Yan Huang changed bug 1191480
What  | Removed                       | Added
Flags | needinfo?(yan.huang@suse.com) |

Comment # 6 on bug 1191480 from
Created attachment 853088
mokutil --list-enrolled

The current state of my system:
> # mokutil --sb-state
> SecureBoot enabled
> # uname -r
> 5.14.9-2.gd0ace7f-default
> # dmesg | grep -i secure
> [    0.009083] Secure boot enabled
> [    1.461959] integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
> [    1.463127] integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: 0332fa9cbf0d88bf21924b0de82a09a54d5defc8'
> [    6.485674] Bluetooth: hci0: Secure boot is enabled

~~~~~~~~~

The mentioned certificate 6A4E915C.crt has been available only since the kernel
5.14.10-2.1.g2878fd1:
> # rpm -q --whatprovides /etc/uefi/certs/6A4E915C.crt
> kernel-default-5.14.10-2.1.g2878fd1.x86_64
> kernel-default-5.14.11-1.1.g834dddd.x86_64

More information about 6A4E915C.crt:
> # openssl x509 --inform DER --outform PEM --in /etc/uefi/certs/6A4E915C.crt > /tmp/6A4E915C.crt-pem
> # openssl x509 -in /tmp/6A4E915C.crt-pem -text | grep -e Before -e After
>             Not Before: Oct  5 16:48:55 2021 GMT
>             Not After : Dec 14 16:48:55 2023 GMT

~~~~~~~~~

The previous, known-to-be-working kernel 5.14.9-2.1.gd0ace7f provided a
different certificate 1AA60533.crt:
> # rpm -q --whatprovides /etc/uefi/certs/1AA60533.crt
> kernel-default-5.14.9-2.1.gd0ace7f.x86_64

More information about 1AA60533.crt:
> # openssl x509 --inform DER --outform PEM --in /etc/uefi/certs/1AA60533.crt > /tmp/1AA60533.crt-pem
> # openssl x509 -in /tmp/1AA60533.crt-pem -text | grep -e Before -e After
>             Not Before: Aug 11 16:46:49 2019 GMT
>             Not After : Oct 19 16:46:49 2021 GMT

~~~~~~~~~

I tried to enroll the new certificate 6A4E915C.crt:
> # mokutil --import /etc/uefi/certs/6A4E915C.crt
> Already in kernel trusted keyring. Skip /etc/uefi/certs/6A4E915C.crt

However, 6A4E915C.crt is still not seen in "mokutil --list-enrolled" (judging
by the certificates' validity) - I attached the output.
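
An added example, not part of the original comment or of mokutil itself: rather than judging by validity dates, enrollment can be checked by comparing the SHA-1 fingerprint of the DER file against the fingerprints in the `mokutil --list-enrolled` listing. The listing layout parsed here (`[key N]`, `SHA1 Fingerprint:`, openssl-style validity lines) is an assumption about that output, and the certificate bytes, fingerprints and dates are constructed stand-ins.

```python
import hashlib
import re

# Constructed stand-in for the raw bytes of a DER file (not a real certificate).
# A certificate's SHA-1 fingerprint is the digest of its DER encoding.
SAMPLE_DER = b"constructed-der-bytes-for-illustration"

def sha1_fingerprint(der):
    """Return the colon-separated lowercase SHA-1 digest of DER bytes."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_enrolled(listing):
    """Split a key listing into one record per '[key N]' block."""
    keys = []
    for block in re.split(r"^\[key \d+\]\s*$", listing, flags=re.M)[1:]:
        fp = re.search(r"SHA1 Fingerprint:\s*([0-9A-Fa-f:]+)", block)
        nb = re.search(r"Not Before:\s*(.+)", block)
        na = re.search(r"Not After\s*:\s*(.+)", block)
        keys.append({
            "fingerprint": fp.group(1).lower() if fp else None,
            "not_before": nb.group(1).strip() if nb else None,
            "not_after": na.group(1).strip() if na else None,
        })
    return keys

def is_enrolled(der, listing):
    """True if the certificate's fingerprint appears in the listing."""
    want = sha1_fingerprint(der)
    return any(k["fingerprint"] == want for k in parse_enrolled(listing))

# Constructed listing: key 1 is unrelated, key 2 matches SAMPLE_DER.
SAMPLE_LISTING = f"""[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Jan  1 00:00:00 2022 GMT

[key 2]
SHA1 Fingerprint: {sha1_fingerprint(SAMPLE_DER)}
Certificate:
        Validity
            Not Before: Jan  1 00:00:00 2022 GMT
            Not After : Jan  1 00:00:00 2024 GMT
"""
```

On a live system the two inputs would be the bytes of the file under /etc/uefi/certs/ and the captured output of `mokutil --list-enrolled`.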

