Bug 1283475

Summary: Could not initialize nss: The certificate/key database is in an old, unsupported format.
Product: [Fedora] Fedora Reporter: poma <pomidorabelisima>
Component: pesignAssignee: Peter Jones <pjones>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: aoliva, bnocera, clive.m.messer, eocallaghan, gansalmon, hongjiu.lu, ipilcher, itamar, jonathan, kernel-maint, lantw44, madhu.chinakonda, mchehab, pahan, pjones
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: pesign-0.111-7.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-28 23:00:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Actual ACL fix for the local kernel build
none
Obsoletes pesign-rh-test-certs
none
Obsoletes pesign-rh-test-certs, (re)sets ACLs via service none

Description poma 2015-11-19 04:53:47 UTC 
Description of problem:
Could not initialize nss: The certificate/key database is in an old, unsupported format.

Version-Release number of selected component (if applicable):
pesign-0.111-1.fc24.x86_64

How reproducible:
101%

Steps to Reproduce:
1. Local Kernel Build, via rpmbuild

Actual results:
Broken Local Kernel Build

Expected results:
Working Local Kernel Build

Additional info:

Rawhide-Local-Build (pesign-0.111):
- kernel-4.4.0-0.rc1.git0.2.fc24
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign ']'
+ '[' x86_64 == x86_64 -o x86_64 == aarch64 ']'
+ '[' 0 -ge 7 -a -f /usr/bin/rpm-sign ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
Could not initialize nss: The certificate/key database is in an old, unsupported format.
error: Bad exit status from /var/tmp/rpm-tmp.MRMhok (%build)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.MRMhok (%build)


rpms:
pesign-0.111-1.fc24.x86_64
nss-tools-3.21.0-3.fc24.x86_64 (certutil)


# rpm -ev pesign-rh-test-certs
Preparing packages...
pesign-rh-test-certs-0.111-1.fc24.x86_64
certutil: could not find certificate named "Red Hat Test Certificate": SEC_ERROR_BAD_DATABASE: security library: bad database.
Comment 1 poma 2015-11-19 04:55:58 UTC 
Rawhide-Koji-Build (pesign-0.111):
- kernel-4.4.0-0.rc1.git0.2.fc24

https://kojipkgs.fedoraproject.org//packages/kernel/4.4.0/0.rc1.git0.1.fc24/data/logs/x86_64/build.log
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign ']'
+ '[' x86_64 == x86_64 -o x86_64 == aarch64 ']'
+ '[' 0 -ge 7 -a -f /usr/bin/rpm-sign ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign-client -t 'OpenSC Card (Fedora Signer)' -c '/CN=Fedora Secure Boot Signer' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
+ '[' '!' -s -o vmlinuz.signed ']'
+ '[' '!' -s vmlinuz.signed ']'
+ mv vmlinuz.signed arch/x86/boot/bzImage
...
+ exit 0


https://kojipkgs.fedoraproject.org//packages/kernel/4.4.0/0.rc1.git0.1.fc24/data/logs/x86_64/root.log
rpms:
pesign.x86_64 0.111-1.fc24
nss-tools-3.21.0-3.fc24.x86_64 (certutil)
Comment 2 poma 2015-11-19 04:56:30 UTC 
Fedora-22-Local-Build (pesign-0.108):
- kernel-4.4.0-0.rc1.git0.2.fc22
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign -a x86_64 == x86_64 ']'
+ '[' 0 -ge 7 ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
+ '[' '!' -s -o vmlinuz.signed ']'
+ '[' '!' -s vmlinuz.signed ']'
+ mv vmlinuz.signed arch/x86/boot/bzImage
...
+ exit 0


rpms:
pesign-0.108-4.fc22.x86_64
nss-tools-3.20.1-1.0.fc22.x86_64 (certutil)
Comment 3 poma 2015-11-19 04:57:01 UTC 
Rawhide-Local-Build (pesign-0.108):
- kernel-4.4.0-0.rc1.git0.2.fc24
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign -a x86_64 == x86_64 ']'
+ '[' 0 -ge 7 ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
+ '[' '!' -s -o vmlinuz.signed ']'
+ '[' '!' -s vmlinuz.signed ']'
+ mv vmlinuz.signed arch/x86/boot/bzImage
...
+ exit 0


rpms:
pesign-0.108-4.fc24.x86_64 (fc22 rebuild)
nss-tools-3.21.0-3.fc24.x86_64 (certutil)
Comment 4 poma 2015-11-19 05:00:01 UTC 
%global signmodules 0 - is not an option.
Comment 5 poma 2015-11-19 05:02:56 UTC 
Interesting, pesign-0.111 works for Koji-Build but not for Local-Build.
Comment 6 poma 2015-11-19 05:06:23 UTC 
Mister Jones, comment?
Comment 7 Clive Messer 2015-11-19 11:02:25 UTC 
Yep, I've just run into this as well, having updated pesign. 

/usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
Could not initialize nss: The certificate/key database is in an old, unsupported format.
error: Bad exit status from /var/tmp/rpm-tmp.Yl84lN (%build)
Comment 8 Fedora Update System 2015-11-19 18:43:10 UTC 
pesign-0.111-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 9 Fedora Update System 2015-11-19 18:45:11 UTC 
pesign-0.111-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 10 Peter Jones 2015-11-19 19:34:44 UTC 
This update should fix mock builds with no additional action.  To fix local builds, add your username to /etc/pesign/users and run /usr/libexec/pesign/pesign-authorize-users as root.
Comment 11 Clive Messer 2015-11-19 23:55:51 UTC 
Peter, to obtain the previous behaviour, ie. pesign works for any local user without additional configuration, what should I do? Will wildcards work? Can I put '*' in /etc/pesign/users?
Comment 12 Clive Messer 2015-11-20 00:58:37 UTC 
Am I doing something wrong? I've started the pesign service, added my local user name, (the user running the kernel rpmbuild), to /etc/pesign/users, run /usr/libexec/pesign/pesign-authorize-users....

Now when building, I get....

/usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
cms_common.c:find_certificate:469: could not find certificate in list: security library: bad database.
pesign: Could not find certificate Red Hat Test Certificate
error: Bad exit status from /var/tmp/rpm-tmp.MkAwDm (%build)
Comment 13 H.J. Lu 2015-11-20 02:40:30 UTC 
(In reply to Fedora Update System from comment #8)
> pesign-0.111-2.fc23 has been submitted as an update to Fedora 23.
> https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Mock still failed to build Fedora 23 kernel on Fedora 22:

+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign ']'
+ '[' x86_64 == x86_64 -o x86_64 == aarch64 ']'
+ '[' 0 -ge 7 -a -f /usr/bin/rpm-sign ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
Could not initialize nss: The certificate/key database is in an old, unsupported format.
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.hp1NTW (%build)
    Bad exit status from /var/tmp/rpm-tmp.hp1NTW (%build)
Child return code was: 1
Comment 14 poma 2015-11-20 06:37:16 UTC 
(In reply to Peter Jones from comment #10)
> This update should fix mock builds with no additional action.

mockbuild didn't fall into:
...
  Installing : pesign-0.111-2.fc24.x86_64
Module "opensc" added to database.
  Installing : pesign-rh-test-certs-0.111-2.fc24.x86_64
warning: %post(pesign-rh-test-certs-0.111-2.fc24.x86_64) scriptlet failed, exit status 2
Non-fatal POSTIN scriptlet failure in rpm package pesign-rh-test-certs-0.111-2.fc24.x86_64
  Verifying  : pesign-rh-test-certs-0.111-2.fc24.x86_64
  Verifying  : pesign-0.111-2.fc24.x86_64
...

POSTIN:
certutil --merge -d /etc/pki/pesign/ --source-dir /etc/pki/pesign/rh-test-certs/
getent passwd mockbuild >/dev/null && \
	echo mockbuild >> /etc/pesign/users &&
	/usr/libexec/pesign/pesign-authorize-users


# file /etc/pesign/users
/etc/pesign/users: empty

> To fix local builds,
> add your username to /etc/pesign/users and run
> /usr/libexec/pesign/pesign-authorize-users as root.

I set it as pesign-0.108:

/usr/libexec/pesign/pesign-authorize-others:
#!/bin/bash
#
# Set file permissions to other
# man 1 setfacl
#
# License: GPLv2

if [[ -r /etc/pki/pesign ]]; then
        setfacl -m o::rx /var/run/pesign
        setfacl -m o::rw /var/run/pesign/socket
        setfacl -m o::rx /etc/pki/pesign
        setfacl -m o::r /etc/pki/pesign/{cert8,key3,secmod}.db
        setfacl -m o::rx /etc/pki/pesign/rh-test-certs
        setfacl -m o::r /etc/pki/pesign/rh-test-certs/{cert8,key3,secmod}.db
fi

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# getfacl -R /etc/pki/pesign | egrep file\|other
...
# file: etc/pki/pesign
other::r-x
# file: etc/pki/pesign/cert8.db
other::r--
# file: etc/pki/pesign/secmod.db
other::r--
# file: etc/pki/pesign/rh-test-certs
other::r-x
# file: etc/pki/pesign/rh-test-certs/cert8.db
other::r--
# file: etc/pki/pesign/rh-test-certs/secmod.db
other::r--
# file: etc/pki/pesign/rh-test-certs/key3.db
other::r--
# file: etc/pki/pesign/key3.db
other::r--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign ']'
+ '[' x86_64 == x86_64 -o x86_64 == aarch64 ']'
+ '[' 0 -ge 7 -a -f /usr/bin/rpm-sign ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
+ '[' '!' -s -o vmlinuz.signed ']'
+ '[' '!' -s vmlinuz.signed ']'
+ mv vmlinuz.signed arch/x86/boot/bzImage
...
+ exit 0
Comment 15 Bastien Nocera 2015-11-20 09:58:47 UTC 
(In reply to Fedora Update System from comment #8)
> pesign-0.111-2.fc23 has been submitted as an update to Fedora 23.
> https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

That worked for me.
Comment 16 Fedora Update System 2015-11-20 10:21:45 UTC 
pesign-0.111-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 17 Fedora Update System 2015-11-20 11:24:12 UTC 
pesign-0.111-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 18 Fedora Update System 2015-11-21 00:37:07 UTC 
pesign-0.111-3.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 19 Fedora Update System 2015-11-21 00:37:36 UTC 
pesign-0.111-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 20 Fedora Update System 2015-11-21 17:53:02 UTC 
pesign-0.111-3.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 21 Fedora Update System 2015-11-22 14:26:42 UTC 
pesign-0.111-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 22 poma 2015-11-23 13:49:09 UTC 
Created attachment 1097647 [details]
Actual ACL fix for the local kernel build


