How to upgrade Zorin 16.2 to a newer kernel

In this tutorial we are going to explain how to upgrade the Kernel of Zorin to a newer or latest Kernel.
The reasons for upgrading are not only to be found in the necessity for latest and new drivers, but as well in better battery-management, as well in better processor-management, as well for developpers in global.

Frist we are going to install Ubuntu's Mainline Tool that helps us managing Kernels in a decent and easy to interprete GUI.

sudo add-apt-repository ppa:cappelikan/ppa

sudo apt update

sudo apt install -y mainline

After the installation you'll find Ubuntu Mainline Kernel ...... in your Global Menu of Zorin.
In the Kernels higher than there is a global upgrade of the libssl3 package. This package is not installable in Zorin, because Zorin is based on Ubuntu 20.04 and on that point all is running behind of the latest development.
So we are going to drag in the REPO of Ubuntu 22.04 Jammy Jellyfish

> sudo add-apt-repository "deb jammy main"

This will add the REPO of 22.04 into Zorin ! Run after the adding a simpel

sudo apt update

sudo apt install libssl3

This will install the required pack for the latest kernels higher than
Remove now the REPO of Ubuntu 22.04 before you do anything else

> sudo add-apt-repository --remove "deb jammy main"

sudo apt update

reloading the indexes of your Zorin installation.

Now we are simply install a newer Kernel. I did the install of version 6.0.9 -xxxx what is the latest stable kernel for Zorin to use.
Open Ubuntu Mainline Tool and search in the field for 6.0.9 kernel and simply click install
During this install you get a prompt for upgrading some requirements. click YES on that point Mainline will install the Kernel as well as some upgrade system packs (THIS WILL NOT BREAK THE SYSTEM AT ALL !!!)
Click close screen when the installer is done.
Reboot, and you are now on Kernel 6.0.9 or the kernel you have installed.

Ubuntu Mainline offers as well an uninstaller of older kernels , if you don't want the remains of 5.15 on the system just use the tool for easy removal (one by one ! )
You'll have Zorin 16.2 ,Gnome 3.38 shell running on the latest stable kernel.
Better Boot-times is a benefit on the way lol .


A piece of advise extra and a warning :

There is an update for Kernel 6.0.9 , being Kernel 6.0.19 -- that is stable and good : no issues at all with Zorin 16.2

However, the mainline tool will show that Kernel 6.1.15 is also ready for testing and download.
Don't install this Kernel yet. It causes total freezes of Gnome after resume from suspend. I saw there is an issue on 'reloading' the Nouveau-driver when resuming from suspend. Reported of course as a 'bug' by many now.

So keep away from now from the latest Kernel 6.1.xxxxxxx as there seem to be a lot of bugs.
The total freeze requiers a Hard Reset ... no KB, no terminal, no ... nothing .....

1 Like

One error in your first post, due to the forum code misinterpreting the text:

sudo add-apt-repository "deb Index of /ubuntu jammy main"

sudo add-apt-repository --remove "deb Index of /ubuntu jammy main"

... isn't showing up correctly. It shows up as:
sudo add-apt-repository "deb Index of /ubuntu 1 jammy main"
sudo add-apt-repository --remove "deb Index of /ubuntu 1 jammy main"
... and that borks /etc/apt/sources.list such that one cannot even do a sudo apt update.

The fix is to manually edit /etc/apt/sources.list to remove the errant entry, then do sudo apt update, then issue the proper commands:

sudo add-apt-repository "deb jammy main"

sudo add-apt-repository --remove "deb http://ca/ jammy main"

I wrapped the text above in preformatted text tags... otherwise the forum code did the same to that text as it did to yours.

I tried 6.0.19... SecureBoot borked it, it said the signature was invalid, so I disabled SecureBoot and tried to boot 6.0.19 again... it stalled mid-boot, just after mounting the last drive (/dev/sdg).

So I rebooted into the current kernel, uninstalled 6.0.19, and installed 6.0.9. It, too, stalled mid-boot, just after mounting the last drive.

The same thing happens for any kernel later than the current one... apparently it's not loading ZFS.

But I will say, with SecureBoot disabled and libssl3 installed, boot is much snappier on the current kernel.

1 Like

Edited OP to include markdown backticks, removing the issue of Index of /ubuntu as a link.

1 Like

Well, I got from the Forumbot now a little training on some things. Thank you for correcting the code .

ZFS I had not yet tested ... I figured it would work ootb. Turns out to be indeed a no show. So I tuned up Ubuntu 22.10 to see what happens, but I ran (run ) a little out of time of private small issues.

3 posts were split to a new topic: Issues and results of How to upgrade Zorin 16.2 to a newer kernel

In the upgrades to a latest kernel development is going very fast.
We are at the point that kernel 6.1.12 is now patched AND is a release canditate for LTS .... so a version you can use for a long time.

However Kernel 6.2 is out as well, but STAY AWAY from this version if you have a Broadcom Wifi situation. Reason: the bug makes your hardware as 'unknown' to the system and comments as PCI-bridge error , unknown hardware found.
Lspci - k in the Terminal showed regardless the errror, indeed the Broadcom Wifi-card as ready to use. This was a Kernel bug !!!!!

Newest Kernel 6.2.1 is now up and running smooth and well. No Broadcom errors anymore. No freezes, no problems of any kind.

