[SOLVED] Linux-git and linux-mainline don't compile because cert issue

proledatarian · 2023-06-23 23:56:31

Neither linux-git nor linux-mainline successfully compile but fail during build process.

This post might also suit the AUR subforum, so feel free to move my post. But the errors appear when I install using the AUR-helper yay and when I install manually using makepkg -si.

The one error during compilation is the following:

At main.c:164:
- SSL error:0480006C:PEM routines::no start line: crypto/pem/pem_lib.c:763
extract-cert: certs/signing_key.pem: Success
make[2]: *** [certs/Makefile:74: certs/signing_key.x509] Error 1
make[2]: *** Deleting file 'certs/signing_key.x509'
make[1]: *** [scripts/Makefile.build:494: certs] Error 2
make[1]: *** Waiting for unfinished jobs....

The build process actually halts with the following error:

  CC [M]  fs/xfs/scrub/agheader_repair.o
  CC [M]  fs/xfs/scrub/repair.o
  LD [M]  fs/xfs/xfs.o
make: *** [Makefile:2026: .] Error 2
==> ERROR: A failure occurred in build().
    Aborting...
 -> error making: linux-git-exit status 4

The mentioned line from the Makefile is this:

2024 | PHONY += $(build-dir)
2025 | $(build-dir): prepare
2026 |   $(Q)$(MAKE) $(build)=$@ need-builtin=1 need-modorder=1 $(single-goals)

Building both kernels produce the same errors as mentioned here and here.

Building in a clean chroot is successful though.

My system is up-to-date, I have disabled and downgraded from the ALHP-mirrors I usually use and I have tried with a new user.

I looked around and found this patch, but can't make sense of it. But I suspect it has something to do with my global OpenSSL certificates and the kernel's config. But not sure whether it's even helpful.

I'd just like to find out what the error is, mostly out of curiosity.

Last edited by proledatarian (2023-07-01 12:17:09)

loqs · 2023-06-24 10:53:33

proledatarian wrote:

Building in a clean chroot is successful though.
My system is up-to-date, I have disabled and downgraded from the ALHP-mirrors I usually use and I have tried with a new user.
I looked around and found this patch, but can't make sense of it. But I suspect it has something to do with my global OpenSSL certificates and the kernel's config. But not sure whether it's even helpful.

Have you changed anything in /etc/ssl/openssl.cnf? In which case prepending OPENSSL_CONF= to makepkg so any empty openssl.cnf is used may work. If not it would appear the changes you made to the certificates themselves would be the cause.

Last edited by loqs (2023-06-24 10:53:47)

proledatarian · 2023-06-24 14:03:26

No, I haven't changed anything in the config file.

loqs · 2023-06-24 14:23:21

Please post the full output from a failed build invoked using `makepkg -sC`. Would you be able to temporarily revert you changes to the certificate while building linux?
Edit:
Also the output of the following please

$ pacman -Qikk
$ type -a openssl
$ openssl version -d

The following would temporarily bind the ssl directory from a clean chroot over the system's ssl directory (source path may need to be adjusted):

# mount -o bind /var/lib/archbuild/extra-x86_64/root/etc/ssl/ /etc/ssl

Last edited by loqs (2023-06-24 14:55:44)

proledatarian · 2023-06-24 15:24:23

Thanks, here's the output of pacman -Qikk.

$ type -a openssl
openssl is /usr/local/bin/openssl
openssl is /usr/bin/openssl

$ openssl version -d
OPENSSLDIR: "/etc/ssl"

And here are the log of prepare and build.

loqs · 2023-06-24 15:42:02

openssl is /usr/local/bin/openssl

What if you remove this openssl install under the /usr/local prefix?

proledatarian · 2023-06-25 18:10:02

Nope, unfortunately still failing with the same error.

loqs · 2023-06-25 18:18:16

If bind mounting over /etc/ssl produces the same error, in build() please change:

  _make htmldocs all

to:

  _make all V=1

To produce more verbose output and stop htmldocs from being built.

Have you changed anything in the kernel config for either packages?

proledatarian · 2023-06-25 19:47:21

Binding /etc/ssl does produce the same error.

And there is no _make htmldocs all in build(), only _make all.

