Bug 1283475 - Could not initialize nss: The certificate/key database is in an old, unsupported format.
Summary: Could not initialize nss: The certificate/key database is in an old, unsuppor...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pesign
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-11-19 04:53 UTC by poma
Modified: 2016-02-05 00:22 UTC (History)
15 users (show)

Fixed In Version: pesign-0.111-7.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-28 23:00:10 UTC


Attachments (Terms of Use)
Actual ACL fix for the local kernel build (5.66 KB, patch)
2015-11-23 13:49 UTC, poma
no flags Details | Diff
Obsoletes pesign-rh-test-certs (1.03 KB, patch)
2015-12-07 13:41 UTC, poma
no flags Details | Diff
Obsoletes pesign-rh-test-certs, (re)sets ACLs via service (1.54 KB, patch)
2015-12-10 18:21 UTC, poma
no flags Details | Diff

Description poma 2015-11-19 04:53:47 UTC
Description of problem:
Could not initialize nss: The certificate/key database is in an old, unsupported format.

Version-Release number of selected component (if applicable):
pesign-0.111-1.fc24.x86_64

How reproducible:
101%

Steps to Reproduce:
1. Local Kernel Build, via rpmbuild

Actual results:
Broken Local Kernel Build

Expected results:
Working Local Kernel Build

Additional info:

Rawhide-Local-Build (pesign-0.111):
- kernel-4.4.0-0.rc1.git0.2.fc24
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign ']'
+ '[' x86_64 == x86_64 -o x86_64 == aarch64 ']'
+ '[' 0 -ge 7 -a -f /usr/bin/rpm-sign ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
Could not initialize nss: The certificate/key database is in an old, unsupported format.
error: Bad exit status from /var/tmp/rpm-tmp.MRMhok (%build)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.MRMhok (%build)


rpms:
pesign-0.111-1.fc24.x86_64
nss-tools-3.21.0-3.fc24.x86_64 (certutil)


# rpm -ev pesign-rh-test-certs
Preparing packages...
pesign-rh-test-certs-0.111-1.fc24.x86_64
certutil: could not find certificate named "Red Hat Test Certificate": SEC_ERROR_BAD_DATABASE: security library: bad database.

Comment 1 poma 2015-11-19 04:55:58 UTC
Rawhide-Koji-Build (pesign-0.111):
- kernel-4.4.0-0.rc1.git0.2.fc24

https://kojipkgs.fedoraproject.org//packages/kernel/4.4.0/0.rc1.git0.1.fc24/data/logs/x86_64/build.log
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign ']'
+ '[' x86_64 == x86_64 -o x86_64 == aarch64 ']'
+ '[' 0 -ge 7 -a -f /usr/bin/rpm-sign ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign-client -t 'OpenSC Card (Fedora Signer)' -c '/CN=Fedora Secure Boot Signer' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
+ '[' '!' -s -o vmlinuz.signed ']'
+ '[' '!' -s vmlinuz.signed ']'
+ mv vmlinuz.signed arch/x86/boot/bzImage
...
+ exit 0


https://kojipkgs.fedoraproject.org//packages/kernel/4.4.0/0.rc1.git0.1.fc24/data/logs/x86_64/root.log
rpms:
pesign.x86_64 0.111-1.fc24
nss-tools-3.21.0-3.fc24.x86_64 (certutil)

Comment 2 poma 2015-11-19 04:56:30 UTC
Fedora-22-Local-Build (pesign-0.108):
- kernel-4.4.0-0.rc1.git0.2.fc22
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign -a x86_64 == x86_64 ']'
+ '[' 0 -ge 7 ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
+ '[' '!' -s -o vmlinuz.signed ']'
+ '[' '!' -s vmlinuz.signed ']'
+ mv vmlinuz.signed arch/x86/boot/bzImage
...
+ exit 0


rpms:
pesign-0.108-4.fc22.x86_64
nss-tools-3.20.1-1.0.fc22.x86_64 (certutil)

Comment 3 poma 2015-11-19 04:57:01 UTC
Rawhide-Local-Build (pesign-0.108):
- kernel-4.4.0-0.rc1.git0.2.fc24
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign -a x86_64 == x86_64 ']'
+ '[' 0 -ge 7 ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
+ '[' '!' -s -o vmlinuz.signed ']'
+ '[' '!' -s vmlinuz.signed ']'
+ mv vmlinuz.signed arch/x86/boot/bzImage
...
+ exit 0


rpms:
pesign-0.108-4.fc24.x86_64 (fc22 rebuild)
nss-tools-3.21.0-3.fc24.x86_64 (certutil)

Comment 4 poma 2015-11-19 05:00:01 UTC
%global signmodules 0 - is not an option.