Note: Kernel 6.2.1 installs with a lot of Nvidia/ firmware - errors and missing links.
This kernel has now ALL Broadcom-drivers onboard: meaning no extra drivers to install, no special requirements for using this Brand in the system.
Of course, this kernel is a lot more than just Broadcom on board, and a big reason for using this version is : a LOT of RUST is used in the coding of kernel-parts.

Hi, I think secure boot is enabled on your computer, and if I remember well, installing kernel through mainline will not sign it. I wrote some script to sign kernel with OS installation generated certificate.
Tomorrow I will search for it and share here.

Hi, so 2 scripts, one to install mainline, one to sign latest kernel for secure boot:


sudo add-apt-repository "deb jammy main"

sudo apt update -y && sudo apt install -y libssl3

sudo add-apt-repository --remove "deb http://ca/ jammy main"

sudo apt update -y

sudo add-apt-repository -y ppa:cappelikan/ppa

sudo apt update -y && sudo apt install -y mainline


# we create alias ll
alias ll='ls -alFh'

# we use OS installation certificate to sign the new kernel for secure boot

# we find the last kernel version and files to sign
LASTKERNEL=$(ls -td /lib/modules/*/ | head -1) && LASTKERNEL=$(echo $LASTKERNEL| cut -d'/' -f 4)

SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )


# we create openssl.cnf to sign files
function generation {

    \rm /tmp/openssl.cnf

    tee -a /tmp/openssl.cnf >/dev/null <<'EOF'
# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = /var/lib/shim-signed/mok/.rnd 
[ req ]
distinguished_name      = req_distinguished_name
x509_extensions         = v3
string_mask             = utf8only
prompt                  = no

[ req_distinguished_name ]
countryName             = FR
stateOrProvinceName     = PARIS
localityName            = PARIS
0.organizationName      = ZORIN
commonName              = Secure Boot Signing
emailAddress            =

[ v3 ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical,CA:FALSE
extendedKeyUsage        = codeSigning,
nsComment               = "OpenSSL Generated Certificate"

     openssl req -config /tmp/openssl.cnf \
        -new -x509 -newkey rsa:2048 \
        -nodes -days 36500 -outform DER \
        -keyout "/var/lib/shim-signed/mok/MOKKERNEL.priv" \
        -out "/var/lib/shim-signed/mok/MOKKERNEL.der"


# we sign files and create MOK.pem, because it doesn't exist
if [ -f "$FILE" ]
    echo "$FILE exists."
   sudo bash -c "$(declare -f generation); generation"

if [ -f "$FILE" ]
    echo "$FILE exists."
   sudo openssl x509 -in $MOKDER -inform DER -outform PEM -out $MOKPEM
    sudo mokutil --import $MOKDER

sudo sbsign --key $MOKPRIV --cert $MOKPEM $KERNELFILE --output $KERNELFILE.signed

sudo cp $INITFILE $INITFILE.signed

if [ -f "$FILE" ]
    sudo \rm /tmp/openssl.cnf

sudo update-grub

SIGNED="/boot/"$(ls /boot|grep signed|grep vm)

echo "Your signed kernel file is: $SIGNED"

Hi, I corrected names because is installation generated (and from memory it can't sign kernels).

So this corrected script will create your own signing certificate dedicated to kernel signing, don't use it for anything else, it's only meant to sign kernels...

For now everything is OK, you can keep secure boot enabled (security in mind) and sign your fresh kernel.

Mokutil is the tool wich will load your cert in your bios, and it will ask for a password, use some easy one like ertyerty wich is not dependent on your keyboard layout azerty/qwerty...

Then reboot, bios will load blue screen mok manager, select enroll key, type your password you entered in my script, and tada, you can boot your kernel.signed

Capture d’écran du 2023-04-21 08-19-21

To the mainline dev, you can use my script, I don't care.

While the devs may appreciate a way to faux-sign their ISOs, wouldn't it be easier for a user just to disable secure boot?

Wouldn't users have to inject this into the iso for secure boot not to scream?

This helps installed kernels, but it is recommended that newer kernels only be used when hardware requires. Upgrading beyond the recommended and offered kernels are a recipe for issues. While this tutorial is very well defined, the error prone human element can not be removed. Some will find themselves in Ubuntu, while others may crash their systems. Having them attempt to self-sign the kernels as well could have disastrous results.

Are all of the kernels coming from Paris then? Does this script need to be adjusted for locale? How does this benefit the user when a simple solution and the Zorin recommendation is to disable secure boot until the installation is complete?

Hi, in my case, I have the famous essx8336 sound chip, and I need a newer kernel.
So with my script I can update my kernel and sign it for secure boot.
With last linux mint iso and my fresh bios update (thanks to dell), I can't boot, even by manually adding keys to secure boot. Cert problem. SO I disable secure boot, install, boot new os, update kernel from official updates (no mainline), resign the kernel and enable secure boot, no issue.

When I read all your work, I confess that I am more a noob compared to this expertise and great work. Schooling just might be the answer for me, when I see what a Pro all can do. Really congratulations on this script, I never saw that kind of quality in my life before. It makes me even happy that the learning curve goes much more further.
Are there any, if any, books you would recommend for a experienced noob like me ?
You really blew me out of the water with this ...... 'job'- script.
If I understand a little bit of it, then 90% of the script I don't even understand at all.
Linux and Facebook does not learn much .... I understand now.
Congratulations on this fine piece of work !
--- Joris

1 Like