http://bugzilla.opensuse.org/show_bug.cgi?id=1046158 http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c2 --- Comment #2 from Egbert Eich --- The pesign-obs-integration package is pulled into the OpenHPC build already as can be seen from the line [ 107s] [164/165] installing pesign-obs-integration-10.0-29.1 pulled from the link in the description. I may have misunderstood - I was under the impression that the # needssslcertforbuild should only be used when a signing server is active. I will tell the openHPC folks to branch the package and build it with this line added and see if this helps. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1046158 http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c5 Egbert Eich changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(mmarek@suse.com) --- Comment #5 from Egbert Eich --- Ok, I've passed the information to copypac/linpac the pesign-obs-integration integration package into the build project to OpenHPC now. Along with it, I passed information how to interconnect build services - so they can connect directly to oS OBS (which may be useful for other thins as well). Wouldn't it be possible that a module built with the pesign-obs-integration containing the 'canned SLE12 certificate' to spit out a big warning together with an explanation of what to do and fail the build? The only explanation it spits out is to add the '# needssslcertforbuild' magic, which obviously isn't enough. This warning also doesn't go away after adding the ine. So this is a bit confusing already. But let's see what comes out of OpenHPC tests. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1046158 http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c11 --- Comment #11 from Karl Schulz --- (In reply to Michal Marek from comment #10)

As to new SP2 requirement, this has been required since SLE11 SP3 and throughout the whole SLE12 series, but maybe you only started to build kernel modules now?

Actually, we used OBS to build Lustre kernel modules that loaded fine in SLE12 SP1. This seemed to first crop up for us with SP2. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1046158 http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c15 Egbert Eich changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(eich@suse.com) |needinfo?(adrian@suse.com) --- Comment #15 from Egbert Eich --- Some clarifications: One difference is that older versions of this package (ie spec file) did not use the %kernel_module_package macro for building a KMP. Therefore the 2nd stage of the module package build which adds the signatures never ran. This version of spec file was used to created packages for SLES-12 SP1. Karl and I got a bit further on this - since the discussion was started on emailI never updated it. Michal's comment #8 and the fact that this key never existed on Karl's system made me google a bit and I cane up with: http://opensuse.14.x6.nabble.com/Build-failure-due-to-a-missing-RSA-key-td50... Running an 'osc signkey --create' in this package directory will create a gpg key for this package which will then be used to generate the ssl certificate when needed. This did work for Karl, however, now he has a different gpg key for this package than the system wide one. So the next question was how to make use of the system wide key. Since I was unable to answer this, I've added Adrian to Cc:, however, I've not seen any feedback from him. I do assume he's on vacation. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1046158 http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c18 --- Comment #18 from Egbert Eich --- (In reply to Adrian Schröter from comment #17)

An OBS admin could of course copy the key from one project to another one, but the question is then if you don't break the idea of secure boot kernels.

If you really want to copy the key, you need to copy on your source server the _pubkey and _signkey file in /srv/obs/projects/$PROJECT.pkg/ . Afterwards you need to generate the _sslcert using

osc signkey --sslcert $project

or regenerate it if an old one is there using

osc signkey --extend $project

However, I think it makes more sense just to disable the secure boot option as this basically breaks the idea.

Thanks Adrian! So the suggestion now is to disable the signing completely. Karl, would this be an option? I guess, the easiest way to achieve this would be to remove: BuildRequires: pesign-obs-integration in the spec file. -- You are receiving this mail because: You are on the CC list for the bug.