# cat /etc/pesign/users
test

# cat /etc/pesign/groups
builders

# getent passwd test
test:x:1002:1002::/home/test:/bin/bash

# getent group builders 
builders:x:1001:poma

~~~~~~~~~~~~~~~~~~~~~~~~~~
...
Transaction test succeeded
Running transaction (shutdown inhibited)
  Updating   : pesign-0.111-4.fc24.x86_64
  Updating   : pesign-rh-test-certs-0.111-4.fc24.x86_64
  Cleanup    : pesign-rh-test-certs-0.111-3.fc24.x86_64
  Cleanup    : pesign-0.111-3.fc24.x86_64
  Verifying  : pesign-rh-test-certs-0.111-4.fc24.x86_64
  Verifying  : pesign-0.111-4.fc24.x86_64
  Verifying  : pesign-0.111-3.fc24.x86_64
  Verifying  : pesign-rh-test-certs-0.111-3.fc24.x86_64

Updated:
  pesign.x86_64 0:0.111-4.fc24
  pesign-rh-test-certs.x86_64 0:0.111-4.fc24             

Complete!


No more "Non-fatal POSTIN scriptlet failure"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# getfacl /etc/pki/pesign
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/pesign
# owner: pesign
# group: pesign
user::rwx
user:test:r-x
group::rwx
group:builders:r-x
mask::rwx
other::---


# getfacl /etc/pki/pesign/{cert8,key3,secmod}.db
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/pesign/cert8.db
# owner: pesign
# group: pesign
user::rw-
user:test:r--
group::rw-
group:builders:r--
mask::rw-
other::---

# file: etc/pki/pesign/key3.db
# owner: pesign
# group: pesign
user::rw-
user:test:r--
group::rw-
group:builders:r--
mask::rw-
other::---

# file: etc/pki/pesign/secmod.db
# owner: pesign
# group: pesign
user::rw-
user:test:r--
group::rw-
group:builders:r--
mask::rw-
other::---


groups to groups, users to users

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[poma@lnx SPECS]$ rpmbuild -ba kernel.spec
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign ']'
+ '[' x86_64 == x86_64 -o x86_64 == aarch64 ']'
+ '[' 0 -ge 7 -a -f /usr/bin/rpm-sign ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
+ '[' '!' -s -o vmlinuz.signed ']'
+ '[' '!' -s vmlinuz.signed ']'
+ mv vmlinuz.signed arch/x86/boot/bzImage
...
Comment 23 poma 2015-11-23 13:55:49 UTC 
http://pkgs.fedoraproject.org/cgit/pesign.git/tree/pesign.spec#n159
Related: rhbz#1283745

Mister Jones, will it be 745 or 475? ;)
Comment 24 poma 2015-11-23 14:26:00 UTC 
Here is a test build:
http://goo.gl/Gm4ffO
signum/
pesign-0.111-4.fc24.src.rpm
pesign-0.111-4.fc24.x86_64.rpm
pesign-rh-test-certs-0.111-4.fc24.x86_64.rpm
pesign.sha256sum.txt
Comment 25 Ian Pilcher 2015-11-23 15:20:51 UTC 
(In reply to poma from comment #24)
> Here is a test build:

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1284561
Comment 26 Ian Pilcher 2015-11-23 16:33:46 UTC 
(In reply to Clive Messer from comment #12)
> Am I doing something wrong? I've started the pesign service, added my local
> user name, (the user running the kernel rpmbuild), to /etc/pesign/users, run
> /usr/libexec/pesign/pesign-authorize-users....
> 
> Now when building, I get....
> 
> /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o
> vmlinuz.signed -s
> cms_common.c:find_certificate:469: could not find certificate in list:
> security library: bad database.
> pesign: Could not find certificate Red Hat Test Certificate
> error: Bad exit status from /var/tmp/rpm-tmp.MkAwDm (%build)

I'm now getting this error with pesign-0.111-4.fc24.x86_64.rpm.
Comment 27 poma 2015-11-24 02:23:17 UTC 
(In reply to Ian Pilcher from comment #26)
> (In reply to Clive Messer from comment #12)
> > Am I doing something wrong? I've started the pesign service, added my local
> > user name, (the user running the kernel rpmbuild), to /etc/pesign/users, run
> > /usr/libexec/pesign/pesign-authorize-users....
> > 
> > Now when building, I get....
> > 
> > /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o
> > vmlinuz.signed -s
> > cms_common.c:find_certificate:469: could not find certificate in list:
> > security library: bad database.
> > pesign: Could not find certificate Red Hat Test Certificate
> > error: Bad exit status from /var/tmp/rpm-tmp.MkAwDm (%build)
> 
> I'm now getting this error with pesign-0.111-4.fc24.x86_64.rpm.


Can you paste here output of:

$ rpm -q pesign pesign-rh-test-certs
$ getent passwd $(whoami)
$ getent group | grep $(whoami)
# cat /etc/pesign/groups
# cat /etc/pesign/users
# getfacl /etc/pki/pesign
# getfacl /etc/pki/pesign/{cert8,key3,secmod}.db

PRIOR TO starting building kernel locally:
$ rpmbuild -ba kernel.spec
Comment 28 Ian Pilcher 2015-11-24 16:12:16 UTC 
(In reply to poma from comment #27)
> 
> Can you paste here output of:
> 
> $ rpm -q pesign pesign-rh-test-certs

$ rpm -q pesign pesign-rh-test-certs
pesign-0.111-4.fc24.x86_64
package pesign-rh-test-certs is not installed

So there's the problem.  Shouldn't that be a buildreq?
Comment 29 H.J. Lu 2015-11-24 16:30:20 UTC 
(In reply to Ian Pilcher from comment #28)
> 
> So there's the problem.  Shouldn't that be a buildreq?

See PR 1284063.
Comment 30 Josh Boyer 2015-11-24 17:56:15 UTC 
No, it cannot be.  At least not until Peter and I figure it out.  It's being tracked in the bug H.J. points to.
Comment 31 Alexandre Oliva 2015-11-28 04:47:28 UTC 
