Question

Is openSUSE shim bootloader signed with openSUSE private key? If so, where can I find the corresponding openSUSE certificate for secure boot verification purpose?

Solution

A public key can be retrieved from the shim source package:

  1. Download http://download.opensuse.org/source/distribution/13.1/repo/oss/suse/src/shim-0.2-3.1.src.rpm
  2. Extract using e.g.: rpm2cpio shim-0.2-3.1.src.rpm | cpio -dium
  3. Unpack the tarball that is inside: tar -xJf shim-12.3-update.tar.xz
  4. The certificate can now be found in the usr/lib64/efi subdir: openssl x509 -inform der -in usr/lib64/efi/shim-opensuse.der -text

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org

You can verify 2nd stage bootloaders and kernels using sbverify from the sbsigntool package (that's what it's called on Ubuntu).
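
Added example, not part of the original answer and not openSUSE's own tooling: a shell sketch that takes the DER certificate extracted in step 4, converts it to PEM (assumed here to be the form sbverify's --cert option wants), confirms the conversion kept the same certificate, and then checks a signed EFI image. The function names and the EFI image path are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; only openssl and sbverify are real tools.

# Print the SHA-256 fingerprint of a certificate.
# $1 = certificate file, $2 = its encoding (der or pem)
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Convert a DER certificate to PEM and confirm both files hold the same certificate.
# $1 = DER input, $2 = PEM output
der_to_pem() {
    openssl x509 -inform der -in "$1" -outform pem -out "$2" || return 1
    [ "$(cert_fingerprint "$1" der)" = "$(cert_fingerprint "$2" pem)" ]
}

# Verify a signed EFI binary (2nd stage bootloader or kernel) against the certificate.
# $1 = DER certificate, $2 = EFI image
# Returns sbverify's exit status, 1 if the certificate is unusable, 2 if sbverify is missing.
verify_efi_image() {
    command -v sbverify >/dev/null 2>&1 || {
        echo "sbverify not installed (sbsigntool package)" >&2
        return 2
    }
    pem=$(mktemp) || return 1
    if der_to_pem "$1" "$pem"; then
        # Capture the status without tripping 'set -e' in the caller.
        sbverify --cert "$pem" "$2" && rc=0 || rc=$?
    else
        echo "could not read $1 as a DER certificate" >&2
        rc=1
    fi
    rm -f "$pem"
    return "$rc"
}

# Usage (the EFI path is a placeholder for the image you want to check):
#   verify_efi_image usr/lib64/efi/shim-opensuse.der /path/to/image.efi
```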

Licensed under: CC-BY-SA with attribution