https://bugzilla.suse.com/show_bug.cgi?id=1191480 https://bugzilla.suse.com/show_bug.cgi?id=1191480#c2 --- Comment #2 from Michal Suchanek <msuchanek@suse.com> --- The kernel is signed but pesign signatures are apprently write-only there is no tool to tell you with which key specifically. sbverify --list kernel-default-5.14.10-2.1.g2878fd1.x86_64/usr/lib/modules/5.14.10-2.g2878fd1-default/vmlinuz signature 1 image signature issuers: - /CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org image signature certificates: - subject: /CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org issuer: /CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org It verifies with the project certificate here: https://build.opensuse.org/projects/Kernel:stable/ssl_certificate sbverify --cert ~/Downloads/ssl_certificate.txt ~/Downloads/kernel-default-5.14.10-2.1.g2878fd1.x86_64/usr/lib/modules/5.14.10-2.g2878fd1-default/vmlinuz Signature verification OK The kernel package contains etc/uefi/certs/6A4E915C.crt so you can check that mokutil --list contains a certificate with hash starting with 6A4E915C and enroll it if not. Verifies with this certificate as well: openssl x509 --inform DER --outform PEM --in ~/Downloads/kernel-default-5.14.10-2.1.g2878fd1.x86_64/etc/uefi/certs/6A4E915C.crt
/tmp/cert sbverify --cert /tmp/cert ~/Downloads/kernel-default-5.14.10-2.1.g2878fd1.x86_64/usr/lib/modules/5.14.10-2.g2878fd1-default/vmlinuz Signature verification OK
-- You are receiving this mail because: You are the assignee for the bug.