Description of problem: The latest Rawhide build of NSS removed support for the legacy DBM format [1]. Pesign still ships DBs in this old format and thus it becomes unusable with the new NSS and breaks kernel build on Rawhide. [1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/YZ2UCDLZIFXRREYTAS6CPJQY54SCGNK7/ Version-Release number of selected component (if applicable): pesign-0.112-30.fc33 nss-3.51.1-1.fc33 How reproducible: 100% Steps to Reproduce: 1. Run a scratch build of kernel on x86_64 rawhide. Actual results: The build fails with: + /usr/bin/pesign -c 'Red Hat Test Certificate' --certdir /etc/pki/pesign-rh-test -i arch/x86/boot/bzImage -o vmlinuz.signed -s pesign: Could not initialize nss. NSS says "The certificate/key database is in an old, unsupported format." errno says "No such file or directory" error: Bad exit status from /var/tmp/rpm-tmp.FGCBoV (%build) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.FGCBoV (%build) Child return code was: 1 Example failed scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=43737603 Expected results: Pesign doesn't fail the build. Additional info: There is a 2+ years old upstream ticket for this: https://github.com/rhboot/pesign/issues/34
Created attachment 1694375 [details] certs.tar.gz with sql database files Hello Peter, Is there any blocker on this? I think only certs.tar.xz needs an update to have both sqlite and dbm database files. I'm attaching one I created with: $ fedpkg prep $ tar xf certs.tar.xz $ cd etc/pki $ certutil --merge -d pesign --source-dir pesign $ certutil --merge -d pesign-rh-test --source-dir pesign-rh-test $ cd - $ tar jcf certs.tar.xz etc
(In reply to Daiki Ueno from comment #1) > Created attachment 1694375 [details] > certs.tar.gz with sql database files > > Hello Peter, > > Is there any blocker on this? I think only certs.tar.xz needs an update to > have both sqlite and dbm database files. I'm attaching one I created with: > > $ fedpkg prep > $ tar xf certs.tar.xz > $ cd etc/pki > $ certutil --merge -d pesign --source-dir pesign > $ certutil --merge -d pesign-rh-test --source-dir pesign-rh-test > $ cd - > $ tar jcf certs.tar.xz etc Thanks, at the end I just updated the certs.tar.xz to the SQLite database file format since there isn't really a reason to keep the old Berkeley DB.
F33 now has pesign-113-10.fc33, i.e. a later version. Can this be closed?