https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c2
--- Comment #2 from Michal Suchanek ---
The kernel is signed but pesign signatures are apprently write-only there is no
tool to tell you with which key specifically.
sbverify --list
kernel-default-5.14.10-2.1.g2878fd1.x86_64/usr/lib/modules/5.14.10-2.g2878fd1-default/vmlinuz
signature 1
image signature issuers:
- /CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org
image signature certificates:
- subject: /CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org
issuer: /CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org
It verifies with the project certificate here:
https://build.opensuse.org/projects/Kernel:stable/ssl_certificate
sbverify --cert ~/Downloads/ssl_certificate.txt
~/Downloads/kernel-default-5.14.10-2.1.g2878fd1.x86_64/usr/lib/modules/5.14.10-2.g2878fd1-default/vmlinuz
Signature verification OK
The kernel package contains etc/uefi/certs/6A4E915C.crt so you can check that
mokutil --list contains a certificate with hash starting with 6A4E915C and
enroll it if not.
Verifies with this certificate as well:
openssl x509 --inform DER --outform PEM --in
~/Downloads/kernel-default-5.14.10-2.1.g2878fd1.x86_64/etc/uefi/certs/6A4E915C.crt
/tmp/cert
sbverify --cert /tmp/cert
~/Downloads/kernel-default-5.14.10-2.1.g2878fd1.x86_64/usr/lib/modules/5.14.10-2.g2878fd1-default/vmlinuz
Signature verification OK
--
You are receiving this mail because:
You are the assignee for the bug.