On Wed, Sep 27, 2023 at 3:42 PM cagsm
On Tue, Sep 26, 2023 at 7:27 PM Andrei Borzenkov wrote:
This key is embedded into shim. Normally you do not need to explicitly enroll any key as long as your shim, kernel and additional kernel modules all come from the same vendor (in this case SUSE).
Embedded in the shim? Is this some superior security means in contrast to that MOK stuff?
I do not understand this question, I do not even understand if this is a question or a rant.
Anyhow, that mokutil listing keys only shows opensuse enterprise corporate linux secureboot key.
Which is your problem.
But this virtualbox rpm is built / signed (?) by the opensuse folks and not by the suse enterprise linux folks
...
so is this really a virtual box package bug in opensuse leap 15.5, is
I do not have 15.5 right now, but on 15.4 openSUSE-signkey-cert is recommended by the minimal base pattern. And openSUSE-signkey-cert enrolls its key when it is installed. It does require explicit user intervention during the next boot, which is easy to miss or to misunderstand and ignore. But yes, in general I believe this is the wrong way to do it. Each package that installs signed modules should at least recommend a package containing its signing key.
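
A check for the situation discussed in this thread, added here as an example and not taken from any of the messages: it classifies a module's signer as enrolled, pending (queued but not yet confirmed at boot) or missing. The certificate listings, the CN strings and the module name `vboxdrv` in the comments are constructed sample values and assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Live use on a real system (feed real output instead of the samples):
#   signer=$(modinfo -F signer vboxdrv)       # module name is an assumption
#   key_state "$signer" "$(mokutil --list-enrolled)" "$(mokutil --list-new)"
# Matching on the certificate CN is a quick heuristic; an exact check would
# compare key identifiers or fingerprints instead of names.

# Read a certificate listing on stdin and print the CN of each Subject line.
# Handles both "CN=Name" and "CN = Name" spellings.
enrolled_cns() {
    sed -n 's/^[[:space:]]*Subject:.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed if signer name $1 appears as a Subject CN in the listing on stdin.
signer_is_enrolled() {
    enrolled_cns | grep -Fxq -- "$1"
}

# $1 = signer name, $2 = enrolled listing text, $3 = pending listing text.
# Prints one of: enrolled, pending, missing.
key_state() {
    if printf '%s\n' "$2" | signer_is_enrolled "$1"; then
        echo enrolled
    elif printf '%s\n' "$3" | signer_is_enrolled "$1"; then
        # The key was queued by a package but still needs confirmation
        # in the MOK manager screen during the next boot.
        echo pending
    else
        echo missing
    fi
}

# Constructed sample listings (not captured from a real machine).
SAMPLE_ENROLLED='[key 1]
        Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, O=SUSE'
SAMPLE_PENDING='[key 1]
        Subject: CN = openSUSE Secure Boot Signkey, C = DE, O = openSUSE Project'

# Module signed with a key that is only queued: reports "pending".
key_state "openSUSE Secure Boot Signkey" "$SAMPLE_ENROLLED" "$SAMPLE_PENDING"
```

A result of `pending` means the enrollment prompt at the next boot still has to be accepted; `missing` means no installed package has queued the key at all.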