[Bug 1194943] New: cert related kernel build breakages in 5.17 merge window
https://bugzilla.suse.com/show_bug.cgi?id=1194943

Bug ID: 1194943
Summary: cert related kernel build breakages in 5.17 merge window
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: mkubecek@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

The upcoming 5.17-rc1 breaks build in two different ways:

1. When building locally with "osc build" (i.e. signing key is not provided), the build fails with error like

certs/extract-cert certs/signing_key.x509
Usage: extract-cert <source> <dest>
make[2]: *** [/home/mike/work/git/kernel-upstream/certs/Makefile:78: certs/signing_key.x509] Error 2
make[1]: *** [/home/mike/work/git/kernel-upstream/Makefile:1831: certs] Error 2
make[1]: Leaving directory '/srv/ram/kobj'
make: *** [Makefile:219: __sub-make] Error 2

After mainline commit b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro"), make executes extract-cert with only one argument due to an unquoted empty string. (Easier way to reproduce this is to run sequence-patch.sh, change CONFIG_MODULE_SIG_KEY to an empty string like our kernel-*.spec do and run "make all" or "make certs").

As the trick with empty CONFIG_MODULE_SIG_KEY (used since bug 1187167) is recommended by (upstream) Documentation/kbuild/reproducible-builds.rst, I also reported this to upstream in https://lore.kernel.org/all/20220120094606.2skuyb26yjlnu66q@lion.mk-sys.cz/

2. When building in OBS, builds after mainline commit e06a61a89ccd ("certs: use if_changed to re-generate the key when the key type is changed") fail in a different way:

[ 42s] make[1]: *** Deleting file 'certs/signing_key.pem'
[ 42s] GENKEY certs/signing_key.pem
[ 42s] Generating a RSA private key
[ 42s] ..........................................................+++++
[ 42s] ..................+++++
[ 42s] writing new private key to 'certs/signing_key.pem'
[ 42s] -----
[ 42s] unable to find 'distinguished_name' in config
[ 42s] problems making Certificate Request
[ 42s] 140680883695552:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:273:group=req name=distinguished_name
[ 42s] make[1]: *** [../certs/Makefile:57: certs/signing_key.pem] Error 1
[ 42s] make: *** [../Makefile:1845: certs] Error 2
[ 42s] make: *** Waiting for unfinished jobs....

IIUC the problem here is that after rewriting the rule for signing_key.pem to if_changed based version, the rule is always invoked first time as there is no "previous command line" so that the trick introduced in kernel-source commit 6eb6cd2106c2 for bug 983634 (providing our key/certificate under default name and touching certs/x509.genkey to prevent regenerating it) no longer works. (The empty certs/x509.genkey created by touch is not valid for openssl.)

This can be observed in home:mkubecek:rc0 OBS project at the moment. It can be also reproduced locally with "osc build" by adding a key/certificate file as _projectcert.crt to the directory generated by tar-up.sh (e.g. a randomly generated one from a simple "make all" build of expanded tree).

I'm not sure if I understand the reason why we do this correctly. Does it still make sense to enforce using the default key/certificate file path when a key/certificate is supplied if we replace CONFIG_MODULE_SIG_KEY with empty string for builds where a key/certificate is not supplied?

--
You are receiving this mail because:
You are the assignee for the bug.
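
The argument-count failure from issue 1 in the report above, as an added shell sketch that is not part of the original report or of the kernel's certs/Makefile. `extract_cert_stub`, `recipe_unquoted` and `recipe_quoted` are hypothetical stand-ins, and the stub's handling of an empty source is an assumption of the sketch.

```shell
#!/bin/sh
# Stand-in for certs/extract-cert (hypothetical stub, not the kernel tool):
# it only reproduces the two-argument check behind the usage message.
extract_cert_stub() {
    if [ "$#" -ne 2 ]; then
        echo "Usage: extract-cert <source> <dest>" >&2
        return 2
    fi
    # Assumption of this sketch: an empty source means "no key supplied",
    # so an empty destination file is written.
    if [ -z "$1" ]; then
        : > "$2"
    else
        cat "$1" > "$2"
    fi
}

# Recipe shape that drops the argument: the empty value expands to no word.
recipe_unquoted() {
    key=$1; dest=$2
    # shellcheck disable=SC2086
    extract_cert_stub $key "$dest"
}

# Same recipe with the value quoted: the empty string stays an argument.
recipe_quoted() {
    key=$1; dest=$2
    extract_cert_stub "$key" "$dest"
}

# Constructed input: CONFIG_MODULE_SIG_KEY set to the empty string.
CONFIG_MODULE_SIG_KEY=""

demo() {
    tmp=$(mktemp -d) || return 1
    rc=0
    recipe_unquoted "$CONFIG_MODULE_SIG_KEY" "$tmp/a.x509" 2>/dev/null || rc=$?
    echo "unquoted: exit $rc"
    rc=0
    recipe_quoted "$CONFIG_MODULE_SIG_KEY" "$tmp/b.x509" || rc=$?
    echo "quoted: exit $rc"
    rm -rf "$tmp"
}
demo
```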
https://bugzilla.suse.com/show_bug.cgi?id=1194943#c1
Michal Kubeček
https://bugzilla.suse.com/show_bug.cgi?id=1194943#c2
--- Comment #2 from Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1194943#c3
Michal Kubeček
Thanks for the analysis.
Commit 68b36f0c70b30a1a88a68a9367acac72accb2861 in packaging changes to using non-default patch for the certificate. The code for adding the certificate is ancient so it may be trying to workaround some problem with Linux before 3.0.
It seems to work for 4.12 and 5.3 - no dots from generating key appear in build log.
It also works with current mainline (mainline commit 2c271fe77d52) in home:mkubecek:rc0 OBS project.

As for issue 1, it should be addressed by this patch:

http://lore.kernel.org/all/20220120192205.525103-2-masahiroy@kernel.org

I'm going to test it later today.

--
You are receiving this mail because:
You are the assignee for the bug.