Kernel of the Day has invalid signature


Kernel of the Day has invalid signature

Michael Melcher
Hi,

I have Secure Boot enabled in UEFI. Both Leap and Tumbleweed boot fine.
I added Kernel of the Day and now Grub complains that it has an
invalid signature.

If I change Secure Boot settings from "Microsoft & 3rd party CA" to
"none" I can boot the kernel fine. However, that makes for an ugly
UEFI startup screen.

Kind regards,
Michael
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: Kernel of the Day has invalid signature

Richard Brown
On 28 April 2016 at 18:51, Michael Melcher <[hidden email]> wrote:

> Hi,
>
> I have Secure Boot enabled in UEFI. Both Leap and Tumbleweed boot fine.
> I added Kernel of the Day and now Grub complains that it has an
> invalid signature.
>
> If I change Secure Boot settings from "Microsoft & 3rd party CA" to
> "none" I can boot the kernel fine. However, that makes for an ugly
> UEFI startup screen.
>
> Kind regards,
> Michael


Are you sure this is not intentional? I am not sure, but I imagine it
would be hard to offer a KOTD that was correctly signed given it
typically takes longer than a day to get them signed..

Re: Kernel of the Day has invalid signature

Andrei Borzenkov
28.04.2016 20:45, Richard Brown wrote:

> On 28 April 2016 at 18:51, Michael Melcher <[hidden email]> wrote:
>> Hi,
>>
>> I have Secure Boot enabled in UEFI. Both Leap and Tumbleweed boot fine.
>> I added Kernel of the Day and now Grub complains that it has an
>> invalid signature.
>>
>> If I change Secure Boot settings from "Microsoft & 3rd party CA" to
>> "none" I can boot the kernel fine. However, that makes for an ugly
>> UEFI startup screen.
>>
>> Kind regards,
>> Michael
>
>
> Are you sure this is not intentional? I am not sure, but I imagine it
> would be hard to offer a KOTD that was correctly signed given it
> typically takes longer than a day to get them signed..
>

Yes, KOTD is not signed by the standard openSUSE key. I still think it would
be useful to ship the key together with the kernel package, so that users could
enroll it manually. We do it for GRUB.

Re: Kernel of the Day has invalid signature

Michal Marek
On 2016-04-29 05:38, Andrei Borzenkov wrote:

> 28.04.2016 20:45, Richard Brown wrote:
>> On 28 April 2016 at 18:51, Michael Melcher <[hidden email]> wrote:
>>> Hi,
>>>
>>> I have Secure Boot enabled in UEFI. Both Leap and Tumbleweed boot fine.
>>> I added Kernel of the Day and now Grub complains that it has an
>>> invalid signature.
>>>
>>> If I change Secure Boot settings from "Microsoft & 3rd party CA" to
>>> "none" I can boot the kernel fine. However, that makes for an ugly
>>> UEFI startup screen.
>>>
>>> Kind regards,
>>> Michael
>>
>>
>> Are you sure this is not intentional? I am not sure, but I imagine it
>> would be hard to offer a KOTD that was correctly signed given it
>> typically takes longer than a day to get them signed..
>>
>
> Yes, KOTD is not signed by the standard openSUSE key. I still think it would
> be useful to ship the key together with the kernel package, so that users could
> enroll it manually. We do it for GRUB.

It used to be done this way and the code for that is still in
kernel-binary.spec.in, but has not been updated for 4.3+. Can you enter
a bug report for this?

Thanks,
Michal
