Marcus Meissner wrote:
> On Fri, Aug 29, 2014 at 10:27:24AM -0500, Neil Rickert wrote:
>> On Fri, 29 Aug 2014 08:08:21 +0000 (GMT) Ludwig Nussel <ludwig.nussel@suse.de> wrote:
>>> ==== shim ====
>>> - Add shim-update-openssl-0.9.8zb.patch to update openssl to 0.9.8zb
>>
>> I am getting "Invalid secure-boot signature". Is there a problem with shim?
>> I can boot with secure-boot off, or I can boot using opensuse 13.1 and the appropriate boot menu entry. But I cannot secure-boot with factory installed shim.efi.
>
> If shim was not resigned after above change, this seems expected.

Yes. We don't check for valid MS signatures in staging projects so source changes of shim that break the signature are not detected. The question is whether we want that or not.

If we only allow shim into Factory if it has a valid MS signature we make our rolling distro depend on the UEFI signing service and the poor guy who has to manually submit shim for signing all the time. If we don't want to wait for MS, a machine with secure boot enabled may not boot Factory. One has to either disable secure boot or import the openSUSE CA into the UEFI firmware.

So we can take a conscious decision here and define a policy.

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)