https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c13

Joey Lee <jlee@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(jlee@suse.com)    |

--- Comment #13 from Joey Lee <jlee@suse.com> ---
(In reply to Michal Suchanek from comment #12)
> The key should be enrolled automagically but the --ignore-keyring option is
> not used.
> If it's now needed to successfully enroll the key it needs to be added in the
> scripts.

I prefer to keep the logic for checking the keyring (the --ignore-keyring option can disable it) but not add it to the scripts. This mokutil function was added to prevent the nvram space from being wasted. When a shim and kernel are produced by the same project, the shim should have an openSUSE CA embedded so that it can verify the kernel that is signed by the openSUSE signkey. And the kernel has an openSUSE signkey embedded. So we don't need to enroll the openSUSE signkey to MOK. It can save the limited nvram space of the firmware.

About this issue, the user installed a kernel that is signed by another project (Kernel OBS Project/emailAddress=Kernel@build.opensuse.org, in this case). So shim's embedded CA cannot verify the non-openSUSE signed kernel. And mokutil checks that the signkey is in the kernel keyring, because it is embedded by the kernel. So the key cannot be auto-enrolled.