Comment 5 poma 2015-11-19 05:02:56 UTC
Interesting, pesign-0.111 works for Koji-Build but not for Local-Build.

Comment 6 poma 2015-11-19 05:06:23 UTC
Mister Jones, comment?

Comment 7 Clive Messer 2015-11-19 11:02:25 UTC
Yep, I've just run into this as well, having updated pesign. 

/usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
Could not initialize nss: The certificate/key database is in an old, unsupported format.
error: Bad exit status from /var/tmp/rpm-tmp.Yl84lN (%build)

Comment 8 Fedora Update System 2015-11-19 18:43:10 UTC
pesign-0.111-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 9 Fedora Update System 2015-11-19 18:45:11 UTC
pesign-0.111-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 10 Peter Jones 2015-11-19 19:34:44 UTC
This update should fix mock builds with no additional action.  To fix local builds, add your username to /etc/pesign/users and run /usr/libexec/pesign/pesign-authorize-users as root.

Comment 11 Clive Messer 2015-11-19 23:55:51 UTC
Peter, to obtain the previous behaviour, ie. pesign works for any local user without additional configuration, what should I do? Will wildcards work? Can I put '*' in /etc/pesign/users?

Comment 12 Clive Messer 2015-11-20 00:58:37 UTC
Am I doing something wrong? I've started the pesign service, added my local user name, (the user running the kernel rpmbuild), to /etc/pesign/users, run /usr/libexec/pesign/pesign-authorize-users....

Now when building, I get....

/usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
cms_common.c:find_certificate:469: could not find certificate in list: security library: bad database.
pesign: Could not find certificate Red Hat Test Certificate
error: Bad exit status from /var/tmp/rpm-tmp.MkAwDm (%build)

Comment 13 H.J. Lu 2015-11-20 02:40:30 UTC
(In reply to Fedora Update System from comment #8)
> pesign-0.111-2.fc23 has been submitted as an update to Fedora 23.
> https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Mock still failed to build Fedora 23 kernel on Fedora 22:

+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign ']'
+ '[' x86_64 == x86_64 -o x86_64 == aarch64 ']'
+ '[' 0 -ge 7 -a -f /usr/bin/rpm-sign ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
Could not initialize nss: The certificate/key database is in an old, unsupported format.
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.hp1NTW (%build)
    Bad exit status from /var/tmp/rpm-tmp.hp1NTW (%build)
Child return code was: 1

Comment 14 poma 2015-11-20 06:37:16 UTC
(In reply to Peter Jones from comment #10)
> This update should fix mock builds with no additional action.

mockbuild didn't fall into:
...
  Installing : pesign-0.111-2.fc24.x86_64
Module "opensc" added to database.
  Installing : pesign-rh-test-certs-0.111-2.fc24.x86_64
warning: %post(pesign-rh-test-certs-0.111-2.fc24.x86_64) scriptlet failed, exit status 2
Non-fatal POSTIN scriptlet failure in rpm package pesign-rh-test-certs-0.111-2.fc24.x86_64
  Verifying  : pesign-rh-test-certs-0.111-2.fc24.x86_64
  Verifying  : pesign-0.111-2.fc24.x86_64
...

POSTIN:
certutil --merge -d /etc/pki/pesign/ --source-dir /etc/pki/pesign/rh-test-certs/
getent passwd mockbuild >/dev/null && \
	echo mockbuild >> /etc/pesign/users &&
	/usr/libexec/pesign/pesign-authorize-users


# file /etc/pesign/users
/etc/pesign/users: empty

> To fix local builds,
> add your username to /etc/pesign/users and run
> /usr/libexec/pesign/pesign-authorize-users as root.

