Secure Boot CA certs to verify Tumbleweed appx file to be installed on WSL

Hi,

I downloaded the Tumbleweed appx file from the openSUSE site. I followed the instructions mentioned in https://en.opensuse.org/WSL/Manual_Installation.

The certificate mentioned in the appx is issued by “openSUSE Secure Boot CA”.

But when I want to install the appx I get the message: “Windows does not have enough information to verify this certificate”.

How do I get this verified?

That page indicates I will almost assuredly also need the “Secure Boot CA” certs for openSUSE/SUSE SLE:

“openSUSE Secure Boot CA” or “SUSE Linux Enterprise Secure Boot CA”

They can be obtained from a distro’s “shim” package, for example: http://download.opensuse.org/source/distribution/leap/15.3/repo/oss/src

But it doesn’t say how, nor do I find any reference on how to do this.

Many thanks in advance!

For Tumbleweed, you need the openSUSE CA certificate. For Leap 15.3 you will instead need the SUSE CA certificate.

The easiest way that I know of is with a running Tumbleweed on a UEFI box. If you use:

mokutil --export

it will export all enrolled certificates to files in the current directory. The file name is the number of that certificate in the list you will see with

mokutil -l

If you don’t have an installed Tumbleweed, you can probably do this by running the downloaded live Tumbleweed media. I’m not sure whether “mokutil” is already installed in the live media, but you should be able to install it if needed. You will have to boot that in UEFI mode.

The shim package installs certificates in /etc/uefi/certs. Unfortunately it does not name them “openSUSE Secure Boot CA” or similar; the names are derived from the certificate’s SHA1 fingerprint. For openSUSE and SLES there should be one certificate XXXXXXXX-shim.crt that is the openSUSE/SLES CA. The format is DER. You can verify its name and purpose when importing.

If you have the same version of openSUSE on bare metal/VM you should already have this file. You can extract it on basically any Linux without installation using the rpm2cpio utility (OK, “any Linux” that supports rpm zstd compression …). Under Windows I usually used 7-Zip to extract files from RPMs; unfortunately TW switched to the zstd compression method, which is not supported by 7-Zip yet, so it no longer works. Although there is an external project that offers plugins for standard 7-Zip (GitHub - mcmilk/7-Zip-zstd: 7-Zip with support for Brotli, Fast-LZMA2, Lizard, LZ4, LZ5 and Zstandard), I have not tested it so far.

nor do I find any reference how to do this.

Quoting the page you yourself referred to:

installed in the same manner as described above.

where “above” refers to detailed screenshots of Windows certificate management tool.

After all, if you install under Windows you are supposed to know how to manage Windows or at least how to find help on Windows management topics.

But in general I agree - there should be an easy-to-find page (ideally referred to from the main download resources) that lists the certificates and allows downloading them.
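The two answers above leave one practical gap: the exported or extracted files are named by list number (mokutil --export) or by a hash (XXXXXXXX-shim.crt), so nothing in the filename says which one is the openSUSE or SUSE Secure Boot CA. The following script is an added example, not code from this thread or from openSUSE; it uses only the Python standard library to read the subject CN and the SHA1 fingerprint out of each DER file and flag the CA. The check that the filename prefix equals the first 8 hex digits of the SHA1 fingerprint is an assumption about how the shim package derives its names (the post above only says “derived from the SHA1 fingerprint”). The embedded sample certificate is constructed, unsigned, and not a real openSUSE certificate; it exists only so the script runs offline.

```python
"""Identify the openSUSE/SUSE Secure Boot CA among DER certificate files
(e.g. /etc/uefi/certs/*.crt or the output of `mokutil --export`) without
openssl or third-party modules. Added example; not openSUSE's code."""
import hashlib
import os
import sys

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3
SECURE_BOOT_CA_NAMES = ("openSUSE Secure Boot CA",
                        "SUSE Linux Enterprise Secure Boot CA")


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def subject_common_name(der):
    """Return the subject CN of an X.509 DER certificate, or None if absent."""
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE {tbs, alg, sig}
    _, tbs, _ = _read_tlv(cert, 0)         # TBSCertificate
    fields = list(_children(tbs))
    # [0] version is optional; then serial, signature, issuer, validity, subject
    offset = 1 if fields[0][0] == 0xA0 else 0
    subject = fields[offset + 4][1]
    for _, rdn in _children(subject):      # RDNSequence -> SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, val) = list(_children(atv))
            if oid == OID_COMMON_NAME:     # PrintableString or UTF8String; both decode as UTF-8
                return val.decode("utf-8")
    return None


def sha1_fingerprint(der):
    """Upper-case hex SHA1 over the DER bytes (what `openssl x509 -fingerprint -sha1` shows)."""
    return hashlib.sha1(der).hexdigest().upper()


def name_matches_fingerprint(filename, der):
    """ASSUMPTION: shim names its certs <first 8 hex digits of SHA1>-shim.crt."""
    prefix = os.path.basename(filename).split("-")[0].split(".")[0]
    return prefix.upper() == sha1_fingerprint(der)[:8]


def is_secure_boot_ca(der):
    """True when the subject CN is one of the two CA names the wiki page lists."""
    return subject_common_name(der) in SECURE_BOOT_CA_NAMES


def scan(paths):
    """Return (path, CN, SHA1 fingerprint, is_ca) for each DER file in paths."""
    rows = []
    for path in paths:
        with open(path, "rb") as fh:
            der = fh.read()
        rows.append((path, subject_common_name(der), sha1_fingerprint(der), is_secure_boot_ca(der)))
    return rows


# --- constructed sample input: a minimal, unsigned X.509 skeleton (not a real cert)
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(0x0C, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, atv))


def sample_der(cn):
    """Build a syntactically valid certificate whose issuer and subject CN are `cn`."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"130101000000Z") + _tlv(0x17, b"330101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00"))      # placeholder key, never used
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + alg + _name(cn) + validity + _name(cn) + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))  # empty signature


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # e.g. python3 idcert.py /etc/uefi/certs/*.crt
        for path, cn, fp, ca in scan(sys.argv[1:]):
            print(f"{'CA ' if ca else '   '}{path}: CN={cn} SHA1={fp} "
                  f"name_ok={name_matches_fingerprint(path, open(path, 'rb').read())}")
    else:                                   # demo on the constructed sample
        der = sample_der("openSUSE Secure Boot CA")
        print(subject_common_name(der), sha1_fingerprint(der), is_secure_boot_ca(der))
```

Run it against the files from /etc/uefi/certs or the mokutil --export output; where openssl is installed, `openssl x509 -inform DER -in <file> -noout -subject -fingerprint -sha1` reports the same two facts. A matching CN is only a label, not proof of authenticity: the trust decision rests on having taken the file from an openSUSE installation or a shim RPM you trust, and the fingerprint is what you compare against that source before importing the certificate into the Windows trusted root store.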

I already got Tumbleweed running on Hyper-V.
mokutil --export resulted in one .der file.
This I could import as a Trusted Root CA, and the appx can now be launched without certificate problems.

Thank you! You made my week.

I found 2 crt files in this directory of the form XXXXXXX.crt. To be sure I followed the previous post.

My problem was not at the Windows level; it was how to get/extract the certificate, so more an openSUSE issue…

Thanks for your input