] (EE) 6: /usr/lib/nvidia-430/libnvidia-glcore.so.430.26 (0x7ff70945f000+0xe74848) [0x7ff70a2d3848]
[    71.701] (EE) 7: /usr/lib/x86_64-linux-gnu/xorg/extra-modules/libglxserver_nvidia.so (0x7ff707188000+0x8784a2) [0x7ff707a004a2]
[    71.701] (EE) 
[    71.701] (EE) Segmentation fault at address 0x7ff707b44000

This is from when you installed 418.56 from ppa, but you got the broken 430.26.
You shouldn’t use any .run installer especially on Ubuntu 16.04, that will just break things more.
What’s the output of
ls -l /usr/lib/libGL* /usr/lib/nvidia-430/libGL*
on your system now?

Before today, I had not previously used the ppa for the nvidia drivers, the only mechanism that I used (always successfully) was the runfile method. Possibly because that was the first method in 2016 that I got working after giving up on the open-source driver.

Today I tried the ppa, and it applied 430.26 (as distinct from the runfile which delivered 430.50).
Applying the 430.26 from the ppa, did not change the overall symptom (login loop) but did allow control-alt-f1 to (eventually) work.

After I used the ppa, there was no file or link matching libGL* in /usr/lib/nvidia-430.
I did ln -s /usr/lib/x86_64-linux-gnu/libGL.so.1.7.0 libGL.so.1 while $PWD is /usr/lib/nvidia-430.
Rebooted. Same symptom.

If I apt remove the nvidia-430, and install again from the runfile and reboot, then the /var/log/Xorg.0.log does not show a crash or a backtrace. That’s what’s confusing.
430_50-nvidia-bug-report.log.gz (1.13 MB)

I uninstalled the 430-50 driver (via runfile --uninstall method).
Then purged all nvidia modules
Then (with the ppa repository for graphics-drivers already added), apt update ;
apt install nvidia-430
I then ran nvidia-smi, and saw the PKCS#7 signature message.
Next I checked for /usr/lib/nvidia-430/libGL* files and found many, including a symlink for libGL.so.1 that was not pointing to libGL.so.1.7.0 as per the previously suggested link in the above responses.
Removed that broken symlink.
Added new symlink libGL.so.1 pointing to libGL.so.1.7.0
Ran nvidia-smi and this time did not get the PKCS#7 message.
The login screen appeared, but both the mouse and the keyboard were not active.
Did a cold boot, entered the recovery mode, and took a new nvidia-bug-report.sh (attached 430_26-nvidia-bug-report.log.gz), and also attached a file showing the ls -l libGL* in both the /usr/lib/x86_64-linux-gnu and /usr/lib/nvidia-430 directories (attached file checks.txt).

430_26-nvidia-bug-report.log.gz (1.11 MB)
checks.txt (2.48 KB)

Now this is weird. The libGL* setup is correct now.
In your first logs, you were running xorg-server 1.19.5; in your last log (with no input possible) the xserver was downgraded to 1.18.4(!?) and the input drivers were missing for that.
Looks like you somehow purged a bit too much. Please try upgrading it again to the latest available version:

Thank you for the information.

In the recovery mode root console:

apt-get install --install-recommends linux-generic-hwe-16.04 xserver-xorg-hwe-16.06
apt-get update

Recreate the symbolic link libGL.so.1 pointing to libGL.so.1.7.0 in /usr/lib/nvidia-430
shutdown -r now

Normal boot will not start the desktop, shows a blank screen that has the ubuntu 5 squares progress indicator indefinitely.

Entered recovery mode again, and see several messages: PKCS#7 signature not signed with a trusted key

The Xorg.0.log shows xorg server version is now 1.19.6, but there is still a segmentation violation visible at the end of the file.

Attaching two files, checks2.txt shows libGL* in /usr/lib/nvidia-430 and in /usr/lib/x86_64-linux-gnu tree,
and another report file named 1.nvidia-bug-report.log.gz
checks2.txt (2.41 KB)
1.nvidia-bug-report.log.gz (1.12 MB)

The xorg.log was from a previous boot when the correct symlink was not in place. It now looks like there’s not even an xserver starting now. Looks like Ubuntu 16.04 is now ultimately broken with the nvidia driver, you should rather upgrade to 18.04.

I’m not sure what ‘ultimately broken’ means, although I doubt that you mean irretrievably broken!

I was reluctant to give up on 16.04 for various reasons, not least because others recently reported the same PKCS#7 issue with 18.04, but also because I need a 16.04 environment to support some production apps.

So I persisted, and managed to login successfully.

I noticed that some actions caused the breaking of the symlink /usr/lib/nvidia-430/libGL.so.1, so I had to fix it again.

Although I tried various options in the recovery mode root shell (with networking enabled), these may have been significant:

apt upgrade # this upgraded 5 packages
nvidia-xconfig # to remake /etc/X11/xorg.conf

This allowed desktop login, although the unity launchpad had lost some of its icons; this is easy to restore.

So as regards the cause of the original PKCS#7 signature not signed with a trusted key, with the original 418.56 nvidia driver, I am none the wiser.

But the permanent change to use the graphics-driver ppa (instead of the runfile method) for nvidia driver is now in place.
Thank you for the support.
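Because the thread reports the `libGL.so.1` symlink being broken again by later package actions, here is a check that can be re-run after each upgrade, as an added example that is not part of the original thread. The function name is hypothetical and the expected target `libGL.so.1.7.0` is taken from the posts above.

```shell
#!/bin/sh
# Added example: verify that DIR/libGL.so.1 is a symlink resolving to the
# library named in the thread (libGL.so.1.7.0). Changes nothing on disk.

# check_gl_link DIR [EXPECTED_BASENAME]   (hypothetical helper)
# Prints: ok | missing | not-a-symlink | dangling | wrong-target
# Returns 0 only for "ok", so it can gate a script or a cron check.
check_gl_link() {
    dir=$1
    want=${2:-libGL.so.1.7.0}
    link="$dir/libGL.so.1"

    if [ ! -L "$link" ]; then
        # Either nothing is there, or a regular file replaced the link.
        if [ -e "$link" ]; then echo not-a-symlink; else echo missing; fi
        return 1
    fi
    if [ ! -e "$link" ]; then
        # -L is true but -e follows the link and finds nothing.
        echo dangling
        return 1
    fi
    # Resolve every level of indirection to the final file.
    target=$(readlink -f "$link")
    if [ "$(basename "$target")" != "$want" ]; then
        echo wrong-target
        return 1
    fi
    echo ok
}

# Check each directory given on the command line, for example:
#   ./script /usr/lib/nvidia-430 /usr/lib/x86_64-linux-gnu
rc=0
for d in "$@"; do
    printf '%s: ' "$d"
    check_gl_link "$d" || rc=1
done
[ "$rc" -eq 0 ] || echo "at least one libGL.so.1 link needs attention" >&2
```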