I set it as pesign-0.108:

/usr/libexec/pesign/pesign-authorize-others:
#!/bin/bash
#
# Set file permissions to other
# man 1 setfacl
#
# License: GPLv2

if [[ -r /etc/pki/pesign ]]; then
        setfacl -m o::rx /var/run/pesign
        setfacl -m o::rw /var/run/pesign/socket
        setfacl -m o::rx /etc/pki/pesign
        setfacl -m o::r /etc/pki/pesign/{cert8,key3,secmod}.db
        setfacl -m o::rx /etc/pki/pesign/rh-test-certs
        setfacl -m o::r /etc/pki/pesign/rh-test-certs/{cert8,key3,secmod}.db
fi

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# getfacl -R /etc/pki/pesign | egrep file\|other
...
# file: etc/pki/pesign
other::r-x
# file: etc/pki/pesign/cert8.db
other::r--
# file: etc/pki/pesign/secmod.db
other::r--
# file: etc/pki/pesign/rh-test-certs
other::r-x
# file: etc/pki/pesign/rh-test-certs/cert8.db
other::r--
# file: etc/pki/pesign/rh-test-certs/secmod.db
other::r--
# file: etc/pki/pesign/rh-test-certs/key3.db
other::r--
# file: etc/pki/pesign/key3.db
other::r--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign ']'
+ '[' x86_64 == x86_64 -o x86_64 == aarch64 ']'
+ '[' 0 -ge 7 -a -f /usr/bin/rpm-sign ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
+ '[' '!' -s -o vmlinuz.signed ']'
+ '[' '!' -s vmlinuz.signed ']'
+ mv vmlinuz.signed arch/x86/boot/bzImage
...
+ exit 0

Comment 15 Bastien Nocera 2015-11-20 09:58:47 UTC
(In reply to Fedora Update System from comment #8)
> pesign-0.111-2.fc23 has been submitted as an update to Fedora 23.
> https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

That worked for me.

Comment 16 Fedora Update System 2015-11-20 10:21:45 UTC
pesign-0.111-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 17 Fedora Update System 2015-11-20 11:24:12 UTC
pesign-0.111-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 18 Fedora Update System 2015-11-21 00:37:07 UTC
pesign-0.111-3.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 19 Fedora Update System 2015-11-21 00:37:36 UTC
pesign-0.111-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 20 Fedora Update System 2015-11-21 17:53:02 UTC
pesign-0.111-3.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 21 Fedora Update System 2015-11-22 14:26:42 UTC
pesign-0.111-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 22 poma 2015-11-23 13:49:09 UTC
Created attachment 1097647 [details]
Actual ACL fix for the local kernel build


