Bug 1295750 - pesign attempts to sign custom kernel even though EFI is not available
pesign attempts to sign custom kernel even though EFI is not available
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: pesign (Show other bugs)
23
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Peter Jones
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-05 06:51 EST by Alessandro Selli
Modified: 2016-12-20 12:37 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-20 12:37:45 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Last 954 lines of output of command rpmbuild -bb --with baseonly --without debuginfo --target="$(uname -m)" kernel.spec (31.62 KB, text/plain)
2016-01-05 06:51 EST, Alessandro Selli
no flags Details
File /var/tmp/rpm-tmp.s3F6fw (15.92 KB, text/plain)
2016-01-05 06:57 EST, Alessandro Selli
no flags Details

  None (edit)
Description Alessandro Selli 2016-01-05 06:51:51 EST
Created attachment 1111807 [details]
Last 954 lines of output of command rpmbuild -bb --with baseonly --without debuginfo --target="$(uname -m)" kernel.spec

Description of problem:
Compilation of custom kernel from kernel-4.2.8-300.fc23.src.rpm following procedure detailed in https://fedoraproject.org/wiki/Building_a_custom_kernel fails with messages:

+ /usr/bin/pesign -c 'Red Hat Test Certificate' --certdir /etc/pki/pesign-rh-test -i arch/x86/boot/bzImage -o vmlinuz.signed -s
pesign: could not parse signature list in EFI binary
error: Bad exit status from /var/tmp/rpm-tmp.s3F6fw (%build)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.s3F6fw (%build)

File ~/rpmbuild/SPECS/kernel.spec installed by package file kernel-4.2.8-300.fc23.src.rpm contains lines:

%if %{signmodules}
BuildRequires: openssl
BuildRequires: pesign >= 0.10-4
%endif

...

    %if %{signmodules}
    # Sign the image if we're using EFI
    %pesign -s -i $KernelImage -o vmlinuz.signed
    if [ ! -s vmlinuz.signed ]; then
        echo "pesigning failed"
        exit 1
    fi

Package pesign-0.111-7.fc23.x86_64 is installed.

Sistem in use does not use EFI, but pesign is used nevertheless to sign the new kernel:
[alessandro@localhost ~]$ ls /sys/firmware/
acpi  dmi  memmap
[alessandro@localhost ~]$ dmesg | grep -i EFI
[    0.000000] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1910969940391419 ns
[alessandro@localhost ~]$ 

/boot filesystem was mounted and service pesign.service was started, but error still occures.

Version-Release number of selected component (if applicable):
kernel-4.2.8-300.fc23.src.rpm

How reproducible:
Always

Steps to Reproduce:
1. Compile custom kernel following procedure detailed in https://fedoraproject.org/wiki/Building_a_custom_kernel on an x86_64 machine without EFI.
2. Error is produced at the end of the run of the command:
rpmbuild -bb --with baseonly --without debuginfo --target="$(uname -m)" kernel.spec
3.

Actual results:
pesign: could not parse signature list in EFI binary
error: Bad exit status from /var/tmp/rpm-tmp.s3F6fw (%build)

Expected results:
No error, kernel RPM package should be produced.

Additional info:
Comment 1 Alessandro Selli 2016-01-05 06:57 EST
Created attachment 1111809 [details]
File /var/tmp/rpm-tmp.s3F6fw

File /var/tmp/rpm-tmp.s3F6fw, created by rpmbuild procedure, that caused error:
pesign: could not parse signature list in EFI binary
error: Bad exit status from /var/tmp/rpm-tmp.s3F6fw (%build)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.s3F6fw (%build)
Comment 2 Josh Boyer 2016-01-05 07:43:14 EST
The kernel is always signed by pesign.  We only build one kernel and it works for both EFI and non-EFI setups.  That isn't an error.  The error you are seeing from pesign needs to be reported against pesign.
Comment 3 Alessandro Selli 2016-01-05 08:46:30 EST
Updated summary line to reflect comment #2
Comment 4 Fedora End Of Life 2016-11-24 09:43:11 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 5 Fedora End Of Life 2016-12-20 12:37:45 EST
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.