Comment # 6 on bug 1173115 from 
ok, got it. It's caused by CONFIG_MODULE_SIG=y. With that enabled, the %post
snippet wants to import the extra cert. It's not imported directly but rather
added to some "to be imported queue" for next reboot. On reboot, a dialog with
a 10s timeout is shown before grub. It asks to press a key to enter Mok key
management. To actually import the key, one has to perform several steps in
that wizard, including entering the root password.
Not pressing a key will just continue boot, not import the key and don't bother
anymore (until the next kernel update?).

In other words, the whole stunt seems pointless and just confusing. Since
kernel module signatures chain back to the secure boot CA built into shim we
don't need that extra cert anyways, right? So can we just skip importing it?

You are receiving this mail because: