Bug 1284063
| Summary: | Need pesign-rh-test-certs to build kernel | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | H.J. Lu <hongjiu.lu> |
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 23 | CC: | clive.m.messer, gansalmon, ipilcher, itamar, jonathan, kernel-maint, lantw44, madhu.chinakonda, mchehab, pahan, pjones |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-12-28 23:00:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
H.J. Lu
2015-11-20 16:58:43 UTC
This isn't accurate. The kernel builds just fine in koji because pesign-rh-test-certs is not used and we use the real HSM. A more accurate assessment would be that it is needed to build locally or scratch kernels. However, I'm not sure we can blindly BuildRequire this in kernel.spec, as it might cause issues with the real koji builds. (In reply to Josh Boyer from comment #1) > This isn't accurate. The kernel builds just fine in koji because > pesign-rh-test-certs is not used and we use the real HSM. A more accurate > assessment would be that it is needed to build locally or scratch kernels. > However, I'm not sure we can blindly BuildRequire this in kernel.spec, as it > might cause issues with the real koji builds. It seems like the answer is some sort of virtual requires/provides that will normally pull in pesign-rh-test-certs. For example: kernel: BuildRequires: kernel-signing-certs pesign-rh-test-certs: Provides: kernel-signing-certs kernel-signing-certs-empty: Provides: kernel-signing-certs Ideally, a weak dependency could be used to make DNF choose pesign-rh-test-certs by default: pesign: Suggests: pesign-rh-test-certs (AFAIK, there's no such thing as BuildSuggests, so it can really go in the kernel.) pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55 pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55 pesign-0.111-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402 pesign-0.111-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402 pesign-0.111-6.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402 pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55 pesign-0.111-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update pesign' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402 pesign-0.111-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update pesign' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55 pesign-0.111-6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55 pesign-0.111-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update pesign' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55 pesign-0.111-7.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402 pesign-0.111-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55 pesign-0.111-7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update pesign' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55 pesign-0.111-7.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update pesign' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402 pesign-0.111-7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. pesign-0.111-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. |