A grub2 build for Fedora 40 worked, but on x86_64, signing of it failed. We think that was likely caused by bad permissions for the pesign socket on bkernel02; @kevin fixed that. Meanwhile, @pjones did a Rawhide grub2 build, which hit bkernel01, and seems to have worked OK. But after we fixed the socket thing, Peter tried another Fedora 40 grub2 build and this one outright failed. In the build logs we see:
```
+ /usr/bin/pesign-client -t 'OpenSC Card (Fedora Signer)' -c '/CN=Fedora Secure Boot Signer' -s -i grubx64.efi.orig -o grubx64.efi.onesig
pesign-client: signing failed: "pesignd starting (pid 852265)"
```
On the builder host - which was bkernel01, the same host that built the Rawhide grub2 successfully - I see this:
```
Nov 21 23:31:12 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer"
Nov 21 23:31:12 bkernel01.iad2.fedoraproject.org pesign[852265]: cms_common.c:find_certificate:624: Could not find token "OpenSC Card (Fedora Signer)": Certificate extension not found.
```
Note the PIDs match (852265). So...same build host, different result building grub2 for F40 vs. Rawhide. Looking at the logs for the Rawhide build, in the buildroot we see:
```
+ /usr/bin/pesign-client -t 'OpenSC Card' -c grub2-signer -s -i gcdia32.efi.onesig -o gcdia32.efi
```
and on the host around the time that build ran, I see:
```
Nov 21 23:15:02 bkernel01.iad2.fedoraproject.org pesign[852265]: searching for command 7
Nov 21 23:15:02 bkernel01.iad2.fedoraproject.org pesign[852265]: cmd-version: found command "sign-attached-with-file-type" version 0
Nov 21 23:15:02 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card:/CN=Fedora Secure Boot Signer"
Nov 21 23:15:04 bkernel01.iad2.fedoraproject.org pesign[852265]: searching for command 7
Nov 21 23:15:04 bkernel01.iad2.fedoraproject.org pesign[852265]: cmd-version: found command "sign-attached-with-file-type" version 0
Nov 21 23:15:04 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card:grub2-signer"
Nov 21 23:15:05 bkernel01.iad2.fedoraproject.org pesign[852265]: searching for command 7
Nov 21 23:15:05 bkernel01.iad2.fedoraproject.org pesign[852265]: cmd-version: found command "sign-attached-with-file-type" version 0
Nov 21 23:15:05 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card:grub2-signer"
Nov 21 23:15:29 bkernel01.iad2.fedoraproject.org pesign[852265]: searching for command 7
Nov 21 23:15:29 bkernel01.iad2.fedoraproject.org pesign[852265]: cmd-version: found command "sign-attached-with-file-type" version 0
Nov 21 23:15:29 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card:/CN=Fedora Secure Boot Signer"
Nov 21 23:15:31 bkernel01.iad2.fedoraproject.org pesign[852265]: searching for command 7
Nov 21 23:15:31 bkernel01.iad2.fedoraproject.org pesign[852265]: cmd-version: found command "sign-attached-with-file-type" version 0
Nov 21 23:15:31 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card:/CN=Fedora Secure Boot Signer"
Nov 21 23:15:32 bkernel01.iad2.fedoraproject.org pesign[852265]: searching for command 7
Nov 21 23:15:32 bkernel01.iad2.fedoraproject.org pesign[852265]: cmd-version: found command "sign-attached-with-file-type" version 0
Nov 21 23:15:32 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card:grub2-signer"
Nov 21 23:15:34 bkernel01.iad2.fedoraproject.org pesign[852265]: searching for command 7
Nov 21 23:15:34 bkernel01.iad2.fedoraproject.org pesign[852265]: cmd-version: found command "sign-attached-with-file-type" version 0
Nov 21 23:15:34 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card:grub2-signer"
```
Note the difference between this from the F40 build:
```
Nov 21 23:31:12 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer"
```
and this from the Rawhide build:
```
Nov 21 23:15:02 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card:/CN=Fedora Secure Boot Signer"
```
I suspect this is the bug Peter fixed in https://src.fedoraproject.org/rpms/pesign/c/8b1bcf2332ace11c2c4afc264fe44a2ec7b2044d?branch=rawhide , and the problem here is that pesign inside the mock build environment needs to match opensc on the build host. And since the build hosts are now F41 with opensc 0.26.0, that means we need the fixed pesign on every branch we want to build for - so, probably, F40 and F41 as well as Rawhide (we can maybe forget about F39 as it's almost EOL?)
If that's right, we have a build for F41 now, but it needs an update. We also need a build and update for F40. We then need to karma bomb those updates to get them stable ASAP, and/or create buildroot overrides for them.
When do you need this? (YYYY/MM/DD) ASAP
When is this no longer needed or useful? (YYYY/MM/DD) N/A
If we cannot complete your request, what is the impact? Can't build SB-signed things for F39, F40 or F41, probably
CC @nfrayer
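The token-name drift described above can be caught mechanically from the pesignd journal: group "attempting to sign with key" lines by PID, collect the token names pesignd reported it could not find, and report any request that used a missing token next to the token names that did resolve on the same host. This is an added example, not pesign's or the Fedora infra team's own tooling; the journal lines are constructed from the ones quoted in this ticket.

```python
import re

# Constructed sample journal, modelled on the lines quoted in the ticket.
SAMPLE_JOURNAL = """\
Nov 21 23:15:02 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card:/CN=Fedora Secure Boot Signer"
Nov 21 23:15:04 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card:grub2-signer"
Nov 21 23:31:12 bkernel01.iad2.fedoraproject.org pesign[852265]: attempting to sign with key "OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer"
Nov 21 23:31:12 bkernel01.iad2.fedoraproject.org pesign[852265]: cms_common.c:find_certificate:624: Could not find token "OpenSC Card (Fedora Signer)": Certificate extension not found.
"""

# pesignd logs the key as "<token>:<certificate nickname>"; the token name
# (NSS/PKCS#11 token label) comes first, so split on the first colon only.
ATTEMPT_RE = re.compile(r'pesign\[(\d+)\]: attempting to sign with key "([^"]+)"')
NOTFOUND_RE = re.compile(r'pesign\[(\d+)\]: .*Could not find token "([^"]+)"')


def parse_journal(journal):
    """Return (attempts, missing): signing attempts as (pid, token, cert)
    tuples in log order, and the set of token labels pesignd could not find."""
    attempts, missing = [], set()
    for line in journal.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            token, _, cert = m.group(2).partition(":")
            attempts.append((m.group(1), token, cert))
            continue
        m = NOTFOUND_RE.search(line)
        if m:
            missing.add(m.group(2))
    return attempts, missing


def token_mismatches(journal):
    """List every attempt that named a token pesignd could not find, together
    with the token labels that other attempts on the same PID did resolve.
    An empty list means no token-name mismatch was seen."""
    attempts, missing = parse_journal(journal)
    resolved_by_pid = {}
    for pid, token, _ in attempts:
        if token not in missing:
            resolved_by_pid.setdefault(pid, set()).add(token)
    return [
        {"pid": pid, "requested": token, "cert": cert,
         "resolved_on_host": sorted(resolved_by_pid.get(pid, ()))}
        for pid, token, cert in attempts if token in missing
    ]


if __name__ == "__main__":
    for finding in token_mismatches(SAMPLE_JOURNAL):
        print(finding)
```

Run it against `journalctl -u pesign` output from the builder (or anything else that preserves the pesignd lines) to see which token label the chroot's pesign-client asked for versus which one the host's opensc actually exposes.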
Yeah, there's two issues...
BTW. I think this is due to: https://github.com/OpenSC/OpenSC/commit/259decf656a77a6d1bd3e944d6f198ed70832ff5
Which seems like a really bad idea, but oh well.
and
> the problem here is that pesign inside the mock build environment needs to match opensc on the build host.
I think it's somewhat more like the opensc versions all need to match, but at this point because of that workaround, that means the pesign versions also need to match.
I'd be lying if I said I was sure, though.
So, issue 1 (the opensc name change thing). That's opensc on the builders (the now f41 one) that messes up/changes the name. All the builds need to adjust for that since it's on the host/builder, and then imported into the chroot via a bind mount. So, all pesign versions in the chroot/build need to adjust/match this new opensc.
I think I have the permission issue sorted. For some reason I must not have run the playbook after the last set of restarting things, so the socket didn't have the 'kojibuilder' acl. Both of them now correctly have this and I can access it from a mock chroot on them, so I think that part is working now (but of course I could be wrong).
Yeah, I think it's worth a shot at least trying to just get the new pesign with the detection logic in all releases, and see if that makes things work. If not, then we can try and get opensc in sync :\
Metadata Update from @phsmoura:
- Issue tagged with: medium-gain, medium-trouble, ops
so, uh, did we circle back and figure out whether this is all working ok now? pesign builds for f40 and f41 will go stable tomorrow, and I actually filed BROs for both of them so they've been in the buildroot since they were built. Did we test any builds?
Yes....
"[07:29:28] <jforbes> builders seem to be working. Augusto built F41 and F40 kernels"
So, I think this is all back to 'normal' now with the pesign changes to work around the opensc silliness.
Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)