Gary Ching-Pang Lin changed bug 954126
What  | Removed                  | Added
Flags | needinfo?(glin@suse.com) |

Comment # 17 on bug 954126 from
(In reply to Andrei Borzenkov from comment #15)
> It actually looks like shim is simply ignoring any enrolled key. Leap shim
> is not able to load anything except grub.efi shipped with openSUSE, even
> though my key is claimed to be enrolled.
> 
> Same problem with Ubuntu 14.04 shim BTW. Ubuntu has shim 0.8 and Leap shim
> 0.9. But with both of them I am not able to load anything signed by
> non-default key. I am able to load another shim which is signed by Microsoft
> though ...
> 
> This makes it rather hard to test anything. Gary, are there any known issues
> here? I try to test custom grub2 and shim cannot verify image although I
> enrolled my custom key (packaged with grub2) using MokManager.

In case you're using the key from open build service, there is a known issue
that the updated openssl(1.0.2d) in shim checks the key attributes more
strictly. The open build service used to generate the self-signed key without
the "key signing" attribute. It's accepted by openssl-0.9.8* but openssl-1.0.*
treats it as an invalid key. The open build service already fixed the key
attribute but the user has to do "osc signkey --extend" to update the key
attribute and enroll the updated key.
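
A way to check a certificate for the attribute described in the comment above before enrolling it with MokManager. This is an added example, not part of the bug report or of shim. It assumes the "key signing" attribute is the keyCertSign bit ("Certificate Sign") of the X509v3 Key Usage extension; `make_cert` and `check_mok_cert` are hypothetical helper names, and the certificates are constructed throwaway ones.

```shell
#!/bin/sh
# Added example. Assumption: the "key signing" attribute is keyCertSign
# ("Certificate Sign") in the X509v3 Key Usage extension.

# make_cert KEYUSAGE OUT.pem: constructed throwaway self-signed certificate.
make_cert() {
    cfg=$(mktemp)
    printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n[dn]\nCN=constructed-test-key\n[ext]\nkeyUsage=%s\n' "$1" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$2.key" -out "$2" 2>/dev/null
    rc=$?
    rm -f "$cfg" "$2.key"
    return $rc
}

# check_mok_cert CERT.pem: prints OK, NO_KEYUSAGE, MISSING_CERT_SIGN or UNREADABLE.
check_mok_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo UNREADABLE; return 2; }
    # The usage values are printed on the line after the extension name.
    usage=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    case "$usage" in
        "")                   echo NO_KEYUSAGE ;;   # extension absent: no usage restriction stated
        *"Certificate Sign"*) echo OK ;;
        *)                    echo MISSING_CERT_SIGN; return 1 ;;
    esac
}

# Demonstration on two constructed certificates.
d=$(mktemp -d)
make_cert digitalSignature "$d/old.pem"               # key usage without certificate signing
make_cert digitalSignature,keyCertSign "$d/new.pem"   # key usage with certificate signing
echo "old: $(check_mok_cert "$d/old.pem")"
echo "new: $(check_mok_cert "$d/new.pem")"
rm -rf "$d"
```

The function reads PEM input; for a DER-encoded certificate, add `-inform DER` to the `openssl x509` call.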