# cat /etc/pesign/users
test

# cat /etc/pesign/groups
builders

# getent passwd test
test:x:1002:1002::/home/test:/bin/bash

# getent group builders 
builders:x:1001:poma

~~~~~~~~~~~~~~~~~~~~~~~~~~
...
Transaction test succeeded
Running transaction (shutdown inhibited)
  Updating   : pesign-0.111-4.fc24.x86_64
  Updating   : pesign-rh-test-certs-0.111-4.fc24.x86_64
  Cleanup    : pesign-rh-test-certs-0.111-3.fc24.x86_64
  Cleanup    : pesign-0.111-3.fc24.x86_64
  Verifying  : pesign-rh-test-certs-0.111-4.fc24.x86_64
  Verifying  : pesign-0.111-4.fc24.x86_64
  Verifying  : pesign-0.111-3.fc24.x86_64
  Verifying  : pesign-rh-test-certs-0.111-3.fc24.x86_64

Updated:
  pesign.x86_64 0:0.111-4.fc24
  pesign-rh-test-certs.x86_64 0:0.111-4.fc24             

Complete!


No more "Non-fatal POSTIN scriptlet failure"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# getfacl /etc/pki/pesign
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/pesign
# owner: pesign
# group: pesign
user::rwx
user:test:r-x
group::rwx
group:builders:r-x
mask::rwx
other::---


# getfacl /etc/pki/pesign/{cert8,key3,secmod}.db
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/pesign/cert8.db
# owner: pesign
# group: pesign
user::rw-
user:test:r--
group::rw-
group:builders:r--
mask::rw-
other::---

# file: etc/pki/pesign/key3.db
# owner: pesign
# group: pesign
user::rw-
user:test:r--
group::rw-
group:builders:r--
mask::rw-
other::---

# file: etc/pki/pesign/secmod.db
# owner: pesign
# group: pesign
user::rw-
user:test:r--
group::rw-
group:builders:r--
mask::rw-
other::---


groups to groups, users to users

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[poma@lnx SPECS]$ rpmbuild -ba kernel.spec
...
+ '[' -f arch/x86_64/boot/zImage.stub ']'
+ '[' -x /usr/bin/pesign ']'
+ '[' x86_64 == x86_64 -o x86_64 == aarch64 ']'
+ '[' 0 -ge 7 -a -f /usr/bin/rpm-sign ']'
+ '[' -S /var/run/pesign/socket ']'
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
+ '[' '!' -s -o vmlinuz.signed ']'
+ '[' '!' -s vmlinuz.signed ']'
+ mv vmlinuz.signed arch/x86/boot/bzImage
...

Comment 23 poma 2015-11-23 13:55:49 UTC
http://pkgs.fedoraproject.org/cgit/pesign.git/tree/pesign.spec#n159
Related: rhbz#1283745

Mister Jones, will it be 745 or 475? ;)

Comment 24 poma 2015-11-23 14:26:00 UTC
Here is a test build:
http://goo.gl/Gm4ffO
signum/
pesign-0.111-4.fc24.src.rpm
pesign-0.111-4.fc24.x86_64.rpm
pesign-rh-test-certs-0.111-4.fc24.x86_64.rpm
pesign.sha256sum.txt

Comment 25 Ian Pilcher 2015-11-23 15:20:51 UTC
(In reply to poma from comment #24)
> Here is a test build:

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1284561

Comment 26 Ian Pilcher 2015-11-23 16:33:46 UTC
(In reply to Clive Messer from comment #12)
> Am I doing something wrong? I've started the pesign service, added my local
> user name, (the user running the kernel rpmbuild), to /etc/pesign/users, run
> /usr/libexec/pesign/pesign-authorize-users....
> 
> Now when building, I get....
> 
> /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o
> vmlinuz.signed -s
> cms_common.c:find_certificate:469: could not find certificate in list:
> security library: bad database.
> pesign: Could not find certificate Red Hat Test Certificate
> error: Bad exit status from /var/tmp/rpm-tmp.MkAwDm (%build)

I'm now getting this error with pesign-0.111-4.fc24.x86_64.rpm.

Comment 27 poma 2015-11-24 02:23:17 UTC
(In reply to Ian Pilcher from comment #26)
> (In reply to Clive Messer from comment #12)
> > Am I doing something wrong? I've started the pesign service, added my local
> > user name, (the user running the kernel rpmbuild), to /etc/pesign/users, run
> > /usr/libexec/pesign/pesign-authorize-users....
> > 
> > Now when building, I get....
> > 
> > /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o
> > vmlinuz.signed -s
> > cms_common.c:find_certificate:469: could not find certificate in list:
> > security library: bad database.
> > pesign: Could not find certificate Red Hat Test Certificate
> > error: Bad exit status from /var/tmp/rpm-tmp.MkAwDm (%build)
> 
> I'm now getting this error with pesign-0.111-4.fc24.x86_64.rpm.


Can you paste here output of:

$ rpm -q pesign pesign-rh-test-certs
$ getent passwd $(whoami)
$ getent group | grep $(whoami)
# cat /etc/pesign/groups
# cat /etc/pesign/users
# getfacl /etc/pki/pesign
# getfacl /etc/pki/pesign/{cert8,key3,secmod}.db

PRIOR TO starting building kernel locally:
$ rpmbuild -ba kernel.spec

Comment 28 Ian Pilcher 2015-11-24 16:12:16 UTC
(In reply to poma from comment #27)
> 
> Can you paste here output of:
> 
> $ rpm -q pesign pesign-rh-test-certs

$ rpm -q pesign pesign-rh-test-certs
pesign-0.111-4.fc24.x86_64
package pesign-rh-test-certs is not installed

So there's the problem.  Shouldn't that be a buildreq?

Comment 29 H.J. Lu 2015-11-24 16:30:20 UTC
(In reply to Ian Pilcher from comment #28)
> 
> So there's the problem.  Shouldn't that be a buildreq?

See PR 1284063.

Comment 30 Josh Boyer 2015-11-24 17:56:15 UTC
No, it cannot be.  At least not until Peter and I figure it out.  It's being tracked in the bug H.J. points to.

