Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1483159
There's a point during the ipa-server-install process where it tries to use `/usr/bin/signtool` to sign a Firefox extension. According to rcrit, this extension isn't even used any more. In Fedora 27+, signtool is no longer supported: https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation and the binary has been moved to `%{_libdir}/nss/unsupported-tools/` instead of `/usr/bin/`, so the script will blow up as soon as it reaches this point. It sounds like the 'correct' fix here is just to get rid of all the stuff dealing with this extension, if it's really no longer used, rather than find a different way to sign it.

Nominating as an F27 Beta blocker, as this breaks FreeIPA server deployment: "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried." - https://fedoraproject.org/wiki/Fedora_27_Alpha_Release_Criteria#Role_definition_requirements . Domain controller is a release-blocking role.

Note this change was also mistakenly sent to Fedora 26 in a candidate update, but openQA caught the breakage of FreeIPA and we were able to avoid the update going stable: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3f11b3237a#comment-648102 . The update has now been revised so signtool is not moved (the change will happen only in F27+).
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1483159
last usage of signtool was removed in 6c53765 but there is still some garbage to remove
Metadata Update from @pvoborni: - Issue assigned to pvoborni
Metadata Update from @pvoborni: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1034
Metadata Update from @pvoborni: - Issue priority set to: major
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.6.1 (was: FreeIPA 4.6)
master:
ipa-4-6:
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
See also https://pagure.io/freeipa/issue/7226 which removes remaining vestiges of the Firefox plugin, JAR signing profile, etc.