11-18-2019 01:11 PM
I am creating authenticated image which is loaded from uboot via "secure" call ... essentially following #4 on here:
Since I have no PSK, I am using SSK and SPK signature in my bif file. After I got the auth image, I ran bootgen_utility and the Header Table AC is missing the BH signature. It does have the SPK and Partition signature.
The Partition Data AC (for the single image partition) has the BH Signature.
According to UG 1085, BH AC should have BH Signature.
What am I missing ... ????
thanks ...
11-22-2019 11:53 AM - edited 11-22-2019 11:55 AM
Which version of the tools? Can you please post your .bif file and the bootgen command you used?
11-23-2019 05:30 PM
I am on 2018.3
This generates hashes:
bootgen -arch zynqmp -image hash.bif -generate_hashes -w on -log error
hash:
{
[auth_params] ppk_select=0; spk_select=spk-efuse; spk_id=0
[ppkfile] PPK0_pubkey.txt
[sskfile] SPK0_privkey.txt
[spksignature] SPK0_pubkey.pem.sha384.sig
[destination_device=ps,
authentication=rsa,
] temp.bin
}
I sign with openssl and then insert sig into certificate:
AC:
{
[auth_params] ppk_select=0; spk_select=spk-efuse; spk_id=0
[ppkfile] PPK0_pubkey.txt
[sskfile] SPK0_privkey.txt
[spksignature] SPK0_pubkey.pem.sha384.sig
[destination_device=ps,
authentication=rsa,
presign=temp.bin.0.sha384.sig
] temp.bin
}
using
bootgen -arch zynqmp -image ac.bif -o temp.bin.auth -nonbooting -w on -log error
This gives me an image which "secure" is happy with, i.e. no errors. I am finding it strange that the BH sig is missing from the Header AC. I know that "secure" is working, as I tried changing SPK/ppk-select and it would fail for me...
11-25-2019 02:10 PM
In the HSM flow described in UG1283 you have to add the BH signature explicitly to the partition using the attribute [bhsignature]bootheader.sha384.sig. It's stage 7 in Figure 16, page 74.
Now for a single independent partition, the BH signature might not be used by XilSecure when loading, since there's no BH to authenticate in that step.
11-26-2019 11:34 AM
It is not just for the bif files I attached. I looked at my boot.bin which follows the HSM model, and the Header Table AC section does not have bhsignature either. I think this is due to the fact that the header table partition signature is essentially bhsignature.
11-27-2019 09:59 AM
Are you missing the bhsignature entry in your bif?
Stage7a:
{
[fsbl_config] bh_auth_enable
[ppkfile] primary.pub
[spkfile] secondary.pub
[spksignature]secondary.pub.sha384.sig
[bhsignature]bootheader.sha384.sig
[bootimage,authentication=rsa,presign=fsbl.elf.0.sha384.sig]fsbl_e.bin
}