I've got pesign-0.111-3.fc[23] installed onto f2[23] mock roots before trying x86_64 kernel builds, but the mock build still fails with the error from the initial report.  Do I have to install pesign in the build root, too?  Would it matter that it's a chroot itself?
Comment 32 Pavel Alexeev 2015-11-28 17:27:33 UTC 
It still fails even in koji:
https://kojipkgs.fedoraproject.org//work/tasks/3949/12003949/build.log:
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
Could not initialize nss: The certificate/key database is in an old, unsupported format.
Comment 33 Fedora Update System 2015-12-01 20:51:24 UTC 
pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 34 Fedora Update System 2015-12-01 20:53:04 UTC 
pesign-0.111-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 35 poma 2015-12-02 08:17:39 UTC 
http://pkgs.fedoraproject.org/cgit/pesign.git/commit/?id=d983376
-  Related: rhbz#1283745
+  Related: rhbz#1283475
Comment 36 Edward O'Callaghan 2015-12-02 16:15:57 UTC 
(In reply to Fedora Update System from comment #33)
> pesign-0.111-5.fc23 has been submitted as an update to Fedora 23.
> https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

This update fixed the issue for me. Thanks!
Comment 37 Fedora Update System 2015-12-02 19:00:41 UTC 
pesign-0.111-6.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 38 Fedora Update System 2015-12-02 19:04:35 UTC 
pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 39 Fedora Update System 2015-12-02 22:52:26 UTC 
pesign-0.111-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 40 Fedora Update System 2015-12-04 01:38:36 UTC 
pesign-0.111-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 41 poma 2015-12-07 13:39:32 UTC 
# yum -q --disablerepo \* --enablerepo updates-testing update pesign
Error: Package: pesign-rh-test-certs-0.111-1.fc22.x86_64 (@updates)
           Requires: pesign = 0.111-1.fc22
           Removing: pesign-0.111-1.fc22.x86_64 (@updates)
               pesign = 0.111-1.fc22
           Updated By: pesign-0.111-6.fc22.x86_64 (updates-testing)
               pesign = 0.111-6.fc22
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest


# dnf --disablerepo \* --enablerepo updates-testing update pesign
Last metadata expiration check performed 0:04:15 ago on Mon Dec  7 14:17:35 2015.
Dependencies resolved.
==================================================================================
 Package        Arch           Version              Repository               Size
==================================================================================
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 pesign         x86_64         0.111-6.fc22         updates-testing         108 k

Transaction Summary
==================================================================================
Skip  1 Package

Nothing to do.
Complete!
Comment 42 poma 2015-12-07 13:41:35 UTC 
Created attachment 1103224 [details]
Obsoletes pesign-rh-test-certs


# yum -q --disablerepo \* update ./pesign-0.111-7.fc22.x86_64.rpm
 
===================================================================================
 Package     Arch        Version            Repository                        Size
===================================================================================
Installing:
 pesign      x86_64      0.111-7.fc22       /pesign-0.111-7.fc22.x86_64      440 k
     replacing  pesign-rh-test-certs.x86_64 0.111-1.fc22

Transaction Summary
===================================================================================
Install  1 Package

Is this ok [y/d/N]: y


# dnf --disablerepo \* update ./pesign-0.111-7.fc22.x86_64.rpmDependencies resolved.
===================================================================================
 Package         Arch            Version               Repository             Size
===================================================================================
Upgrading:
 pesign          x86_64          0.111-7.fc22          @commandline          107 k
     replacing  pesign-rh-test-certs.x86_64 0.111-1.fc22

Transaction Summary
===================================================================================
Upgrade  1 Package

Total size: 107 k
Is this ok [y/N]: y
Comment 43 Peter Jones 2015-12-07 18:38:28 UTC 
So - this looks like it means this will work against the actual repos, it just failed because you have things from updates-testing that were never pushed past that installed?
Comment 44 poma 2015-12-08 09:57:22 UTC 
(In reply to Peter Jones from comment #43)
> So - this looks like it means this will work against the actual repos, it
> just failed because you have things from updates-testing that were never
> pushed past that installed?

This is stable Fedora 22, with no related updates-testing pkgs,
so at least to me, it is relevant for this particular testing.

Here is an example with the actual local repo,

# yum -q --disablerepo \* --enablerepo signum-testing update
Error: Package: pesign-rh-test-certs-0.111-1.fc22.x86_64 (@updates)
           Requires: pesign = 0.111-1.fc22
           Removing: pesign-0.111-1.fc22.x86_64 (@updates)
               pesign = 0.111-1.fc22
           Updated By: pesign-0.111-6.fc22.x86_64 (signum-testing)
