http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c17
Gary Ching-Pang Lin
It actually looks like shim is simply ignoring any enrolled key. Leap shim is not able to load anything except grub.efi shipped with openSUSE, even though my key is claimed to be enrolled.
Same problem with Ubuntu 14.04 shim BTW. Ubuntu has shim 0.8 and Leap shim 0.9. But with both of them I am not able to load anything signed by non-default key. I am able to load another shim which is signed by Microsoft though ...
This makes it rather hard to test anything. Gary, are there any known issues here? I try to test custom grub2 and shim cannot verify image although I enrolled my custom key (packaged with grub2) using MokManager.
In case you're using the key from open build service, there is a known issue that the updated openssl (1.0.2d) in shim checks the key attributes more strictly. The open build service used to generate the self-signed key without the "key signing" attribute. It's accepted by openssl-0.9.8* but openssl-1.0.* treats it as an invalid key. The open build service already fixed the key attribute but the user has to do "osc signkey --extend" to update the key attribute and enroll the updated key.
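One way to inspect a certificate before enrolling it with MokManager, added here as an example and not part of the bug thread, shim or the open build service. It assumes the "key signing" attribute mentioned above is the Certificate Sign (keyCertSign) bit of the X.509 Key Usage extension, which the comment does not spell out; the function names and the throwaway sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a PEM certificate carries the X.509
# Key Usage extension and, if so, the "Certificate Sign" bit.
# ASSUMPTION: this is the "key signing" attribute the comment refers to.
# Prints one of: certsign | no-certsign | no-keyusage
cert_key_usage_status() {
    # Dump the certificate as text; fail with status 2 if it cannot be parsed.
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    # "X509v3 Key Usage" does not match "X509v3 Extended Key Usage".
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        echo no-keyusage
    elif printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
            | grep -q 'Certificate Sign'; then
        echo certsign
    else
        echo no-certsign
    fi
}

# Hypothetical helper: build a throwaway self-signed certificate with the
# given keyUsage value (constructed sample data, needs OpenSSL >= 1.1.1).
# $1 = output certificate path, $2 = keyUsage value list
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed test key" \
        -keyout "$1.key" -out "$1" \
        -addext "keyUsage=$2" 2>/dev/null
}

# Stand-alone use: pass the PEM file you intend to enroll.
if [ "$#" -gt 0 ]; then
    cert_key_usage_status "$1"
fi
```

A result of `no-certsign` matches the situation described in the comment under the stated assumption. A DER-encoded certificate has to be converted to PEM first, or checked by adding `-inform DER` to the `openssl x509` call.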