| What | Removed | Added |
|---|---|---|
| URL | | https://github.com/openSUSE/suse-module-tools/pull/48/commits/1bbbe4c04286ba917c9f5dc5817927d017447d95 |
Proposed fix https://github.com/openSUSE/suse-module-tools/pull/48/commits/1bbbe4c04286ba917c9f5dc5817927d017447d95

(In reply to Joey Lee from comment #13)
> (In reply to Michal Suchanek from comment #12)
> > The key should be enrolled automagically but the --ignore-keyring option is
> > not used.
> >
> > If it's now needed to successfully enroll the key it needs to be added in the
> > scripts.
>
> I prefer to keep the logic for checking the keyring (the --ignore-keyring option can
> disable it) but not add it to the scripts.
>
> This mokutil function was added to prevent NVRAM space from being wasted.
> When a shim and kernel are produced by the same project, the shim should have
> an openSUSE CA embedded so that it can verify a kernel signed by the
> openSUSE signkey. And the kernel has the openSUSE signkey embedded. So we
> don't need to enroll the openSUSE signkey into MOK. It saves the limited NVRAM space
> of the firmware.
>
> About this issue: the user installed a kernel signed by another project
> (Kernel OBS Project/emailAddress=Kernel@build.opensuse.org, in this case).
> So shim's embedded CA cannot verify the non-openSUSE-signed kernel. And
> mokutil checks whether the signkey is in the kernel keyring, because it is embedded by
> the kernel. So the key cannot be auto-enrolled.

Then the check is wrong. The CA check should suffice to not enroll keys needlessly. On the other hand, kernel keys should be enrolled, and they are expected to be in the kernel keyring, so checking against the kernel keyring is pointless for kernel keys.
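The enrollment decision argued about above, as an added model written for this page (it is not mokutil's or suse-module-tools' code). Certificates are reduced to subject/issuer strings, and all names (the CA subjects, the "Kernel OBS Project" signkey, the system contents) are constructed sample data. The model shows the three outcomes the thread describes: a key that shim's embedded CA can already verify is skipped to save NVRAM, a kernel key that shim cannot verify is blocked by the kernel-keyring check, and the same key is enrolled once that check is disabled, which is what passing --ignore-keyring does.

```python
"""Model of MOK auto-enrollment as discussed in the bug (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the CA that signed this cert


@dataclass(frozen=True)
class System:
    shim_cas: frozenset        # CA subjects embedded in shim
    mok_list: frozenset        # subjects already enrolled in MOK (NVRAM)
    kernel_keyring: frozenset  # subjects built into the running kernel


def verifiable_by_shim(cert: Cert, system: System) -> bool:
    """shim can verify a kernel whose signing key is issued by an embedded CA."""
    return cert.issuer in system.shim_cas


def should_enroll(cert: Cert, system: System, ignore_keyring: bool = False):
    """Return (enroll?, reason) for a kernel signing key.

    ignore_keyring=False models the keyring check the thread calls wrong for
    kernel keys; ignore_keyring=True models running with --ignore-keyring.
    """
    if cert.subject in system.mok_list:
        return False, "already enrolled in MOK"
    if verifiable_by_shim(cert, system):
        # The CA check alone is enough to avoid needless enrollment.
        return False, "shim's embedded CA already verifies this key"
    if not ignore_keyring and cert.subject in system.kernel_keyring:
        # Kernel keys are always in the kernel keyring, so this check blocks
        # exactly the keys that need enrolling (the Kernel OBS case).
        return False, "blocked: key found in kernel keyring"
    return True, "not verifiable by shim and not in MOK"


# Constructed sample data (names are illustrative, not real certificates).
OPENSUSE_CA = "openSUSE Secure Boot CA (constructed)"
OPENSUSE_SIGNKEY = Cert("openSUSE Secure Boot Signkey (constructed)", OPENSUSE_CA)
KERNEL_OBS_KEY = Cert("Kernel OBS Project (constructed)", "Kernel OBS Project (constructed)")

# A system running the distribution shim with a Kernel OBS kernel installed.
SYSTEM = System(
    shim_cas=frozenset({OPENSUSE_CA}),
    mok_list=frozenset(),
    kernel_keyring=frozenset({OPENSUSE_SIGNKEY.subject, KERNEL_OBS_KEY.subject}),
)


def walk_through():
    """Evaluate the three cases from the thread; returns a dict of outcomes."""
    return {
        "opensuse_signkey": should_enroll(OPENSUSE_SIGNKEY, SYSTEM),
        "kernel_obs_with_keyring_check": should_enroll(KERNEL_OBS_KEY, SYSTEM),
        "kernel_obs_ignore_keyring": should_enroll(KERNEL_OBS_KEY, SYSTEM, ignore_keyring=True),
    }


if __name__ == "__main__":
    for case, (enroll, reason) in walk_through().items():
        print(f"{case}: enroll={enroll} ({reason})")
```

The openSUSE signkey is never enrolled regardless of the flag, so skipping the keyring check costs no NVRAM for the common case; only keys shim cannot verify reach the enrollment step, which is the behaviour the proposed fix relies on.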