Bug 1196563 - VirtualBox modules are signed with wrong key
VirtualBox modules are signed with wrong key
Status: RESOLVED DUPLICATE of bug 1195118
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Installation
Leap 15.3
x86-64 Other
: P5 - None : Major (vote)
: ---
Assigned To: E-mail List
Jiri Srain
Depends on:
  Show dependency treegraph
Reported: 2022-02-28 18:50 UTC by Larry Finger
Modified: 2022-03-01 20:19 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Larry Finger 2022-02-28 18:50:26 UTC
On some Leap 15.3 systems, the signer for the VirtualBox modules is "openSUSE Secure Boot CA", whereas the only key in the MOK system is  "SUSE Linux Enterprise Secure Boot CA" - thus the VB modules cannot load on a system with secure boot. I think this situation arises with systems that are upgraded from 15.2 to 15.3.

See boo#1186784 for more information.

Would it be possible to change the signing of the VB modules to match that of the rest of the kernel, i.e. "SUSE Linux Enterprise Secure Boot CA"?

Note that in TW, which is the only secure boot system that I have, the kernel and all modules are signed with "openSUSE Secure Boot CA", thus the problem does not arise.
Comment 1 Lukas Ocilka 2022-03-01 08:17:49 UTC
This may a duplicate of bug #1195118

Larry, please check, whether it has similar symptoms
Comment 2 Larry Finger 2022-03-01 16:13:17 UTC
Yes, I think that is a duplicate, and comment #43 by Joey Lee gives a hint of the origin of this whole problem:

"You can reference bsc#1182641.

The original feature request is after the SLE-Leap closing gap, some KMPs be signed by openSUSE signkey because they are in Leap repo but not in SLE. Those kernel modules can not be loaded by SLE-Leap kernel (closing gap) when secure boot is enabled.

So, we need a package to help user to enroll openSUSE signkey to MOK when they want to use those Leap-only KMPs. But user doesn't know they need to install the signkey RPM. So I ask Max Lin's help to add it in installation pattern."

It seems the problem arises from the attempt to keep SLE users with secure boot from installing VB from the Leap repos. Note that bsc#1182641 is another duplicate and discusses the need for installing the openSUSE-signkey-cert package. My suspicion is that most people with this problem blew past the key installation MOK screen at boot. I sent an NEEDINFO to the latest reporter at bsc#1186784 to see if the key package is installed.

If it is not, I may need to add a "Requires: openSUSE-signkey-cert" to the kmp part of the VB build. Of course, I cannot make them pay attention when adding a new key at reboot.
Comment 3 Josef Reidinger 2022-03-01 20:19:54 UTC
thanks for confirmation. So closing as duplicate.

*** This bug has been marked as a duplicate of bug 1195118 ***