http://bugzilla.opensuse.org/show_bug.cgi?id=1173551

Bug ID: 1173551
Summary: OBS-built modules (like zfs) are signed by an untrusted key
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: screening-team-bugs@suse.de
Reporter: asarai@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Leap 15.2 blocks loading of modules which are not signed by a trusted key (which is an entirely reasonable policy)[1]; however, this means that if you wish to use modules which are built and signed by OBS it is now much more complicated.

Unlike modules compiled locally, OBS manages the signing keys (and rotates them fairly frequently), meaning that your system may end up failing to boot cleanly after a routine system update. In addition, you'd need to do the following in order to fix the issue:

  % osc signkey <project> --sslcert > cert.pem
  % openssl x509 -inform PEM -in cert.pem -outform DER -out cert.der
  % mokutil --import cert.der

And then reboot and enroll the key.

In fairness this is technically documented in [2], but I doubt most users would be able to get to that point (not to mention I think OBS has changed their interface so downloading the project signing key is a little more hidden now).

Is it possible for this process to be more automated -- ideally such that key rotations are handled automatically by either zypper (since this is a problem that affects all kernel modules signed by OBS) or by the individual packages?

For a concrete example of this problem, I just upgraded from Leap 15.1 to the 15.2 beta and my system was fairly broken because ZFS wouldn't load (as well as wireguard -- though luckily that is in the Leap kernel package now).
I've imported the filesystems key into the MOK, but that key expires in November 2020 and I guarantee I'm going to forget about this hack and will need to re-troubleshoot why my box was broken after a reboot.

[1]: https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.2/#sec.driver...
[2]: https://en.opensuse.org/openSUSE:UEFI#Booting_a_kernel_from_Kernel:stable_re...
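As an added example (not part of the bug report, and not code from osc, mokutil or any openSUSE package), the POSIX shell script below wraps the three commands from the report in a form that can be re-run after every update: it re-fetches the project's current signing certificate, asks mokutil whether that exact certificate is already enrolled, and only queues a new enrolment when the key has rotated. It also lists out-of-tree modules whose signer is not the expected OBS project, which is the check worth running before rebooting. Everything it assumes is an assumption of mine, not something the report states: osc, openssl, mokutil and modinfo are installed; OBS certificate CNs have the form "<project> OBS Project"; `mokutil --test-key` prints "... is already enrolled" for a known certificate; out-of-tree modules live under /lib/modules/$(uname -r)/extra; and the cache directory /var/lib/obs-mok is arbitrary. The reboot and the MokManager confirmation that complete enrolment still have to be done by hand.

```shell
#!/bin/sh
# Added example for bug 1173551; not part of the report, osc, mokutil or any
# openSUSE package. Re-enrols an OBS project's module-signing certificate in
# the MOK only when it has rotated, and reports modules signed by anything else.
#
# Assumptions (mine, not the report's): osc, openssl, mokutil and modinfo are
# installed; OBS certificate CNs look like "<project> OBS Project";
# `mokutil --test-key` prints "... is already enrolled" for an enrolled cert;
# out-of-tree modules live under /lib/modules/$(uname -r)/extra.
set -eu

# Read `modinfo <module>` output on stdin and print the signer CN, or
# "unsigned" when the module carries no signer field at all.
module_signer() {
    awk -F': *' '$1 == "signer" { found = 1; print $2 }
                 END { if (!found) print "unsigned" }'
}

# Fetch the project's current signing certificate (PEM) and convert it to the
# DER form mokutil requires. $1 = OBS project, $2 = output .der path.
fetch_project_cert() {
    osc signkey "$1" --sslcert > "$2.pem"
    openssl x509 -inform PEM -in "$2.pem" -outform DER -out "$2"
    rm -f "$2.pem"
}

# True when the MOK list already contains the DER certificate in $1.
key_enrolled() {
    mokutil --test-key "$1" 2>/dev/null | grep -q 'already enrolled'
}

# Re-fetch the project key and queue it for enrolment only if it differs from
# what is already enrolled. $1 = OBS project.
ensure_enrolled() {
    der="/var/lib/obs-mok/$1.der"        # cache location is an assumption
    mkdir -p "$(dirname "$der")"
    fetch_project_cert "$1" "$der"
    if key_enrolled "$der"; then
        echo "$1: current OBS signing key is already enrolled"
    else
        echo "$1: new OBS signing key queued; reboot and confirm it in MokManager"
        mokutil --import "$der"          # asks for a one-time MokManager password
    fi
}

# List modules under $1 whose signer is not the CN in $2; those will be
# rejected by the kernel after reboot unless their key is enrolled too.
report_untrusted_modules() {
    for ko in "$1"/*.ko "$1"/*.ko.xz "$1"/*.ko.zst; do
        [ -e "$ko" ] || continue
        signer=$(modinfo "$ko" | module_signer)
        [ "$signer" = "$2" ] || echo "$ko: signed by '$signer', expected '$2'"
    done
}

# Self-check of the parser on constructed modinfo output (paths and key id are
# made up; only the field layout matches real modinfo output).
selftest_module_signer() {
    signed='filename:       /lib/modules/KVER/extra/zfs.ko
license:        CDDL
sig_id:         PKCS#7
signer:         filesystems OBS Project
sig_key:        0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
sig_hashalgo:   sha256'
    unsigned='filename:       /lib/modules/KVER/extra/local.ko
license:        GPL'
    a=$(printf '%s\n' "$signed" | module_signer)
    b=$(printf '%s\n' "$unsigned" | module_signer)
    [ "$a" = "filesystems OBS Project" ] && [ "$b" = "unsigned" ]
}

# Usage: obs-mok.sh <project> [module-dir]    e.g. obs-mok.sh filesystems
case "${1:-}" in
    "") ;;   # no project given: only define the functions (e.g. when sourced)
    *)  ensure_enrolled "$1"
        report_untrusted_modules "${2:-/lib/modules/$(uname -r)/extra}" "$1 OBS Project" ;;
esac
```

Run it as root after each `zypper dup`/`zypper up` (or from a zypper post-transaction hook, which is the automation the report asks for); if it prints "new OBS signing key queued", the next boot will go through MokManager once and the modules will load afterwards. `mokutil --test-key` compares the whole certificate, so a rotated key with the same subject is still reported as not enrolled, which is exactly the case that broke the reporter's system.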