Bug 1284063 - Need pesign-rh-test-certs to build kernel
Summary: Need pesign-rh-test-certs to build kernel
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-11-20 16:58 UTC by H.J. Lu
Modified: 2016-02-05 00:22 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-28 23:00:19 UTC


Attachments (Terms of Use)

Description H.J. Lu 2015-11-20 16:58:43 UTC
pesign-rh-test-certs is required to build Fedora 23 kernel.

Comment 1 Josh Boyer 2015-11-20 17:08:06 UTC
This isn't accurate.  The kernel builds just fine in koji because pesign-rh-test-certs is not used and we use the real HSM.  A more accurate assessment would be that it is needed to build locally or scratch kernels.  However, I'm not sure we can blindly BuildRequire this in kernel.spec, as it might cause issues with the real koji builds.

Comment 2 Ian Pilcher 2015-11-24 17:32:14 UTC
(In reply to Josh Boyer from comment #1)
> This isn't accurate.  The kernel builds just fine in koji because
> pesign-rh-test-certs is not used and we use the real HSM.  A more accurate
> assessment would be that it is needed to build locally or scratch kernels. 
> However, I'm not sure we can blindly BuildRequire this in kernel.spec, as it
> might cause issues with the real koji builds.

It seems like the answer is some sort of virtual requires/provides that will normally pull in pesign-rh-test-certs.  For example:

  kernel:
    BuildRequires:  kernel-signing-certs

  pesign-rh-test-certs:
    Provides:       kernel-signing-certs

  kernel-signing-certs-empty:
    Provides:       kernel-signing-certs

Ideally, a weak dependency could be used to make DNF choose pesign-rh-test-certs by default:

  pesign:
    Suggests:       pesign-rh-test-certs

(AFAIK, there's no such thing as BuildSuggests, so it can really go in the kernel.)

Comment 3 Fedora Update System 2015-12-01 20:51:28 UTC
pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 4 Fedora Update System 2015-12-01 20:51:40 UTC
pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 5 Fedora Update System 2015-12-01 20:53:06 UTC
pesign-0.111-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 6 Fedora Update System 2015-12-01 20:53:14 UTC
pesign-0.111-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 7 Fedora Update System 2015-12-02 19:00:51 UTC
pesign-0.111-6.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 8 Fedora Update System 2015-12-02 19:04:45 UTC
pesign-0.111-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 9 Fedora Update System 2015-12-02 22:52:35 UTC
pesign-0.111-6.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 10 Fedora Update System 2015-12-04 01:38:44 UTC
pesign-0.111-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 11 Fedora Update System 2015-12-08 15:29:03 UTC
pesign-0.111-6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 12 Fedora Update System 2015-12-08 22:59:02 UTC
pesign-0.111-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 13 Fedora Update System 2015-12-10 20:39:23 UTC
pesign-0.111-7.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 14 Fedora Update System 2015-12-10 20:40:27 UTC
pesign-0.111-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 15 Fedora Update System 2015-12-11 06:02:52 UTC
pesign-0.111-7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8ea56fd55

Comment 16 Fedora Update System 2015-12-11 19:58:24 UTC
pesign-0.111-7.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pesign'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9d7c4ff402

Comment 17 Fedora Update System 2015-12-28 23:00:04 UTC
pesign-0.111-7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2016-02-05 00:22:17 UTC
pesign-0.111-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.