What | Removed | Added |
---|---|---|
Flags | needinfo?(glin@suse.com) | |
(In reply to Andrei Borzenkov from comment #15)
> It actually looks like shim is simply ignoring any enrolled key. Leap shim
> is not able to load anything except grub.efi shipped with openSUSE, even
> though my key is claimed to be enrolled.
>
> Same problem with Ubuntu 14.04 shim BTW. Ubuntu has shim 0.8 and Leap shim
> 0.9. But with both of them I am not able to load anything signed by
> non-default key. I am able to load another shim which is signed by Microsoft
> though ...
>
> This makes it rather hard to test anything. Gary, are there any known issues
> here? I try to test custom grub2 and shim cannot verify image although I
> enrolled my custom key (packaged with grub2) using MokManager.

In case you're using the key from open build service, there is a known issue that the updated openssl (1.0.2d) in shim checks the key attributes more strictly. The open build service used to generate the self-signed key without the "key signing" attribute. It's accepted by openssl-0.9.8* but openssl-1.0.* treats it as an invalid key. The open build service already fixed the key attribute, but the user has to do "osc signkey --extend" to update the key attribute and enroll the updated key.