Issue
Description of problem:
The commit 12f16710ee44ef64ddb044a3523c3c4c4d90039a introduced a regression that makes pesign fail instantly instead of asking for a token's password.
This has been noted in upstream issue https://github.com/rhboot/pesign/issues/105.
Version-Release number of selected component (if applicable):
WORKS - pesign-113-21.el9
FAILS - pesign-114-2.el9
How reproducible:
Easily
Steps to Reproduce:
Additional information can be found at https://github.com/rhboot/pesign/issues/105
1. dnf install -y git rpmdevtools softhsm nss-tools pesign
2. mkdir -p $HOME/.config/softhsm2/tokens
3. echo "directories.tokendir = $HOME/.config/softhsm2/tokens" > $HOME/.config/softhsm2/softhsm2.conf
4. softhsm2-util --init-token --label HSM --so-pin Secret.123 --pin Secret.123 --free
5. git clone https://github.com/rhboot/shim.git
6. cd shim/
7. ./make-certs example
8. mkdir ~/.nssdb
9. pk12util -i example.p12 -d ~/.nssdb/ -h HSM
Enter Password or Pin for "HSM": Secret.123
Enter password for PKCS12 file: (BLANK)
pk12util: PKCS12 IMPORT SUCCESSFUL
10. cd ~
11. dnf download shim
12. rpmdev-extract shim-x64-*.x86_64.rpm
13. cd shim-x64-*.x86_64/boot/efi/EFI/redhat/
14. pesign --remove-signature --signature-number=0 --in=shimx64.efi --out=shimx64.efi.unsigned
15. pesign -t HSM -n ~/.nssdb -c example -i ~/shim-x64*.x86_64/boot/efi/EFI/redhat/shimx64.efi.unsigned -o ~/shimx64.efi.example -s
Actual results:
pesign -t HSM -n ~/.nssdb -c example -i ~/shim-x64*.x86_64/boot/efi/EFI/redhat/shimx64.efi.unsigned -o ~/shimx64.efi.example -s
authentication failed for token "HSM": The security password entered is incorrect.
pesign: Could not find certificate example
Expected results:
pesign -t HSM -n ~/.nssdb -c example -i ~/shim-x64*.x86_64/boot/efi/EFI/redhat/shimx64.efi.unsigned -o ~/shimx64.efi.example -s
Enter Password or Pin for "HSM":
Additional info: I checked upstream package pesign-116-2, and this does NOT have a fix available.