http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c8
--- Comment #8 from Joey Lee
(In reply to Dominique Leuenberger from comment #0)
## Observation [...snip] ## Reproducible
Fails since (at least) Build [20191217](https://openqa.opensuse.org/tests/1116837)
There is an "auth-skid nonmatch" warning in the log:
09:20:07 <2> +0x30d0b : digest ok
[ 46.993433] PKCS7: Sig 1: X.509 chain contains auth-skid nonmatch (1->1)
[ 46.994295] kexec_file: kernel signature verification failed (-129).
09:20:07 <2> util_run+0xb8 : exec: kexec -a -l /download/file_0017 --initrd=/download/file_0018 --append='initrd=initrd splash=silent install=http://download.opensuse.org/tumbleweed/repo/oss/ Y2DE kexec=0' = 255
The issuer_check_skid case in pkcs7_verify_one()->pkcs7_verify_sig_chain(), in "Verify the internal certificate chain", failed. But I do not see changes in this code path between v5.3 and v5.4.
The public_key_verify_signature() function should succeed before the kernel runs into pkcs7_verify_sig_chain(). Was our kernel signed successfully?
Sorry, I was wrong: public_key_verify_signature() is successful, but the pkcs7_verify_sig_chain() verification failed. The built-in certificate is loaded successfully by the kernel when booting:
[ 2.841526] Loaded X.509 cert 'openSUSE Secure Boot Signkey: 0332fa9cbf0d88bf21924b0de82a09a54d5defc8'
Based on the code in pkcs7_verify_one(), the kernel found the key (I think the built-in key) that matches the pkcs7 signature information on the crash kernel. The strange thing is that the signature passes the verification with the built-in kernel, but the further pkcs7_verify_sig_chain() step failed in the found_issuer_check_skid case.
Can anyone help to attach the certificate of "openSUSE Secure Boot Signkey" please?