Description of problem:
The latest Rawhide build of NSS removed support for the legacy DBM format. Pesign still ships DBs in this old format and thus it becomes unusable with the new NSS and breaks the kernel build on Rawhide.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run a scratch build of kernel on x86_64 rawhide.
The build fails with:
+ /usr/bin/pesign -c 'Red Hat Test Certificate' --certdir /etc/pki/pesign-rh-test -i arch/x86/boot/bzImage -o vmlinuz.signed -s
pesign: Could not initialize nss.
NSS says "The certificate/key database is in an old, unsupported format." errno says "No such file or directory"
error: Bad exit status from /var/tmp/rpm-tmp.FGCBoV (%build)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.FGCBoV (%build)
Child return code was: 1
Example failed scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=43737603
Pesign doesn't fail the build.
There is a 2+ years old upstream ticket for this: https://github.com/rhboot/pesign/issues/34
Created attachment 1694375
certs.tar.gz with sql database files
Is there any blocker on this? I think only certs.tar.xz needs an update to have both sqlite and dbm database files. I'm attaching one I created with:
$ fedpkg prep
$ tar xf certs.tar.xz
$ cd etc/pki
$ certutil --merge -d pesign --source-dir pesign
$ certutil --merge -d pesign-rh-test --source-dir pesign-rh-test
$ cd -
$ tar jcf certs.tar.xz etc
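
A check for the failure described in this report, as an added example that is not part of the original comment or of pesign: it classifies an NSS certificate directory by the database files present (legacy DBM uses cert8.db and key3.db, SQLite uses cert9.db and key4.db), so a repacked certs.tar.xz can be verified before a build. The function names are hypothetical; the directory names in the usage note come from the commands above.

```shell
#!/bin/sh
# Added example: classify an NSS certificate directory by database format.
#   Legacy DBM format: cert8.db, key3.db (plus secmod.db)
#   SQLite format:     cert9.db, key4.db (plus pkcs11.txt)
# Function names are hypothetical, not part of NSS or pesign.

is_sqlite() {
    # A SQLite 3 file begins with the ASCII bytes "SQLite format 3".
    [ -f "$1" ] && [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

# nss_db_format DIR: prints one of sql, dbm, both, none
nss_db_format() {
    dir=$1
    has_sql=no
    has_dbm=no
    if is_sqlite "$dir/cert9.db" && is_sqlite "$dir/key4.db"; then
        has_sql=yes
    fi
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        has_dbm=yes
    fi
    case "$has_sql$has_dbm" in
        yesyes) echo both ;;
        yesno)  echo sql ;;
        noyes)  echo dbm ;;
        *)      echo none ;;
    esac
}

# check_certdirs ROOT NAME...: returns non-zero if any listed directory
# has no usable SQLite databases (the case an NSS without DBM support rejects).
check_certdirs() {
    root=$1; shift
    rc=0
    for name in "$@"; do
        fmt=$(nss_db_format "$root/$name")
        echo "$name: $fmt"
        case "$fmt" in
            sql|both) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}
```

After unpacking the tarball, `check_certdirs etc/pki pesign pesign-rh-test` reports the format of each directory and fails if either one is DBM-only or empty.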
(In reply to Daiki Ueno from comment #1)
> Created attachment 1694375
> certs.tar.gz with sql database files
> Hello Peter,
> Is there any blocker on this? I think only certs.tar.xz needs an update to
> have both sqlite and dbm database files. I'm attaching one I created with:
> $ fedpkg prep
> $ tar xf certs.tar.xz
> $ cd etc/pki
> $ certutil --merge -d pesign --source-dir pesign
> $ certutil --merge -d pesign-rh-test --source-dir pesign-rh-test
> $ cd -
> $ tar jcf certs.tar.xz etc
Thanks, in the end I just updated the certs.tar.xz to the SQLite database file format since there isn't really a reason to keep the old Berkeley DB.
F33 now has pesign-113-10.fc33, i.e. a later version. Can this be closed?