Replying to Martin Wilck comment #48 >The scriptlets in the kernel rpm are written so that the keys won't be >deleted as long as the system still has one kernel installed that needs them. That cannot actually work. I might have more than one openSUSE system installed on my computer, and those systems all share the same list of enrolled keys. The rpm scripts can only check what is needed for the particular system where it is running.