On 23.07.2021 19:49, Larry Finger wrote:
> In boo#1188475, a user with secure boot enabled is having trouble loading the VirtualBox modules. When he runs the 'mokutil -l' command, the only key he has installed is "SUSE Linux Enterprise Secure Boot CA", but the vbox modules are signed with "openSUSE Secure Boot CA".
> There have been no other complaints about this problem. Either most users have secure boot off as I do, or a fresh install (not upgrade) gets different keys.
> Is there any easy way to instruct him to add that additional key? What package is supposed to have that key?

The key /etc/uefi/certs/BDD31A9E-kmp.crt is provided by openSUSE-signkey-cert:

    Issuer: CN = openSUSE Secure Boot CA, C = DE, L = Nuremberg, O = openSUSE Project, emailAddress = email@example.com
    Subject: CN = openSUSE Secure Boot Signkey, C = DE, L = Nuremberg, O = openSUSE Project, emailAddress = firstname.lastname@example.org
    SHA1 Fingerprint=BD:D3:1A:9E:0F:7E:D3:12:76:84:65:E6:57:8E:0D:C0:00:64:46:16

This package is not required by anything; it is recommended by the base pattern and suggested by openSUSE-release. So if you disabled recommends (solver.onlyRequires=true) you won't get it.
Of course, installing this package just creates an enrollment request; it is easy to miss MokManager on reboot, and my feeling is that no user is aware of what password is expected anyway, so they just give up even if they happen to actually see MokManager. And shim deletes all enrollment requests, so it is a one-time offer.
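
As an added example (not part of the original message and not code from any openSUSE package): a shell check that reports whether the certificate named in the reply is enrolled, still waiting in a MokManager request, or absent because the request was missed and deleted. The function names are hypothetical, and the parsing assumes that `mokutil` and `openssl` print fingerprint lines as "SHA1 Fingerprint" followed by ":" or "=" and colon-separated hex.

```shell
#!/bin/sh
# Added example, not from the thread. Certificate path is the one quoted in
# the reply; its SHA1 fingerprint there begins BD:D3:1A:9E.
CERT=/etc/uefi/certs/BDD31A9E-kmp.crt

# Reduce every "... Fingerprint=AA:BB" / "... Fingerprint: aa:bb" line on
# stdin to bare lowercase hex, one fingerprint per line.
norm_fingerprints() {
    sed -n 's/^.*[Ff]ingerprint[=:][[:space:]]*//p' | tr -d ': \r' | tr 'A-F' 'a-f'
}

# mok_status FINGERPRINT ENROLLED_TEXT PENDING_TEXT
# Prints "enrolled", "pending" (request exists, MokManager must be completed
# on the next reboot) or "missing" (no key and no request).
mok_status() {
    want=$(printf 'Fingerprint=%s\n' "$1" | norm_fingerprints)
    if [ -z "$want" ]; then
        echo missing
    elif printf '%s\n' "$2" | norm_fingerprints | grep -qx "$want"; then
        echo enrolled
    elif printf '%s\n' "$3" | norm_fingerprints | grep -qx "$want"; then
        echo pending
    else
        echo missing
    fi
}

# Live check: only runs where mokutil, openssl and the certificate exist.
if command -v mokutil >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 \
   && [ -r "$CERT" ]; then
    # The file may be DER or PEM encoded, so try both.
    fp=$(openssl x509 -inform DER -in "$CERT" -noout -fingerprint -sha1 2>/dev/null ||
         openssl x509 -inform PEM -in "$CERT" -noout -fingerprint -sha1 2>/dev/null)
    state=$(mok_status "$fp" "$(mokutil --list-enrolled 2>/dev/null)" \
                             "$(mokutil --list-new 2>/dev/null)")
    echo "$CERT: $state"
    if [ "$state" = missing ]; then
        # mokutil --import asks for a one-time password; MokManager asks for
        # that same password on the next boot.
        echo "No pending request. As root: mokutil --import $CERT"
    fi
fi
```

A result of "pending" means the next reboot is the only chance to confirm the key in MokManager before the request is discarded.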