Regression: pesign fails rather than asking for token's password #105
Comments
I think I'm hitting this too...

I also encountered a similar problem, maybe you can solve it like this
@wynnfeng, this works fine for a usage, e.g., directly from an interactive shell, but I'm more concerned about the process, where I tried my best, and if this was that simple, I could well have used a Process Substitution Bashism or export the

In regard to the aforementioned variable, AFAIK it's undocumented in the official manuals, so I created a PR for this, but I wish this was already written officially. I guess we'll have to wait and rely on less-than-official community guides. Not that I'm blaming the pesign developers for this, because most likely their managers consider this to not be a priority during working hours.

Or I could use the client-server mode, that is, the
Fixes: github issue rhboot#105
Fixes: 12f1671 (Rework the wildly undocumented NSS password file goo.)
Complements: 1a4481e (Add more ways to use a password with the token)
Signed-off-by: Egor Ignatov <egori@altlinux.org>
The commit 12f16710ee44ef64ddb044a3523c3c4c4d90039a introduced a regression that makes pesign fail instantly instead of asking for a token's password.

Please perform the following steps to verify the behavior on Red Hat Enterprise Linux 9.1:

1. Install the prerequisites:
2. Initialize a SoftHSM token:
3. Create a .p12 file and import it to the token:
4. Get a binary that will be used for testing with pesign - I chose shim in this example:
5. Install the packages required to build the good and bad pesigns:
6. Witness the good and bad behavior yourself:
This report mentions Red Hat Enterprise Linux 9.1 and shim for a good reason.

To sum it up: the entities that sign their shims with hardware tokens on RHEL and its replicas need to either:

- pesign release 113-21 which comes with e.g. CVE-2022-3560, so they need to secure their environments on another layer

The latter can be realized fairly easily in some cases like mine, e.g. having only a limited number of trusted individuals being able to access the machine that performs the signing, so no one would utilize this CVE.