Comment # 21 on bug 1195118 from Lukas Ocilka

(In reply to Takashi Iwai from comment #18)
> Currently it's a simple %post script triggering from openSUSE-signkey-cert
> package.  If we need an extra procedure after the root passwd setup in the
> installation step, it has to be executed manually?

Has this actually ever worked during installation? Has the feature been tested
only on a running system where root obviously already has their hash in shadow?
I'm trying to track it down by finding a working state and this one (15.3) to
find the difference.

The reason why I mentioned 15.4 is that we were changing some internal logic
recently, but that would not change already release products.

As far as I can see, this is actually a new thing in 15.3:
https://build.opensuse.org/package/view_file/openSUSE:Leap:15.3/openSUSE-signkey-cert/openSUSE-signkey-cert.changes?expand=1