[Bug 1870955] Re: MokManager - Only DER encoded certificate (*.cer/der/crt) is supported

[Adrian Feliks]

Manually steps in grub:
chainloader mmx64.efi, then "Enroll key from disk" -> /var/lib/shim-signed/mok/MOK.der.

shim-signed/focal,now 1.40+15+1533136590.3beb971-0ubuntu1 amd64

In this case there is no problem with the certificate. I think there are two possibilities:
MokManager or UEFI firmware.

I tested several versions (shim + MokManager):
- Ubuntu: 19.10, 20.04-beta -> certificate error
- Fedora: 31 -> certificate error
- openSUSE: tumbleweed -> work, possible to add this any other certificates (https://download.opensuse.org/tumbleweed/repo/oss/EFI/BOOT/).

Today I compiled (from https://github.com/rhboot/shim/releases) and
signed MokManager with my own key, versions 14 and 15. Both work.

I'm attaching the keys from UEFI: pk, kek, db.

** Attachment added: "pk.txt"
   https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1870955/+attachment/5351885/+files/pk.txt

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1870955

Title:
  MokManager - Only DER encoded certificate (*.cer/der/crt) is supported

Status in shim-signed package in Ubuntu:
  Incomplete

Bug description:
  Installation of VirtualBox requires signing kernel modules.
  During installation a certificate is generated. It should be automatically added during system reboot. However, this is not happening.

  Manual attempt to add a certificate:
  After selecting the generated certificate the following error occurs:
  "Only DER encoded certificate (*.cer/der/crt) is supported".
  I managed to establish that it was MokManager's fault. It does not allow adding ANY certificate.

  Laptop: Acer Aspire 7 A715-74G-78PH
  UEFI:   Vendor: Insyde Corp.
   Version: V1.27
   Release Date: 03/05/2020

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1870955/+subscriptions