https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c6

Yan Huang <yan.huang@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(yan.huang@suse.co |
                   |m)                          |

--- Comment #6 from Yan Huang <yan.huang@suse.com> ---
Created attachment 853088
  --> https://bugzilla.suse.com/attachment.cgi?id=853088&action=edit
mokutil --list-enrolled

The current state of my system:

# mokutil --sb-state
SecureBoot enabled
# uname -r
5.14.9-2.gd0ace7f-default
# dmesg | grep -i secure
[ 0.009083] Secure boot enabled
[ 1.461959] integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
[ 1.463127] integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: 0332fa9cbf0d88bf21924b0de82a09a54d5defc8'
[ 6.485674] Bluetooth: hci0: Secure boot is enabled

~~~~~~~~~
The mentioned certificate 6A4E915C.crt has been available only since the kernel
5.14.10-2.1.g2878fd1:

# rpm -q --whatprovides /etc/uefi/certs/6A4E915C.crt
kernel-default-5.14.10-2.1.g2878fd1.x86_64
kernel-default-5.14.11-1.1.g834dddd.x86_64

More information about 6A4E915C.crt:

# openssl x509 --inform DER --outform PEM --in /etc/uefi/certs/6A4E915C.crt > /tmp/6A4E915C.crt-pem
# openssl x509 -in /tmp/6A4E915C.crt-pem -text | grep -e Before -e After
Not Before: Oct 5 16:48:55 2021 GMT
Not After : Dec 14 16:48:55 2023 GMT

~~~~~~~~~
The previous, known-to-be-working kernel 5.14.9-2.1.gd0ace7f provided a
different certificate 1AA60533.crt:

# rpm -q --whatprovides /etc/uefi/certs/1AA60533.crt
kernel-default-5.14.9-2.1.gd0ace7f.x86_64

More information about 1AA60533.crt:

# openssl x509 --inform DER --outform PEM --in /etc/uefi/certs/1AA60533.crt > /tmp/1AA60533.crt-pem
# openssl x509 -in /tmp/1AA60533.crt-pem -text | grep -e Before -e After
Not Before: Aug 11 16:46:49 2019 GMT
Not After : Oct 19 16:46:49 2021 GMT

~~~~~~~~~
I tried to enroll the new certificate 6A4E915C.crt:

# mokutil --import /etc/uefi/certs/6A4E915C.crt
Already in kernel trusted keyring. Skip /etc/uefi/certs/6A4E915C.crt

However, 6A4E915C.crt is still not seen in "mokutil --list-enrolled" (judging by the certificates' validity) - I attached the output.
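
The validity-based check described in the comment above can be scripted. The following is an added example, not part of the original comment or of mokutil: it parses a listing and looks up a certificate by its Not Before / Not After pair. The listing layout, the placeholder fingerprints and the second key are constructed assumptions; only the validity dates of key 1 come from the comment.

```python
import re
from datetime import datetime, timezone

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # openssl-style validity timestamp

# Constructed sample: assumed `mokutil --list-enrolled` layout, placeholder
# fingerprints; key 1 carries the 1AA60533.crt validity dates from the comment.
SAMPLE = """\
[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Validity
            Not Before: Aug 11 16:46:49 2019 GMT
            Not After : Oct 19 16:46:49 2021 GMT

[key 2]
SHA1 Fingerprint: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Jan  1 00:00:00 2030 GMT
"""

def _ts(text):
    """Parse an openssl validity timestamp into a UTC datetime."""
    return datetime.strptime(text.strip(), DATE_FMT).replace(tzinfo=timezone.utc)

def parse_enrolled(listing):
    """Return one dict per [key N] block that contains an X.509 validity period."""
    parts = re.split(r"(?m)^\[key (\d+)\][ \t]*$", listing)
    keys = []
    for index, body in zip(parts[1::2], parts[2::2]):
        fp = re.search(r"SHA1 Fingerprint:\s*([0-9A-Fa-f:]+)", body)
        nb = re.search(r"Not Before\s*:\s*(.+)", body)
        na = re.search(r"Not After\s*:\s*(.+)", body)
        if nb and na:  # skip entries without a certificate body
            keys.append({"key": int(index), "sha1": fp.group(1).lower() if fp else None,
                         "not_before": _ts(nb.group(1)), "not_after": _ts(na.group(1))})
    return keys

def find_by_validity(keys, not_before, not_after):
    """Key numbers whose validity window equals the given openssl date strings."""
    want = (_ts(not_before), _ts(not_after))
    return [k["key"] for k in keys if (k["not_before"], k["not_after"]) == want]

def expired(keys, at):
    """Key numbers whose Not After lies before the timezone-aware datetime `at`."""
    return [k["key"] for k in keys if k["not_after"] < at]
```

Two certificates can share a validity window, so a match found this way is a hint rather than proof; the parsed `sha1` field allows an exact comparison.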