               pesign = 0.111-6.fc22
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest


# dnf --disablerepo \* --enablerepo signum-testing update
Fedora Signum 22 - x86_64 - Updates              76 kB/s | 1.7 kB     00:00    
Last metadata expiration check performed 0:00:01 ago on Tue Dec  8 10:42:32 2015.
Dependencies resolved.
================================================================================
 Package       Arch          Version                Repository             Size
================================================================================
Skipping packages with broken dependencies:
 pesign        x86_64        0.111-6.fc22           signum-testing        107 k

Transaction Summary
================================================================================
Skip  1 Package

Nothing to do.
Complete!
Comment 45 poma 2015-12-08 10:12:32 UTC 
w/ Obsoletes: pesign-rh-test-certs,

# yum -q --disablerepo \* --enablerepo signum-testing update

================================================================================
 Package       Arch          Version                Repository             Size
================================================================================
Installing:
 pesign        x86_64        0.111-7.fc22           signum-testing        107 k
     replacing  pesign-rh-test-certs.x86_64 0.111-1.fc22

Transaction Summary
================================================================================
Install  1 Package

Is this ok [y/d/N]: y


# dnf --disablerepo \* --enablerepo signum-testing update
Last metadata expiration check performed 0:00:33 ago on Tue Dec  8 11:08:40 2015.
Dependencies resolved.
================================================================================
 Package       Arch          Version                Repository             Size
================================================================================
Upgrading:
 pesign        x86_64        0.111-7.fc22           signum-testing        107 k
     replacing  pesign-rh-test-certs.x86_64 0.111-1.fc22

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 107 k
Is this ok [y/N]: y
Comment 46 Peter Jones 2015-12-08 15:07:23 UTC 
But how do you have any dep about pesign-rh-test-certs?  It only ever existed in updates-testing.
Comment 47 Fedora Update System 2015-12-08 15:28:45 UTC 
pesign-0.111-6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 48 poma 2015-12-08 16:16:43 UTC 
(In reply to Peter Jones from comment #46)
> But how do you have any dep about pesign-rh-test-certs?  It only ever
> existed in updates-testing.

http://dl.fedoraproject.org/pub/fedora/linux/updates/22/x86_64/p/pesign-rh-test-certs-0.111-1.fc22.x86_64.rpm
Comment 49 poma 2015-12-08 16:21:08 UTC 
http://dl.fedoraproject.org/pub/fedora/linux/updates/23/x86_64/p/pesign-rh-test-certs-0.111-1.fc23.x86_64.rpm
It appears that one passed, Lucky Luke.
Comment 50 Fedora Update System 2015-12-08 22:58:52 UTC 
pesign-0.111-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 51 Alexandre Oliva 2015-12-10 03:50:31 UTC 
pesign-0.111-6.fc* enabled me to build newer GNU Linux-libre Freed-ora RPMS in mock buildroots, thanks.  I tried to provide positive feedback through bodhi, but I guess it doesn't like my rejecting cookies or not running Javascript or somesuch, because my comments seem to have been dropped on the floor :-(
Comment 52 poma 2015-12-10 18:21:33 UTC 
Created attachment 1104471 [details]
Obsoletes pesign-rh-test-certs, (re)sets ACLs via service


"Automatically" - via service, resolves ACLs upon update and reinstall, 
so there is no need to manually run /usr/libexec/pesign/pesign-authorize-{groups,users}.
Comment 53 Fedora Update System 2015-12-10 20:39:05 UTC 
pesign-0.111-7.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 54 Fedora Update System 2015-12-10 20:40:17 UTC 
pesign-0.111-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 55 poma 2015-12-10 21:12:48 UTC 
Just for the record,

http://pkgs.fedoraproject.org/cgit/pesign.git/tree/pesign.spec#n88
%systemd_post pesign.service

probably has no effect,
see for yourself what "%systemd_post" macro actually is,

https://github.com/systemd/systemd/blob/master/src/core/macros.systemd.in#L39
%systemd_post() \
if [ $1 -eq 1 ] ; then \
        # Initial installation \
        systemctl --no-reload preset %{?*} >/dev/null 2>&1 || : \
fi \
%{nil}

"preset" is about

https://github.com/systemd/systemd/blob/master/man/systemctl.xml#L1077
...
... This has the same effect as ... disable ... or ... enable ...


# systemctl enable pesign.service
The unit files have no [Install] section. They are not meant to be enabled
using systemctl.
...


Arrivederci
Comment 56 Fedora Update System 2015-12-11 06:02:41 UTC 
pesign-0.111-7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 57 Fedora Update System 2015-12-11 19:58:16 UTC 
pesign-0.111-7.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 58 Fedora Update System 2015-12-28 22:59:55 UTC 
pesign-0.111-7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 59 Fedora Update System 2016-02-05 00:22:08 UTC 
pesign-0.111-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.