Bug 2223712 - pesign fails rather than asking for token's password
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: pesign
Version: 9.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Bootloader engineering team
QA Contact: Oliver Gutiérrez
Reported: 2023-07-18 15:29 UTC by sgardner
Modified: 2023-07-20 12:48 UTC

Type: Bug

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | rhboot pesign issues 105 | 0 | None | open | Regression: pesign fails rather than asking for token's password | 2023-07-18 15:33:11 UTC
Red Hat Issue Tracker | RHELPLAN-162621 | 0 | None | None | None | 2023-07-18 15:29:55 UTC

Description sgardner 2023-07-18 15:29:13 UTC
Description of problem:
The commit 12f16710ee44ef64ddb044a3523c3c4c4d90039a introduced a regression that makes pesign fail instantly instead of asking for a token's password.

This has been noted in upstream issue https://github.com/rhboot/pesign/issues/105.

Version-Release number of selected component (if applicable):
WORKS - pesign-113-21.el9
FAILS - pesign-114-2.el9

How reproducible:
Easily

Steps to Reproduce:
Additional information can be found at https://github.com/rhboot/pesign/issues/105

1. dnf install -y git rpmdevtools softhsm nss-tools pesign
2. mkdir -p $HOME/.config/softhsm2/tokens
3. echo "directories.tokendir = $HOME/.config/softhsm2/tokens" > $HOME/.config/softhsm2/softhsm2.conf
4. softhsm2-util --init-token --label HSM --so-pin Secret.123 --pin Secret.123 --free
5. git clone https://github.com/rhboot/shim.git
6. cd shim/
7. ./make-certs example
8. mkdir ~/.nssdb
9. pk12util -i example.p12 -d ~/.nssdb/ -h HSM
    Enter Password or Pin for "HSM": Secret.123
    Enter password for PKCS12 file:  (BLANK)
    pk12util: PKCS12 IMPORT SUCCESSFUL
10. cd ~
11. dnf download shim
12. rpmdev-extract shim-x64-*.x86_64.rpm
13. cd shim-x64-*.x86_64/boot/efi/EFI/redhat/
14. pesign --remove-signature --signature-number=0 --in=shimx64.efi --out=shimx64.efi.unsigned
15. pesign -t HSM -n ~/.nssdb -c example -i ~/shim-x64-*.x86_64/boot/efi/EFI/redhat/shimx64.efi.unsigned -o ~/shimx64.efi.example -s

Actual results:
# pesign -t HSM -n ~/.nssdb -c example -i ~/shim-x64-*.x86_64/boot/efi/EFI/redhat/shimx64.efi.unsigned -o ~/shimx64.efi.example -s
authentication failed for token "HSM": The security password entered is incorrect.
pesign: Could not find certificate example

Expected results:
# pesign -t HSM -n ~/.nssdb -c example -i ~/shim-x64-*.x86_64/boot/efi/EFI/redhat/shimx64.efi.unsigned -o ~/shimx64.efi.example -s
Enter Password or Pin for "HSM":

Additional info: I checked upstream package pesign-116-2, and this does NOT have a fix available.