diff --git a/flake.nix b/flake.nix
index 229af44..04ea3e5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -139,7 +139,10 @@
             };
           };
         };
-        mkUnsignedTest = { name, path }: mkSecureBootTest {
+
+        # Execute a boot test that is intended to fail.
+        #
+        mkUnsignedTest = { name, path, appendCrap ? false }: mkSecureBootTest {
           inherit name;
           testScript = ''
             import json
@@ -156,10 +159,14 @@
             src_path = ${path.src}
             dst_path = ${path.dst}
             machine.succeed(f"cp -rf {src_path} {dst_path}")
+          '' + lib.optionalString appendCrap ''
+            machine.succeed(f"echo Foo >> {dst_path}")
+          '' +
+          ''
             machine.succeed("sync")
             machine.crash()
             machine.start()
-            machine.wait_for_console_text("panicked")
+            machine.wait_for_console_text("Hash mismatch")
           '';
         };
       in
@@ -211,13 +218,21 @@
             assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
           '';
           };
+
+          # The initrd is not directly signed. Its hash is embedded
+          # into lanzaboote. To make integrity verification fail, we
+          # actually have to modify the initrd. Appending crap to the
+          # end is a harmless way that would make the kernel still
+          # accept it.
           is-initrd-secured = mkUnsignedTest {
             name = "unsigned-initrd-do-not-boot-under-secureboot";
             path = {
               src = "bootspec.get('initrd')";
               dst = "convert_to_esp(bootspec.get('initrd'))";
             };
+            appendCrap = true;
           };
+
           is-kernel-secured = mkUnsignedTest {
             name = "unsigned-kernel-do-not-boot-under-secureboot";
             path = {