Comment 31 Alexandre Oliva 2015-11-28 04:47:28 UTC
I've got pesign-0.111-3.fc[23] installed onto f2[23] mock roots before trying x86_64 kernel builds, but the mock build still fails with the error from the initial report.  Do I have to install pesign in the build root, too?  Would it matter that it's a chroot itself?

Comment 32 Pavel Alexeev 2015-11-28 17:27:33 UTC
It still fails even in koji:
https://kojipkgs.fedoraproject.org//work/tasks/3949/12003949/build.log:
+ /usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s
Could not initialize nss: The certificate/key database is in an old, unsupported format.

Comment 33 Fedora Update System 2015-12-01 20:51:24 UTC
pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 34 Fedora Update System 2015-12-01 20:53:04 UTC
pesign-0.111-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 35 poma 2015-12-02 08:17:39 UTC
http://pkgs.fedoraproject.org/cgit/pesign.git/commit/?id=d983376
-  Related: rhbz#1283745
+  Related: rhbz#1283475

Comment 36 Edward O'Callaghan 2015-12-02 16:15:57 UTC
(In reply to Fedora Update System from comment #33)
> pesign-0.111-5.fc23 has been submitted as an update to Fedora 23.
> https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

This update fixed the issue for me. Thanks!

Comment 37 Fedora Update System 2015-12-02 19:00:41 UTC
pesign-0.111-6.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 38 Fedora Update System 2015-12-02 19:04:35 UTC
pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 39 Fedora Update System 2015-12-02 22:52:26 UTC
pesign-0.111-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 40 Fedora Update System 2015-12-04 01:38:36 UTC
pesign-0.111-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 41 poma 2015-12-07 13:39:32 UTC
# yum -q --disablerepo \* --enablerepo updates-testing update pesign
Error: Package: pesign-rh-test-certs-0.111-1.fc22.x86_64 (@updates)
           Requires: pesign = 0.111-1.fc22
           Removing: pesign-0.111-1.fc22.x86_64 (@updates)
               pesign = 0.111-1.fc22
           Updated By: pesign-0.111-6.fc22.x86_64 (updates-testing)
               pesign = 0.111-6.fc22
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest


# dnf --disablerepo \* --enablerepo updates-testing update pesign
Last metadata expiration check performed 0:04:15 ago on Mon Dec  7 14:17:35 2015.
Dependencies resolved.
==================================================================================
 Package        Arch           Version              Repository               Size
==================================================================================
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 pesign         x86_64         0.111-6.fc22         updates-testing         108 k

Transaction Summary
==================================================================================
Skip  1 Package

Nothing to do.
Complete!

Comment 42 poma 2015-12-07 13:41:35 UTC
Created attachment 1103224 [details]
Obsoletes pesign-rh-test-certs


# yum -q --disablerepo \* update ./pesign-0.111-7.fc22.x86_64.rpm
 
===================================================================================
 Package     Arch        Version            Repository                        Size
===================================================================================
Installing:
 pesign      x86_64      0.111-7.fc22       /pesign-0.111-7.fc22.x86_64      440 k
     replacing  pesign-rh-test-certs.x86_64 0.111-1.fc22

Transaction Summary
===================================================================================
Install  1 Package

Is this ok [y/d/N]: y


# dnf --disablerepo \* update ./pesign-0.111-7.fc22.x86_64.rpmDependencies resolved.
===================================================================================
 Package         Arch            Version               Repository             Size
===================================================================================
Upgrading:
 pesign          x86_64          0.111-7.fc22          @commandline          107 k
     replacing  pesign-rh-test-certs.x86_64 0.111-1.fc22

Transaction Summary
===================================================================================
Upgrade  1 Package

Total size: 107 k
Is this ok [y/N]: y

Comment 43 Peter Jones 2015-12-07 18:38:28 UTC
So - this looks like it means this will work against the actual repos, it just failed because you have things from updates-testing that were never pushed past that installed?

Comment 44 poma 2015-12-08 09:57:22 UTC
(In reply to Peter Jones from comment #43)
> So - this looks like it means this will work against the actual repos, it
> just failed because you have things from updates-testing that were never
> pushed past that installed?

This is stable Fedora 22, with no related updates-testing pkgs,
so at least to me, it is relevant for this particular testing.

Here is an example with the actual local repo,

# yum -q --disablerepo \* --enablerepo signum-testing update
Error: Package: pesign-rh-test-certs-0.111-1.fc22.x86_64 (@updates)
           Requires: pesign = 0.111-1.fc22
