Created attachment 1700623 [details]
build.log

Description of problem:

$ fedpkg mockbuild --mock-config fedora-rawhide-x86_64
Downloading linux-20200708gitdcde237b9b0e.tar.xz
######################################################################## 100.0%
Downloading kernel-abi-whitelists-5.8.0-0.rc4.20200708gitdcde237b9b0e.1.tar.bz2
######################################################################## 100.0%
Downloading kernel-kabi-dw-5.8.0-0.rc4.20200708gitdcde237b9b0e.1.tar.bz2
######################################################################## 100.0%
setting SOURCE_DATE_EPOCH=1594166400
Wrote: /home/mikhail/packaging-work/kernel/kernel-5.8.0-0.rc4.20200708gitdcde237b9b0e.1.fc33.src.rpm
INFO: mock.py version 2.3 starting (python version = 3.9.0)...
Start(bootstrap): init plugins
***
+ echo 'Warning: no pesign socket even though user is mockbuild'
Warning: no pesign socket even though user is mockbuild
+ echo 'Warning: if this is a non-scratch koji build, this is wrong'
Warning: if this is a non-scratch koji build, this is wrong
+ ls -ld /run/pesign
ls: cannot access '/run/pesign': No such file or directory
+ :
+ ls -l /run/pesign/socket
ls: cannot access '/run/pesign/socket': No such file or directory
+ :
+ getfacl /run/pesign
getfacl: /run/pesign: No such file or directory
+ :
+ getfacl /run/pesign/socket
getfacl: /run/pesign/socket: No such file or directory
+ :
+ ls -ld /var/run/pesign
ls: cannot access '/var/run/pesign': No such file or directory
+ :
+ ls -l /var/run/pesign/socket
ls: cannot access '/var/run/pesign/socket': No such file or directory
+ :
+ getfacl /var/run/pesign
getfacl: /var/run/pesign: No such file or directory
+ :
+ getfacl /var/run/pesign/socket
getfacl: /var/run/pesign/socket: No such file or directory
+ :
+ '[' 0 -ge 7 ']'
+ '[' -n '' ']'
+ /usr/bin/pesign --certdir /etc/pki/pesign -c redhatsecureboot003 -s -i arch/x86/boot/bzImage -o vmlinuz.signed
pesign: Could not open NSS database ("security library: bad database."): Permission denied
error: Bad exit status from /var/tmp/rpm-tmp.FUZa4t (%build)
This is the official Fedora documentation on how to build a custom kernel, in case you haven't seen it. https://fedoraproject.org/wiki/Building_a_custom_kernel It looks like for your use case you could just install pesign-rh-test-certs to be sure that the rh-test-cert is installed, then pesign will use that.
You probably are aware of this already, but just in case, there is *no* security in using the rh-test-cert. It is only for testing.
- The first question: should pesign be installed on the host machine or in the mock build container?

[root@localhost ~]# dnf install fedpkg fedora-packager rpmdevtools ncurses-devel pesign grubby
Last metadata expiration check: 1:28:32 ago on Wed 15 Jul 2020 10:52:32 PM +05.
Package fedpkg-1.38-5.fc33.noarch is already installed.
Package fedora-packager-0.6.0.4-1.fc33.noarch is already installed.
Package rpmdevtools-8.10-11.fc33.noarch is already installed.
Package ncurses-devel-6.2-2.20200222.fc33.x86_64 is already installed.
Package pesign-113-8.fc33.x86_64 is already installed.
Package grubby-8.40-46.fc33.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

Ok, anyway I see that it is always installed in mock by the `BuildRequires` option in the spec file. And I also installed pesign on the host machine.

- Second question: should the pesign service be started manually? Ok, I can start pesign on the host machine with `# systemctl start pesign.service`, but what about the mock container? Should the spec file do this, or should the host pesign service be used, in which case the mock config should forward the necessary sockets?
I can't answer your questions as I am unfamiliar with mock. But I agree with you, mock is not performing properly. Maybe you should open a ticket against mock rather than the kernel, asking for integration with pesign. It seems that it is not working correctly. At the least you will get someone with some expertise to look at the problem.
When I check the build.log on koji, e.g. https://kojipkgs.fedoraproject.org//packages/kernel/5.8.0/0.rc5.1.fc33/data/logs/x86_64/root.log, it contains:

DEBUG util.py:215: ensuring that dir exists: /var/run/pesign
DEBUG util.py:215: ensuring that dir exists: /var/lib/mock/f33-build-21536075-1720031/root/var/run/pesign
DEBUG util.py:218: creating dir: /var/lib/mock/f33-build-21536075-1720031/root/var/run/pesign
DEBUG util.py:215: ensuring that dir exists: /var/lib/mock/f33-build-21536075-1720031/root/var/run/pesign

Which is not what Mock normally does. fedpkg mock-config does not reveal anything special. Not sure what magic is in place.
Fedora signs officially built x86_64 kernels. It does this by running pesign on the x86_64 kernel builder and bind mounting the socket used to communicate with it into the mock chroot. Then builds talk to the socket, which talks to the pesign on the builder, which in turn uses a smart card to sign things for the build.

config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign' ))

In the past the kernel was set up so that if it wasn't able to read/talk to pesign, it would just sign with a dummy test certificate. I suspect this might be related to the https://fedoraproject.org/wiki/Changes/NSSDBMRemoval change which broke pesign for a while...
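The two signing paths described in this comment (the bind-mounted pesign daemon socket on a Koji builder, and local signing against an NSS database with the test certificate) can be told apart before pesign is ever invoked, which is what the %build log above fails to do: it only reports "bad database" / "Permission denied". The following is an added example written for this bug thread; it is not code from the Fedora kernel spec or from pesign. It assumes the socket path /var/run/pesign/socket and certdir /etc/pki/pesign shown in the log, the cert nickname `redhatsecureboot003` from the log, and uses a placeholder token name `"Fedora Signer"` for the daemon path, which is an assumption and not the real builder's token.

```shell
#!/bin/sh
# Added example for this bug report; not from the kernel spec or pesign.
# Decide how a kernel %build should sign bzImage: through the pesign daemon
# socket that mock bind-mounts into the chroot on Koji builders, or locally
# against an NSS database holding the test cert. Fail with a readable reason
# instead of letting pesign print "security library: bad database".

# pesign_plan SOCKET_PATH CERTDIR
# Prints one of: daemon, local, none. Returns 1 for none.
pesign_plan() {
    sock=$1
    certdir=$2
    # The daemon path only works if the socket exists inside the chroot and
    # the build user can write to it (Koji bind-mounts /var/run/pesign; a
    # plain `fedpkg mockbuild` has no such mount, hence the log's warning).
    if [ -e "$sock" ] && [ -w "$sock" ]; then
        echo daemon
        return 0
    fi
    # Local signing needs a readable NSS database in certdir: cert9.db/key4.db
    # (sqlite, the format after the NSSDBMRemoval change) or cert8.db/key3.db
    # (legacy dbm). A directory that exists but is unreadable by the build
    # user produces exactly the "Permission denied" seen in the log.
    for db in "$certdir/cert9.db" "$certdir/cert8.db"; do
        if [ -r "$db" ]; then
            echo local
            return 0
        fi
    done
    echo none
    return 1
}

# pesign_cmd PLAN TOKEN CERT_NICK INFILE OUTFILE CERTDIR
# Builds (does not run) the signing command for the chosen plan.
pesign_cmd() {
    plan=$1 token=$2 nick=$3 in=$4 out=$5 certdir=$6
    case $plan in
        daemon)
            # pesign-client speaks to the daemon over the socket; the key
            # never leaves the builder's smart card.
            echo "pesign-client -t \"$token\" -c \"$nick\" -s -i \"$in\" -o \"$out\""
            ;;
        local)
            # Same invocation as in the log, against a local NSS database.
            echo "pesign --certdir \"$certdir\" -c \"$nick\" -s -i \"$in\" -o \"$out\""
            ;;
        *)
            echo "no usable pesign signing path" >&2
            return 1
            ;;
    esac
}

# Stand-alone usage mirroring the log's paths. Token name is a placeholder.
if [ "${0##*/}" = "pesign_plan.sh" ]; then
    plan=$(pesign_plan /var/run/pesign/socket /etc/pki/pesign) || {
        echo "Warning: no pesign socket and no readable NSS database" >&2
        exit 1
    }
    pesign_cmd "$plan" "Fedora Signer" redhatsecureboot003 \
        arch/x86/boot/bzImage vmlinuz.signed /etc/pki/pesign
fi
```

The daemon branch corresponds to a real Koji build; the local branch is what `pesign-rh-test-certs` enables for a scratch or personal mockbuild, and, as the earlier comment notes, carries no security value beyond testing.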
As I said on list, this was due to pesign issues that were in the process of being debugged. Rawhide pesign as of this afternoon (-10) should be able to build locally now.
Created attachment 1701713 [details]
build.log

I was able to build kernel 5.8.0-0.rc5.20200717git07a56bb875af.1.fc33.x86_64 with pesign 113-10.fc33.
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle. Changing version to 33.