[opensuse-factory] Kernel of the Day has invalid signature
Hi,

I have Secure Boot enabled in UEFI. Both Leap and Tumbleweed boot fine. I added Kernel of the Day and now Grub complains that it has an invalid signature.

If I change Secure Boot settings from "Microsoft & 3rd party CA" to "none" I can boot the kernel fine. However, that makes for an ugly UEFI startup screen.

Kind regards, Michael

On 28 April 2016 at 18:51, Michael Melcher wrote:
> Hi,
>
> I have Secure Boot enabled in UEFI. Both Leap and Tumbleweed boot fine. I added Kernel of the Day and now Grub complains that it has an invalid signature.
>
> If I change Secure Boot settings from "Microsoft & 3rd party CA" to "none" I can boot the kernel fine. However, that makes for an ugly UEFI startup screen.
>
> Kind regards, Michael

Are you sure this is not intentional? I am not sure, but I imagine it would be hard to offer a KOTD that was correctly signed, given it typically takes longer than a day to get them signed..

28.04.2016 20:45, Richard Brown wrote:
> On 28 April 2016 at 18:51, Michael Melcher wrote:
>> Hi,
>>
>> I have Secure Boot enabled in UEFI. Both Leap and Tumbleweed boot fine. I added Kernel of the Day and now Grub complains that it has an invalid signature.
>>
>> If I change Secure Boot settings from "Microsoft & 3rd party CA" to "none" I can boot the kernel fine. However, that makes for an ugly UEFI startup screen.
>>
>> Kind regards, Michael
>
> Are you sure this is not intentional? I am not sure, but I imagine it would be hard to offer a KOTD that was correctly signed, given it typically takes longer than a day to get them signed..

Yes, KOTD is not signed by the standard openSUSE key. I still think it would be useful to ship the key together with the kernel package, so that users could enroll it manually. We do it for GRUB.

On 2016-04-29 05:38, Andrei Borzenkov wrote:
> 28.04.2016 20:45, Richard Brown wrote:
>> On 28 April 2016 at 18:51, Michael Melcher wrote:
>>> Hi,
>>>
>>> I have Secure Boot enabled in UEFI. Both Leap and Tumbleweed boot fine. I added Kernel of the Day and now Grub complains that it has an invalid signature.
>>>
>>> If I change Secure Boot settings from "Microsoft & 3rd party CA" to "none" I can boot the kernel fine. However, that makes for an ugly UEFI startup screen.
>>>
>>> Kind regards, Michael
>>
>> Are you sure this is not intentional? I am not sure, but I imagine it would be hard to offer a KOTD that was correctly signed, given it typically takes longer than a day to get them signed..
>
> Yes, KOTD is not signed by the standard openSUSE key. I still think it would be useful to ship the key together with the kernel package, so that users could enroll it manually. We do it for GRUB.

It used to be done this way and the code for that is still in kernel-binary.spec.in, but has not been updated for 4.3+. Can you enter a bug report for this?

Thanks, Michal

participants (4)
- Andrei Borzenkov
- Michael Melcher
- Michal Marek
- Richard Brown