           Removing: pesign-0.111-1.fc22.x86_64 (@updates)
               pesign = 0.111-1.fc22
           Updated By: pesign-0.111-6.fc22.x86_64 (signum-testing)
               pesign = 0.111-6.fc22
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest


# dnf --disablerepo \* --enablerepo signum-testing update
Fedora Signum 22 - x86_64 - Updates              76 kB/s | 1.7 kB     00:00    
Last metadata expiration check performed 0:00:01 ago on Tue Dec  8 10:42:32 2015.
Dependencies resolved.
================================================================================
 Package       Arch          Version                Repository             Size
================================================================================
Skipping packages with broken dependencies:
 pesign        x86_64        0.111-6.fc22           signum-testing        107 k

Transaction Summary
================================================================================
Skip  1 Package

Nothing to do.
Complete!

Comment 45 poma 2015-12-08 10:12:32 UTC
w/ Obsoletes: pesign-rh-test-certs,

# yum -q --disablerepo \* --enablerepo signum-testing update

================================================================================
 Package       Arch          Version                Repository             Size
================================================================================
Installing:
 pesign        x86_64        0.111-7.fc22           signum-testing        107 k
     replacing  pesign-rh-test-certs.x86_64 0.111-1.fc22

Transaction Summary
================================================================================
Install  1 Package

Is this ok [y/d/N]: y


# dnf --disablerepo \* --enablerepo signum-testing update
Last metadata expiration check performed 0:00:33 ago on Tue Dec  8 11:08:40 2015.
Dependencies resolved.
================================================================================
 Package       Arch          Version                Repository             Size
================================================================================
Upgrading:
 pesign        x86_64        0.111-7.fc22           signum-testing        107 k
     replacing  pesign-rh-test-certs.x86_64 0.111-1.fc22

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 107 k
Is this ok [y/N]: y

Comment 46 Peter Jones 2015-12-08 15:07:23 UTC
But how do you have any dep about pesign-rh-test-certs?  It only ever existed in updates-testing.

Comment 47 Fedora Update System 2015-12-08 15:28:45 UTC
pesign-0.111-6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 48 poma 2015-12-08 16:16:43 UTC
(In reply to Peter Jones from comment #46)
> But how do you have any dep about pesign-rh-test-certs?  It only ever
> existed in updates-testing.

http://dl.fedoraproject.org/pub/fedora/linux/updates/22/x86_64/p/pesign-rh-test-certs-0.111-1.fc22.x86_64.rpm

Comment 50 Fedora Update System 2015-12-08 22:58:52 UTC
pesign-0.111-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 51 Alexandre Oliva 2015-12-10 03:50:31 UTC
pesign-0.111-6.fc* enabled me to build newer GNU Linux-libre Freed-ora RPMS in mock buildroots, thanks.  I tried to provide positive feedback through bodhi, but I guess it doesn't like my rejecting cookies or not running Javascript or somesuch, because my comments seem to have been dropped on the floor :-(

Comment 52 poma 2015-12-10 18:21:33 UTC
Created attachment 1104471 [details]
Obsoletes pesign-rh-test-certs, (re)sets ACLs via service


"Automatically" - via service, resolves ACLs upon update and reinstall, 
so there is no need to manually run /usr/libexec/pesign/pesign-authorize-{groups,users}.

Comment 53 Fedora Update System 2015-12-10 20:39:05 UTC
pesign-0.111-7.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 54 Fedora Update System 2015-12-10 20:40:17 UTC
pesign-0.111-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 55 poma 2015-12-10 21:12:48 UTC
Just for the record,

http://pkgs.fedoraproject.org/cgit/pesign.git/tree/pesign.spec#n88
%systemd_post pesign.service

probably has no effect,
see for yourself what "%systemd_post" macro actually is,

https://github.com/systemd/systemd/blob/master/src/core/macros.systemd.in#L39
%systemd_post() \
if [ $1 -eq 1 ] ; then \
        # Initial installation \
        systemctl --no-reload preset %{?*} >/dev/null 2>&1 || : \
fi \
%{nil}

"preset" is about

https://github.com/systemd/systemd/blob/master/man/systemctl.xml#L1077
...
... This has the same effect as ... disable ... or ... enable ...


# systemctl enable pesign.service
The unit files have no [Install] section. They are not meant to be enabled
using systemctl.
...


Arrivederci

Comment 56 Fedora Update System 2015-12-11 06:02:41 UTC
pesign-0.111-7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 57 Fedora Update System 2015-12-11 19:58:16 UTC
pesign-0.111-7.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 58 Fedora Update System 2015-12-28 22:59:55 UTC
pesign-0.111-7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 59 Fedora Update System 2016-02-05 00:22:08 UTC
pesign-0.111-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.