On Thu, Jul 06, 2023 at 02:18:04PM -0000, Kamil Aronowski wrote:
> Thanks for the reply, Kevin. It means a lot to me, as I no longer
> feel alone with this issue. I'll try the mock configuration later on, so I do not
> overcomplicate things right now - once a basic config works for me, I'll then try
>
> I did try the strace method you suggested, and, as far as I can see,
> the socket can be accessed since 0 is returned. This is part of my listing:
>
> $ strace pesign-client --unlock --token "NSS Certificate DB" |& grep -i
> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
> access("/run//pesign/socket", R_OK) = 0
>
> I experimented a bit more, and via trial-and-error, I came to the conclusion that the
> pesign suite of tools has most likely had some regressions, as it used to have these
> historically. For instance, the one I mentioned earlier that I reported at:
>
> Why this conclusion? Let's take a deeper dive into this.
I can't really help you with upstream or RHEL versions. We run Fedora on
our builders, currently pesign-116-2.fc38.x86_64
> So after this research, I'd like to ask the following:
>
> - what is the output of the command `modutil -dbdir /etc/pki/pesign/ -list` run on the
> Koji build servers?
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services
     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

    library name: p11-kit-proxy.so
     slots: 1 slot attached
     slot: Alcor Micro AU9520 00 00
    token: OpenSC Card (Fedora Signer)
> - where is the entry "token: OpenSC Card (Fedora Signer)"
> located? Under "NSS Internal PKCS #11 Module" or under
>
> - what is the output of the command `ls /usr/share/p11-kit/modules/`?
>
> - are there any commands in the infrastructural Ansible
> playbooks/Salt states/shell scripts used for provisioning Koji builders that manipulate
> that directory directly or indirectly? If so, what are they?
All our ansible content is available at
Nothing touches the p11-kit dir that I can see.
> - does a command similar to `modutil -dbdir /etc/pki/pesign/ -default
> that changes the default provider for security mechanisms run during the provisioning
>
> - is filing issues on the `pesign` project's GitHub the proper
> way to keep in touch with the developers, or is another way preferred? For instance, file
> them directly at bugzilla.redhat.com
I don't know. I would think github.
> - if it's possible to redact secrets (usernames, passwords, etc.)
> from the provisioning specification (playbooks/states/scripts) the Fedora Project uses for
> these bootchain-related Koji servers, could these be shared with me, so I could replicate
> the configuration 1:1 (apart from the physical smartcard connected to the servers)?
See above. Do note that our builders are Fedora, not RHEL.
> I appreciate your help, Kevin. Thank you for everything!
Good luck! Sorry it's being such a pain...
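As an added example (not part of this thread and not pesign's or Fedora infra's code), a small POSIX shell helper that parses `modutil -list` output and reports which PKCS #11 module each token is registered under, which is exactly the "NSS internal module or p11-kit-proxy.so?" question raised in the thread. The embedded sample input is the listing from this reply, re-indented; `list_tokens` and `token_module` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: parse `modutil -dbdir <dir> -list` output and
# report which PKCS #11 module (numbered "N. Name" heading or "library name:" line)
# each token sits under. Useful when checking whether a smartcard token is reached
# through p11-kit-proxy.so or through the NSS internal module before pesign uses it.

# Sample input: the listing quoted in this reply, re-indented (uri:/status: lines absent).
SAMPLE_LISTING='Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services
     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB
    library name: p11-kit-proxy.so
     slots: 1 slot attached
     slot: Alcor Micro AU9520 00 00
    token: OpenSC Card (Fedora Signer)'

# list_tokens LISTING -> one "module<TAB>token" line per token, in listing order.
# A numbered heading starts a module; a "library name:" line relabels the module by its
# shared object, which is the more useful name for p11-kit-proxy.so.
list_tokens() {
    printf '%s\n' "$1" | awk '
        { sub(/[ \t]+$/, "") }                                        # drop trailing blanks
        /^[ \t]*[0-9]+\. /        { sub(/^[ \t]*[0-9]+\. /, ""); module = $0; next }
        /^[ \t]*library name: /   { sub(/^[ \t]*library name: /, ""); module = $0; next }
        /^[ \t]*token: /          { sub(/^[ \t]*token: /, ""); printf "%s\t%s\n", module, $0 }'
}

# token_module LISTING TOKEN -> the module TOKEN sits under, or "not found".
token_module() {
    list_tokens "$1" | awk -F "$(printf '\t')" -v want="$2" '
        $2 == want { print $1; found = 1; exit }
        END        { if (!found) print "not found" }'
}

# Against a live DB (needs nss-tools), e.g.:
#   token_module "$(modutil -dbdir /etc/pki/pesign/ -list)" "OpenSC Card (Fedora Signer)"
token_module "$SAMPLE_LISTING" "OpenSC Card (Fedora Signer)"   # prints p11-kit-proxy.so
```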