Secure boot asking for certificate permission

I wanted to try openSUSE, so I booted my PC using an openSUSE live USB, but it asked me if I wanted to use the built-in openSUSE certificate to verify bootloaders. I read on the openSUSE wiki that openSUSE supports secure boot, and when I also used an Ubuntu live USB it didn’t ask for any such permission. So is this normal, and is the certificate built into my laptop's firmware or built into the live ISO? And how do I remove it after accepting it?

https://imgur.com/a/MgID5Ch
https://i.imgur.com/26mHALI.png

Yes, this is normal. Just go with “yes”. You will probably never see this screen again, until you buy a new computer. It is a one-time thing.

I never tried saying “no”, but I assume that your boot attempt will fail in that case. And I think this screen only comes up if secure-boot is enabled. If you don’t want to see the screen, then turn off secure-boot.

The way it all works:

When you boot the system, the first file loaded is “shim.efi”. And that is signed by Microsoft, so it should load. In turn, “shim.efi” knows about the “openSUSE” certificate, and can check signatures by “openSUSE”. The kernel and the grub2-efi boot loader are signed by that “openSUSE” certificate. You are being asked to trust that certificate.

@nrickert,
Thanks for the explanations, they are very important information.

On the Asus notebook, it was necessary to disable Secure Boot.
I plugged in the openSUSE Leap 15 GNOME pendrive and managed to boot.

Thanks, so after exiting the live environment, how do I remove the certificate?

Hi
Just had a look on an ASUS K55A I have here, press F2 for the BIOS and under Security -> Key Management, depends what options your BIOS offers… personally I wouldn’t worry about it… I have secure boot enabled on this machine and it works fine loading shim.efi and openSUSE Leap 15.0 is installed…

On the Asus UX301LA notebook, booting from the openSUSE Leap 15 KDE pendrive gives the following message:

Secure Boot Violation
Invalid signature detected, check secure boot policy in setup.
Then click [OK].

I tried booting from the pendrive twice and the message persists.
Then you need to get into the BIOS and disable Secure Boot.
Now, with Secure Boot disabled, it is possible to boot and use openSUSE Leap 15 KDE in live mode.

This is a known problem with some computers. I used to have that problem with a Lenovo, but a BIOS update fixed it.

Booting Linux with secure-boot depends on shim (the file “shim.efi”). The openSUSE “shim” has two signatures. It is signed by Microsoft and it is signed by openSUSE. Unfortunately, there are a few computers with firmware that does not properly handle a shim with two signatures, and some ASUS computers have this problem.

There is a workaround – just remove the openSUSE signature from “shim.efi”.

Check this web page: openSUSE:UEFI
and scroll down to look for the section “Booting the Machine that supports only one signature with vendor provided Keys”.

Personally, I found it easier to just disable secure-boot. Now, with an updated BIOS, I leave secure-boot enabled.

@nrickert,
Thanks for the explanations and the information.
I did not know openSUSE had two signatures.
I’ll check the link you sent and read.