Bug 1827902

Summary: pesign uses deprecated NSS DB format, leading to kernel build failing on Rawhide
Product: Fedora
Reporter: Ondrej Mosnacek <omosnace>
Component: pesign
Assignee: Peter Jones <pjones>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: rawhide
CC: dueno, fmartine, jcline, kernel-maint, mjg59, pbrobinson, pjones, zbyszek
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pesign-0.112-31.fc33
Last Closed: 2020-07-21 15:07:44 UTC
Type: Bug
Attachments: certs.tar.gz with sql database files

Description Ondrej Mosnacek 2020-04-25 10:19:54 UTC
Description of problem:
The latest Rawhide build of NSS removed support for the legacy DBM format [1]. Pesign still ships DBs in this old format and thus it becomes unusable with the new NSS and breaks kernel build on Rawhide.

[1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/YZ2UCDLZIFXRREYTAS6CPJQY54SCGNK7/


Version-Release number of selected component (if applicable):
pesign-0.112-30.fc33
nss-3.51.1-1.fc33

How reproducible:
100%

Steps to Reproduce:
1. Run a scratch build of kernel on x86_64 rawhide.

Actual results:
The build fails with:

+ /usr/bin/pesign -c 'Red Hat Test Certificate' --certdir /etc/pki/pesign-rh-test -i arch/x86/boot/bzImage -o vmlinuz.signed -s
pesign: Could not initialize nss.
NSS says "The certificate/key database is in an old, unsupported format." errno says "No such file or directory"
error: Bad exit status from /var/tmp/rpm-tmp.FGCBoV (%build)
RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.FGCBoV (%build)
Child return code was: 1

Example failed scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=43737603

Expected results:
Pesign doesn't fail the build.

Additional info:
There is a 2+-year-old upstream ticket for this: https://github.com/rhboot/pesign/issues/34

Comment 1 Daiki Ueno 2020-06-02 09:49:38 UTC
Created attachment 1694375: certs.tar.gz with sql database files

Hello Peter,

Is there any blocker on this? I think only certs.tar.xz needs an update to have both sqlite and dbm database files. I'm attaching one I created with:

 $ fedpkg prep
 $ tar xf certs.tar.xz
 $ cd etc/pki
 $ certutil --merge -d pesign --source-dir pesign
 $ certutil --merge -d pesign-rh-test --source-dir pesign-rh-test
 $ cd -
 $ tar jcf certs.tar.xz etc
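A check-and-convert helper for the situation in this bug, added here as an example and not part of the bug report or of pesign: it classifies an NSS certificate directory by the files present (cert8.db/key3.db for the legacy DBM format, cert9.db/key4.db for the SQLite format) and converts a DBM-only directory with certutil --merge as comment 1 does, but with the explicit sql: and dbm: directory prefixes so the result does not depend on NSS's default database type. The directory names and the empty .db files below are constructed sample input.

```shell
#!/bin/sh
# Example helper (not from the bug or from pesign): detect and convert
# legacy-format NSS certificate databases such as pesign's certdirs.

# Print "sql", "dbm", "both" or "none" for the NSS DB directory given as $1,
# based on the files each database type keeps on disk.
nssdb_format() {
    dir=$1
    have_sql=0; have_dbm=0
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && have_sql=1
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && have_dbm=1
    case "$have_sql$have_dbm" in
        10) echo sql ;;
        01) echo dbm ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Convert a DBM-only directory in place: create an empty SQLite DB next to
# the old files, then merge the DBM contents into it. The old cert8.db/key3.db
# are left untouched so nothing is lost if the merge fails. Requires certutil.
nssdb_convert() {
    dir=$1
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 2; }
    [ "$(nssdb_format "$dir")" = dbm ] || { echo "$dir is not a DBM-only database" >&2; return 1; }
    certutil -N --empty-password -d "sql:$dir" &&
    certutil --merge -d "sql:$dir" --source-dir "dbm:$dir"
}

# Constructed sample: two directories shaped like the pesign certdirs, one in
# each format (empty files are enough for the format check).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/pesign-rh-test" "$demo/pesign"
touch "$demo/pesign-rh-test/cert8.db" "$demo/pesign-rh-test/key3.db"   # legacy DBM
touch "$demo/pesign/cert9.db" "$demo/pesign/key4.db"                    # SQLite
for d in pesign-rh-test pesign; do
    printf '%s: %s\n' "$d" "$(nssdb_format "$demo/$d")"
done
```

Run nssdb_convert on a directory that reports "dbm" to produce the cert9.db/key4.db pair pesign needs with the new NSS.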

Comment 2 Javier Martinez Canillas 2020-06-08 16:34:46 UTC
(In reply to Daiki Ueno from comment #1)
> Created attachment 1694375: certs.tar.gz with sql database files
> 
> Hello Peter,
> 
> Is there any blocker on this? I think only certs.tar.xz needs an update to
> have both sqlite and dbm database files. I'm attaching one I created with:
> 
>  $ fedpkg prep
>  $ tar xf certs.tar.xz
>  $ cd etc/pki
>  $ certutil --merge -d pesign --source-dir pesign
>  $ certutil --merge -d pesign-rh-test --source-dir pesign-rh-test
>  $ cd -
>  $ tar jcf certs.tar.xz etc

Thanks, at the end I just updated the certs.tar.xz to the SQLite database file format since there isn't really a reason to keep the old Berkeley DB.

Comment 3 Zbigniew Jędrzejewski-Szmek 2020-07-18 14:07:48 UTC
F33 now has pesign-113-10.fc33, i.e. a later version. Can this be closed?