Comment # 30 on bug 947816 from Joey Lee

(In reply to Mike Galbraith from comment #25)
>   
> > So the question is whether you still get this particular error even with the
> > local kernels without CONFIG_KEXEC_VERIFY_SIG.  Please clarify it: whether
> > the same error "kexec_file_load failed: Key was rejected by service" appears
> > even for kernels without that kconfig.
> 
> Yeah, it's SLE/SLERT kernels, and my mainline/stable/tip -rt trees, which I
> also configure with an enterprise derived config.
> 
> With maintenance lag time being what it is, if I want tools that can handle
> all of the kernels I work on, I'm gonna have to fix them up myself anyway,
> so it's not a big hairy deal, it just seems to that you should be able to
> use a stock suse workstation to work on any suse kernel, which you can't.

hm... I tried to build and install a self-signed SLE12-SP2 kernel on openSUSE
42.1. I found the result of loading kernel through kexec-file result that it
doesn't like SLE12-SP2.

On SLE12-SP2, the self-signed kernel works fine to load through kexec-file. But
on openSUSE 42.1, it already returns "Key was rejected by service" then I found
this log in dmesg:

[    3.392659] PKCS7: Sig 1: X.509 chain contains auth-skid nonmatch (1->1)

The same kernel, the same signing process but it got different result on
openSUSE with SLE12 SP2. I guess that it is about the pesign,  mozilla-nss or
openssl.

Hi Mike, 

Did you see the same PKCS7 error message? If yes, then I prefer create another
bug to reflect this situation. 

Thanks