Bug 1827902 - pesign uses deprecated NSS DB format, leading to kernel build failing on Rawhide
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: pesign
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
Reported: 2020-04-25 10:19 UTC by Ondrej Mosnacek
Modified: 2020-07-21 15:07 UTC (History)

Fixed In Version: pesign-0.112-31.fc33
Last Closed: 2020-07-21 15:07:44 UTC
Type: Bug


Attachments
certs.tar.gz with sql database files (10.11 KB, application/x-bzip)
2020-06-02 09:49 UTC, Daiki Ueno

Description Ondrej Mosnacek 2020-04-25 10:19:54 UTC
Description of problem:
The latest Rawhide build of NSS removed support for the legacy DBM format [1]. Pesign still ships DBs in this old format and thus it becomes unusable with the new NSS and breaks kernel build on Rawhide.

[1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/YZ2UCDLZIFXRREYTAS6CPJQY54SCGNK7/


Version-Release number of selected component (if applicable):
pesign-0.112-30.fc33
nss-3.51.1-1.fc33

How reproducible:
100%

Steps to Reproduce:
1. Run a scratch build of kernel on x86_64 rawhide.

Actual results:
The build fails with:

+ /usr/bin/pesign -c 'Red Hat Test Certificate' --certdir /etc/pki/pesign-rh-test -i arch/x86/boot/bzImage -o vmlinuz.signed -s
pesign: Could not initialize nss.
NSS says "The certificate/key database is in an old, unsupported format." errno says "No such file or directory"
error: Bad exit status from /var/tmp/rpm-tmp.FGCBoV (%build)
RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.FGCBoV (%build)
Child return code was: 1

Example failed scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=43737603

Expected results:
Pesign doesn't fail the build.

Additional info:
There is a 2+ year old upstream ticket for this: https://github.com/rhboot/pesign/issues/34

Comment 1 Daiki Ueno 2020-06-02 09:49:38 UTC
Created attachment 1694375 [details]
certs.tar.gz with sql database files

Hello Peter,

Is there any blocker on this? I think only certs.tar.xz needs an update to have both sqlite and dbm database files. I'm attaching one I created with:

 $ fedpkg prep
 $ tar xf certs.tar.xz
 $ cd etc/pki
 $ certutil --merge -d pesign --source-dir pesign
 $ certutil --merge -d pesign-rh-test --source-dir pesign-rh-test
 $ cd -
 $ tar jcf certs.tar.xz etc

Comment 2 Javier Martinez Canillas 2020-06-08 16:34:46 UTC
(In reply to Daiki Ueno from comment #1)
> Created attachment 1694375 [details]
> certs.tar.gz with sql database files
> 
> Hello Peter,
> 
> Is there any blocker on this? I think only certs.tar.xz needs an update to
> have both sqlite and dbm database files. I'm attaching one I created with:
> 
>  $ fedpkg prep
>  $ tar xf certs.tar.xz
>  $ cd etc/pki
>  $ certutil --merge -d pesign --source-dir pesign
>  $ certutil --merge -d pesign-rh-test --source-dir pesign-rh-test
>  $ cd -
>  $ tar jcf certs.tar.xz etc

Thanks, in the end I just updated the certs.tar.xz to the SQLite database file format since there isn't really a reason to keep the old Berkeley DB.
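
The failure in the description comes from a certdir that holds only legacy DBM files. As an added example (not part of the bug report or of pesign), this script classifies certdirs by the standard NSS file names, cert8.db/key3.db for DBM and cert9.db/key4.db for SQLite, and flags any that an NSS built without DBM support could not open. The function names and the sample directories are constructed for illustration.

```shell
# Added example (not from the bug report): classify NSS certdirs by DB format.
# Legacy DBM stores use cert8.db + key3.db; SQLite stores use cert9.db + key4.db.

# True if FILE begins with the SQLite 3 file header.
is_sqlite() {
    [ -f "$1" ] && [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

# Print the format of certdir DIR: sql, dbm, both, invalid or none.
nss_db_format() {
    dbm=no; sql=no
    if [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then dbm=yes; fi
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then
        # Files named like the SQLite store must really be SQLite.
        if is_sqlite "$1/cert9.db" && is_sqlite "$1/key4.db"; then sql=yes
        else echo invalid; return 0; fi
    fi
    case "$dbm/$sql" in
        yes/yes) echo both ;;
        no/yes)  echo sql ;;
        yes/no)  echo dbm ;;
        *)       echo none ;;
    esac
}

# Report every DIR; return 1 if any would fail under an NSS without DBM support.
audit_certdirs() {
    rc=0
    for d in "$@"; do
        fmt=$(nss_db_format "$d")
        echo "$d: $fmt"
        case "$fmt" in sql|both) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample certdirs (placeholder contents, not real key material).
make_samples() {
    mkdir -p "$1/pesign" "$1/pesign-rh-test" "$1/renamed"
    printf 'SQLite format 3\0' > "$1/pesign/cert9.db"
    printf 'SQLite format 3\0' > "$1/pesign/key4.db"
    : > "$1/pesign-rh-test/cert8.db"; : > "$1/pesign-rh-test/key3.db"
    : > "$1/renamed/cert9.db"; : > "$1/renamed/key4.db"
}

demo=$(mktemp -d)
make_samples "$demo"
audit_certdirs "$demo"/* || echo "legacy or invalid NSS DB found"
rm -rf "$demo"
```
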

Comment 3 Zbigniew Jędrzejewski-Szmek 2020-07-18 14:07:48 UTC
F33 now has pesign-113-10.fc33, i.e. a later version. Can this be closed?

