Re: Has anything changed in terms of how to build a signed kernel semi-recently?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Am 29.05.23 um 13:58 schrieb Julian Sikorski:



Am 18.05.23 um 00:41 schrieb Julian Sikorski:

Am 17.05.23 um 23:35 schrieb Julian Sikorski:

Hello,
I tried building a signed 6.3 kernel today after a while (6.1 timeframe). Unfortunately, it appears that I am hitting some issues with pesign:
+ /usr/bin/pesign --certdir /etc/pki/pesign -t 'NSS Certificate DB' -c 'Julians Secure Boot signing key - Julian Sikorski' -s -i arch/x86/boot/bzImage -o vmlinuz.tmp pesign: Could not open NSS database ("security library: bad database."): Permission denied 

I have updated to F38 since but everything is still in place:
- pesign is running unlocked:
   $ sudo pesign-client -q
   token "NSS Certificate DB" is unlocked
- I run mock with hosts's pesign folders exposed:
   $ sudo cat /etc/mock/site-defaults.cfg | grep bind

config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign'))
- I run mock with --isolation=simple
Summing up, I am still following the same guide as before [1]. Were there any changes in the recent months which could influence this workflow? Thanks! 

Best regards,
Julian
[1] https://gist.github.com/chenxiaolong/520914b191f17194a0acdc0e03122e63 
Hi all,


I figured it out, looks like this commit is to blame:

https://github.com/rhboot/pesign/commit/d8a8c259994d0278c59b30b41758a8dd0abff998

I fixed it by adding myself to pesign group.

Best regards,
Julian
Now with mock-4.0 I am getting permission denied again. I do not want to be that guy, but aren't incompatible upgrades frowned upon during a single release? More importantly, how can I now configure mock so that it can use host's pesign and I can build signed kernel images again? 

Best regards,
Julian


I got it back to working order by downgrading mock and doing
$ mock -r fedora-38-x86_64 --scrub=all clean
Downgrading mock alone was not sufficient

Best regards,
Julian
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux