Bug 991808

Summary: pesign returning 0 length files on SC error
Product: [Fedora] Fedora Reporter: Richard W.M. Jones <rjones>
Component: pesignAssignee: Peter Jones <pjones>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: awilliam, dgboles, gansalmon, itamar, joachim.backes, jonathan, kernel-maint, kevin, madhu.chinakonda, marbolangos, pjones
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: kernel-3.10.5-201.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-09 17:12:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
screenshot of failed boot none

Description Richard W.M. Jones 2013-08-04 15:14:17 UTC 
Created attachment 782502 [details]
screenshot of failed boot

Description of problem:

(See attached screenshot)

The rawhide kernel is truncated (zero bytes long).  I first
noticed this because it breaks libguestfs tests in Rawhide.

Version-Release number of selected component (if applicable):

kernel-3.11.0-0.rc3.git4.1.fc20 (x86-64)
build: http://koji.fedoraproject.org/koji/buildinfo?buildID=448178

How reproducible:

100%

Additional info:

See size of vmlinuz file here:
http://koji.fedoraproject.org/koji/rpminfo?rpmID=4275086
Comment 1 Kevin Fenzi 2013-08-04 16:58:18 UTC 
This may be a builder failure. 

I noticed some errors related to pesign about that time. Will investigate more.
Comment 2 Kevin Fenzi 2013-08-04 21:20:00 UTC 
Yeah, so it looks like pesign failed: 

Aug  4 01:28:15 bkernel01.phx2.fedoraproject.org pesignd[16677]: attempting to sign with key "OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer"
Aug  4 01:28:15 bkernel01.phx2.fedoraproject.org pcscd: openct/proto-t1.c:177:t1_transceive() T=1 state machine is DEAD. Reset the card first.
Aug  4 01:28:15 bkernel01.phx2.fedoraproject.org pcscd: ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
Aug  4 01:28:15 bkernel01.phx2.fedoraproject.org pcscd: winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
Aug  4 01:28:15 bkernel01.phx2.fedoraproject.org pesignd[16677]: error signing data: A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.

I updated and rebooted the builder and it seems ok now. 

We should likely add some checks to the pesign call in the kernel spec to fail the build if signing fails or produces a 0 length vmlinuz.sign.
Comment 3 Josh Boyer 2013-08-05 00:27:54 UTC 
(In reply to Kevin Fenzi from comment #2)
> Yeah, so it looks like pesign failed: 
> 
> Aug  4 01:28:15 bkernel01.phx2.fedoraproject.org pesignd[16677]: attempting
> to sign with key "OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer"
> Aug  4 01:28:15 bkernel01.phx2.fedoraproject.org pcscd:
> openct/proto-t1.c:177:t1_transceive() T=1 state machine is DEAD. Reset the
> card first.
> Aug  4 01:28:15 bkernel01.phx2.fedoraproject.org pcscd:
> ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
> Aug  4 01:28:15 bkernel01.phx2.fedoraproject.org pcscd:
> winscard.c:1606:SCardTransmit() Card not transacted: 0x80100016
> Aug  4 01:28:15 bkernel01.phx2.fedoraproject.org pesignd[16677]: error
> signing data: A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that
> an unrecoverable error has occurred.
> 
> I updated and rebooted the builder and it seems ok now. 
> 
> We should likely add some checks to the pesign call in the kernel spec to
> fail the build if signing fails or produces a 0 length vmlinuz.sign.

Adding Peter to CC.

If the pesign client fails and returns a correct return code, the %pesign macro should probably catch it.

Otherwise (or in addition to), we can test for a zero file length, but the kernel isn't the only thing using pesign so it's likely best to fix it in the macro if we can.
Comment 4 Josh Boyer 2013-08-05 00:35:02 UTC 
And... now actually adding Peter on CC.  Because I just wanted to fake everyone out the first time I said that.
Comment 5 Adam Williamson 2013-08-07 05:23:57 UTC 
Sounds like this is affecting the latest f19 build too:

https://lists.fedoraproject.org/pipermail/test/2013-August/117289.html
Comment 6 Josh Boyer 2013-08-07 12:56:20 UTC 
Moving this to pesign.  The check for zero length files should probably be done in the %pesign macro.
Comment 7 Josh Boyer 2013-08-07 12:56:42 UTC 
*** Bug 994333 has been marked as a duplicate of this bug. ***
Comment 8 Josh Boyer 2013-08-07 12:57:00 UTC 
*** Bug 994386 has been marked as a duplicate of this bug. ***
Comment 9 Fedora Update System 2013-08-07 20:48:07 UTC 
kernel-3.10.5-201.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/kernel-3.10.5-201.fc19
Comment 10 Fedora Update System 2013-08-09 17:12:40 UTC 
kernel-3.10.5-201.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.