Bug 1284063 - Need pesign-rh-test-certs to build kernel
Need pesign-rh-test-certs to build kernel
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
23
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-20 11:58 EST by H.J. Lu
Modified: 2016-02-04 19:22 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-28 18:00:19 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description H.J. Lu 2015-11-20 11:58:43 EST
pesign-rh-test-certs is required to build Fedora 23 kernel.
Comment 1 Josh Boyer 2015-11-20 12:08:06 EST
This isn't accurate.  The kernel builds just fine in koji because pesign-rh-test-certs is not used and we use the real HSM.  A more accurate assessment would be that it is needed to build locally or scratch kernels.  However, I'm not sure we can blindly BuildRequire this in kernel.spec, as it might cause issues with the real koji builds.
Comment 2 Ian Pilcher 2015-11-24 12:32:14 EST
(In reply to Josh Boyer from comment #1)
> This isn't accurate.  The kernel builds just fine in koji because
> pesign-rh-test-certs is not used and we use the real HSM.  A more accurate
> assessment would be that it is needed to build locally or scratch kernels. 
> However, I'm not sure we can blindly BuildRequire this in kernel.spec, as it
> might cause issues with the real koji builds.

It seems like the answer is some sort of virtual requires/provides that will normally pull in pesign-rh-test-certs.  For example:

  kernel:
    BuildRequires:  kernel-signing-certs

  pesign-rh-test-certs:
    Provides:       kernel-signing-certs

  kernel-signing-certs-empty:
    Provides:       kernel-signing-certs

Ideally, a weak dependency could be used to make DNF choose pesign-rh-test-certs by default:

  pesign:
    Suggests:       pesign-rh-test-certs

(AFAIK, there's no such thing as BuildSuggests, so it can really go in the kernel.)
Comment 3 Fedora Update System 2015-12-01 15:51:28 EST
pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 4 Fedora Update System 2015-12-01 15:51:40 EST
pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 5 Fedora Update System 2015-12-01 15:53:06 EST
pesign-0.111-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 6 Fedora Update System 2015-12-01 15:53:14 EST
pesign-0.111-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 7 Fedora Update System 2015-12-02 14:00:51 EST
pesign-0.111-6.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 8 Fedora Update System 2015-12-02 14:04:45 EST
pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 9 Fedora Update System 2015-12-02 17:52:35 EST
pesign-0.111-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 10 Fedora Update System 2015-12-03 20:38:44 EST
pesign-0.111-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 11 Fedora Update System 2015-12-08 10:29:03 EST
pesign-0.111-6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 12 Fedora Update System 2015-12-08 17:59:02 EST
pesign-0.111-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 13 Fedora Update System 2015-12-10 15:39:23 EST
pesign-0.111-7.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 14 Fedora Update System 2015-12-10 15:40:27 EST
pesign-0.111-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 15 Fedora Update System 2015-12-11 01:02:52 EST
pesign-0.111-7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55
Comment 16 Fedora Update System 2015-12-11 14:58:24 EST
pesign-0.111-7.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402
Comment 17 Fedora Update System 2015-12-28 18:00:04 EST
pesign-0.111-7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2016-02-04 19:22:17 EST
pesign-0.111-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.