[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported
My understanding from vorlon's comment is that this is fixed in current shim in groovy (and releases' -proposed pockets), so closing.

** Changed in: shim-signed (Ubuntu)
   Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1870955

Title:
  MokManager - Only DER encoded certificate (*.cer/der/crt) is supported

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1870955/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported
Yes, I have just crashed into this. My system is now totally secure. To the point where it is impossible to get past this boot up screen to actually log in. I can't do anything. I can't upgrade anything. I can't fix anything. I can't access the boot disk. The box is not bricked. Great work guys!
[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported
The current shim in Ubuntu was built with 3.0.8. We have a signing request pending for a new one which was built with newer gnu-efi (3.0.9). So it sounds like this bug will be fixed as a matter of course once that newer shim has been signed.
[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported
Seeing the same issue on a Hyper-V VM running 20.04. Workaround is to enroll the MOK with mokutil. Seems related to this bug: https://github.com/rhboot/shim/issues/143 . While it was closed in 2018, maybe no one has recompiled shim-signed with the fixed gnuefi?

** Bug watch added: github.com/rhboot/shim/issues #143
   https://github.com/rhboot/shim/issues/143
[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: shim-signed (Ubuntu)
   Status: New => Confirmed
[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported
** Changed in: shim-signed (Ubuntu)
   Status: Incomplete => New
[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported
** Attachment added: "kek.txt"
   https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1870955/+attachment/5351886/+files/kek.txt
[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported
Manual steps in grub: chainloader mmx64.efi, then "Enroll key from disk" -> /var/lib/shim-signed/mok/MOK.der.

shim-signed/focal,now 1.40+15+1533136590.3beb971-0ubuntu1 amd64

In this case there is no problem with the certificate. I think there are two possibilities: MokManager or UEFI firmware.

I tested several versions (shim + MokManager):
- Ubuntu: 19.10, 20.04-beta -> certificate error
- Fedora: 31 -> certificate error
- openSUSE: tumbleweed -> works, possible to add this and any other certificates (https://download.opensuse.org/tumbleweed/repo/oss/EFI/BOOT/).

Today I compiled (from https://github.com/rhboot/shim/releases) and signed MokManager with my own key, versions 14 and 15. Both work.

I'm attaching the keys from UEFI: pk, kek, db.

** Attachment added: "pk.txt"
   https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1870955/+attachment/5351885/+files/pk.txt
[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported
** Attachment added: "db.txt"
   https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1870955/+attachment/5351887/+files/db.txt

** Description changed:

  Installation of VirtualBox requires signing kernel modules. During installation a certificate is generated. It should be automatically added during system reboot. However, this is not happening.

  Manual attempt to add a certificate: After selecting the generated certificate the following error occurs: "Only DER encoded certificate (*.cer/der/crt) is supported".

  I managed to establish that it was MokManager's fault. It does not allow adding ANY certificate.

  Laptop: Acer Aspire 7 A715-74G-78PH
  UEFI:
  Vendor: Insyde Corp.
- Version: V1.23
- Release Date: 10/25/2019
+ Version: V1.27
+ Release Date: 03/05/2020
[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported
What were the steps you took to try to manually add the certificate? The /var/lib/shim-signed/mok/MOK.der file that we populate is certainly a DER-encoded certificate, and users have been successfully registering these certificates through MokManager. What version of the shim-signed package do you have installed?

** Changed in: shim-signed (Ubuntu)
   Status: New => Incomplete
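
Added example (not part of the original thread and not shim or MokManager code): a framing check that tells a DER-encoded certificate file from a PEM one, useful for ruling out the file itself before suspecting MokManager, as the replies above do. The sample bytes are constructed placeholders, not a real certificate, and the function names are hypothetical.

```python
import base64

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def der_outer_length(data):
    """Return total length (header + body) of the outer DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = constructed SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                          # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:  # 0x80 (indefinite) is not valid DER
        return None
    body = int.from_bytes(data[2:2 + n], "big")
    if body < 0x80 or data[2] == 0:           # DER requires the minimal length encoding
        return None
    return 2 + n + body


def classify_cert(data):
    """Classify bytes as 'der', 'pem' or 'unknown' by framing only (no signature checks)."""
    if data.lstrip().startswith(PEM_HEADER):
        return "pem"
    total = der_outer_length(data)
    if total is not None and total == len(data):  # no truncation, no trailing bytes
        return "der"
    return "unknown"


def pem_to_der(data):
    """Decode the first PEM CERTIFICATE block to DER bytes."""
    start = data.index(PEM_HEADER) + len(PEM_HEADER)
    end = data.index(PEM_FOOTER, start)
    return base64.b64decode(b"".join(data[start:end].split()))


# Constructed sample: SEQUENCE header declaring 300 body bytes, then zero filler.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
SAMPLE_PEM = PEM_HEADER + b"\n" + base64.encodebytes(SAMPLE_DER) + PEM_FOOTER + b"\n"

if __name__ == "__main__":
    for name, blob in (("der", SAMPLE_DER), ("pem", SAMPLE_PEM), ("cut", SAMPLE_DER[:-1])):
        print(name, classify_cert(blob))
```

A result of `der` for the file being enrolled means the encoding is not what MokManager is rejecting.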
[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported
** Package changed: mokutil (Ubuntu) => shim-signed (Ubuntu)