Once upon a time, Michael Cronenworth <m...@cchtml.com> said: > # dnf install efivar > $ efivar --list | grep -i kek > $ efivar -p -n <kek name from previous command> > > It will be a hexdump so you will need to look at the ASCII output > for "Microsoft Corporation KEK CA 2011" or "Microsoft Corporation > KEK 2K CA 2023".
Thanks, that works, and also handles curiousity on the systems with SecureBoot disabled (where mokutil doesn't). Looking at my systems, looks like neither of my Thinkpads have the 2023 key yet (although the newest one is a BIOS version behind due to power-management issues in the latest). Those are my only systems with SB enabled (due to still having factory Windows on there; I never use it but keep it around "just in case"). A couple of systems I do find the new key on are a 5+ year old Gigabyte motherboard and an Intel/ASUS NUC (both of which have had BIOS updates released this year). I'm not familiar with the intricacies of the signing; can a single shim be signed by multiple keys? And if so... will MS still sign with the old key for a while once they start signing with the new key? -- Chris Adams <li...@cmadams.net> -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
