Bug 2223712

Summary: pesign fails rather than asking for token's password
Product: Red Hat Enterprise Linux 9
Reporter: sgardner
Component: pesign
Assignee: Bootloader engineering team <bootloader-eng-team>
Status: NEW
QA Contact: Oliver Gutiérrez <ogutierr>
Severity: medium
Priority: medium
Version: 9.3
CC: sbarcomb
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Type: Bug
Regression: ---

Description sgardner 2023-07-18 15:29:13 UTC
Description of problem:
The commit 12f16710ee44ef64ddb044a3523c3c4c4d90039a introduced a regression that makes pesign fail instantly instead of asking for a token's password.

This has been noted in upstream issue https://github.com/rhboot/pesign/issues/105.

Version-Release number of selected component (if applicable):
WORKS - pesign-113-21.el9
FAILS - pesign-114-2.el9

How reproducible:
Easily

Steps to Reproduce:
Additional information can be found at https://github.com/rhboot/pesign/issues/105

1. dnf install -y git rpmdevtools softhsm nss-tools pesign
2. mkdir -p $HOME/.config/softhsm2/tokens
3. echo "directories.tokendir = $HOME/.config/softhsm2/tokens" > $HOME/.config/softhsm2/softhsm2.conf
4. softhsm2-util --init-token --label HSM --so-pin Secret.123 --pin Secret.123 --free
5. git clone https://github.com/rhboot/shim.git
6. cd shim/
7. ./make-certs example
8. mkdir ~/.nssdb
9. pk12util -i example.p12 -d ~/.nssdb/ -h HSM
Enter Password or Pin for "HSM": Secret.123
Enter password for PKCS12 file:  (BLANK)
pk12util: PKCS12 IMPORT SUCCESSFUL
10. cd ~
11. dnf download shim
12. rpmdev-extract shim-x64-*.x86_64.rpm
13. cd shim-x64-*.x86_64/boot/efi/EFI/redhat/
14. pesign --remove-signature --signature-number=0 --in=shimx64.efi --out=shimx64.efi.unsigned
15. pesign -t HSM -n ~/.nssdb -c example -i ~/shim-x64-*.x86_64/boot/efi/EFI/redhat/shimx64.efi.unsigned -o ~/shimx64.efi.example -s

Actual results:
# pesign -t HSM -n ~/.nssdb -c example -i ~/shim-x64-*.x86_64/boot/efi/EFI/redhat/shimx64.efi.unsigned -o ~/shimx64.efi.example -s
authentication failed for token "HSM": The security password entered is incorrect.
pesign: Could not find certificate example

Expected results:
# pesign -t HSM -n ~/.nssdb -c example -i ~/shim-x64-*.x86_64/boot/efi/EFI/redhat/shimx64.efi.unsigned -o ~/shimx64.efi.example -s
Enter Password or Pin for "HSM":

Additional info: I checked upstream package pesign-116-2, and this does NOT have a fix available.
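The reproduction steps above can be scripted so the regression is checked the same way on every pesign build under test. The script below is an added example, not part of this bug report or of pesign; it wraps the report's steps in functions and classifies the captured output of the final pesign call as either the immediate "password incorrect" failure (the regression) or the PIN prompt (the expected behaviour). It assumes the packages from step 1 are installed, and the token label HSM, PIN Secret.123 and certificate nickname example are the constructed values from the report, not real credentials. The pk12util -K/-W options are used to supply the token PIN and the empty PKCS#12 password non-interactively.

```shell
#!/bin/sh
# Added example: regression check built from the reproduction steps in this
# report. Not part of the bug report or of pesign itself.
# Assumptions: git, rpmdevtools, softhsm, nss-tools and pesign are installed;
# HSM / Secret.123 / example are the constructed values used in the report.

TOKEN_LABEL="HSM"
TOKEN_PIN="Secret.123"
CERT_NICK="example"
NSSDB="${HOME:-/tmp}/.nssdb"

# classify_pesign_output "<captured stdout+stderr of the final pesign call>"
# Prints one word:
#   regression - pesign bailed out at once with the bogus "password entered is
#                incorrect" error quoted under "Actual results"
#   prompted   - pesign asked for the token PIN, as under "Expected results"
#   other      - anything else; inspect the output by hand
classify_pesign_output() {
    case "$1" in
        *"authentication failed for token"*"password entered is incorrect"*)
            echo regression ;;
        *"Enter Password or Pin for"*)
            echo prompted ;;
        *)
            echo other ;;
    esac
}

# prepare_token: steps 2-9 (SoftHSM token, shim test certificate, NSS database).
prepare_token() {
    mkdir -p "$HOME/.config/softhsm2/tokens" "$NSSDB"
    echo "directories.tokendir = $HOME/.config/softhsm2/tokens" \
        > "$HOME/.config/softhsm2/softhsm2.conf"
    softhsm2-util --init-token --label "$TOKEN_LABEL" \
        --so-pin "$TOKEN_PIN" --pin "$TOKEN_PIN" --free
    [ -d shim ] || git clone https://github.com/rhboot/shim.git
    (cd shim && ./make-certs "$CERT_NICK")
    # make-certs writes a PKCS#12 file with an empty password (step 9);
    # -K supplies the token PIN, -W the (empty) PKCS#12 password.
    pk12util -i "shim/$CERT_NICK.p12" -d "$NSSDB" -h "$TOKEN_LABEL" \
        -K "$TOKEN_PIN" -W ""
}

# prepare_binary: steps 10-14, yields an unsigned shim image to sign.
prepare_binary() {
    cd "$HOME" || return 1
    dnf download shim
    rpmdev-extract shim-x64-*.x86_64.rpm
    cd shim-x64-*.x86_64/boot/efi/EFI/redhat/ || return 1
    pesign --remove-signature --signature-number=0 \
        --in=shimx64.efi --out=shimx64.efi.unsigned
    cd "$HOME" || return 1
}

# run_check: step 15 with stdin closed (so a prompting pesign cannot hang)
# and stdout+stderr captured, then classified. A prompt written straight to
# the terminal would not be captured, so "other" means: rerun interactively.
run_check() {
    out=$(timeout 60 pesign -t "$TOKEN_LABEL" -n "$NSSDB" -c "$CERT_NICK" \
        -i "$HOME"/shim-x64-*.x86_64/boot/efi/EFI/redhat/shimx64.efi.unsigned \
        -o "$HOME/shimx64.efi.$CERT_NICK" -s </dev/null 2>&1)
    verdict=$(classify_pesign_output "$out")
    echo "$(rpm -q pesign): $verdict"
    echo "$out"
    [ "$verdict" != regression ]
}

# Run the full reproduction only when explicitly requested, e.g.
#   PESIGN_REPRO_RUN=1 sh pesign-regression-check.sh
if [ "${PESIGN_REPRO_RUN:-0}" = 1 ]; then
    prepare_token && prepare_binary && run_check
fi
```

Running it against pesign-113-21.el9 and pesign-114-2.el9 should print "prompted" and "regression" respectively; the non-zero exit status of run_check on the regression case lets the script act as a gate in a build or QA pipeline.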