But here's the log from building using V=1.

loqs · 2023-06-25 20:20:39

As multiple commands using certs/extract-cert succeed before the failing

# CERT    certs/signing_key.x509
  certs/extract-cert "certs/signing_key.pem" certs/signing_key.x509
Extracted cert: /CN=Build time autogenerated kernel key
At main.c:164:
- SSL error:0480006C:PEM routines::no start line: crypto/pem/pem_lib.c:763
extract-cert: certs/signing_key.pem: Success
make[2]: *** [certs/Makefile:74: certs/signing_key.x509] Error 1
make[2]: *** Deleting file 'certs/signing_key.x509'

Perhaps certs/signing_key.pem is bad, it was generated by

# GENKEY  certs/signing_key.pem
  openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config certs/x509.genkey -outform PEM -out certs/signing_key.pem -keyout certs/signing_key.pem -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 2>&1

So as a test

$ mkdir test
$ cd test
$ cp path/to/linux/src/certs/default_x509.genkey x509.genkey
$ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform PEM -out signing_key.pem -keyout signing_key.pem -newkey ec -pkeyopt ec_paramgen_curve:secp384r1

Does that generate signing_key.pem containing a private key and a certificate? I am assuming openssl now is resolving to /usr/bin/openssl and that is from openssl 3.1.1-1.

GeneArch · 2023-06-25 20:28:02

The error seems to stem from some issue creating a good cert in certs/signing_key.x509 as suggested by @loqs

Do these show anything useful by chance - in source dir

ls -l certs/signing_key.x509
./certs/extract-cert "certs/signing_key.pem" certs/signing_key.x509
file certs/signing_key.x509
openssl x509 -noout -text -in certs/signing_key.x509

Last edited by GeneArch (2023-06-25 20:29:30)

proledatarian · 2023-06-25 20:45:54

I am able to create a signing_key.pem file in a test directory.

And there is also a signing_key.pem file in the certs directory.

Also:

./certs/extract-cert "certs/signing_key.pem" certs/signing_key.x509
At main.c:164:
- SSL error:0480006C:PEM routines::no start line: crypto/pem/pem_lib.c:763
extract-cert: certs/signing_key.pem: Success

file certs/signing_key.x509
certs/signing_key.x509: Certificate, Version=3

openssl x509  -noout -text -in certs/signing_key.x509
unable to load certificate
140470092031808:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

loqs · 2023-06-25 21:01:19

In the test directory does the following fail

openssl x509 -noout -text -in signing_key.pem

What is openssl resolving to

$ which openssl

proledatarian · 2023-06-25 21:03:45

Thanks so much for sticking with this issue by the way!

openssl $ x509 -noout -text -in signing_key.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f2:c0:c3:25:82:e5:11:69:c0:d7:48:36:ca:1c:e1:2f:90:52:d6
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: CN = Build time autogenerated kernel key
        Validity
            Not Before: Jun 25 20:40:10 2023 GMT
            Not After : Jun  1 20:40:10 2123 GMT
        Subject: CN = Build time autogenerated kernel key
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:22:ac:eb:2e:4c:5c:8c:38:34:39:9a:f8:28:ee:
                    77:95:e9:ed:22:d1:69:88:4e:3c:16:99:fa:41:a6:
                    19:11:87:91:b9:63:31:3a:38:ed:af:0a:45:c8:69:
                    55:f3:62:fe:70:55:d0:4e:17:84:78:ac:94:97:0a:
                    9d:de:1f:4a:fb:f5:54:cd:15:9f:dc:26:ed:b2:71:
                    55:b3:17:af:19:e3:f0:f2:fc:08:87:20:69:f0:fc:
                    2e:ff:3e:a9:36:8c:3a
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Key Identifier: 
                B2:02:F2:D6:40:EB:08:68:A6:21:A4:D6:F5:AC:6F:F9:2E:85:F5:FA
            X509v3 Authority Key Identifier: 
                keyid:B2:02:F2:D6:40:EB:08:68:A6:21:A4:D6:F5:AC:6F:F9:2E:85:F5:FA

    Signature Algorithm: ecdsa-with-SHA512
         30:64:02:30:53:fb:a6:0e:a8:e0:c5:50:36:c2:03:84:15:8a:
         78:5f:7b:20:c3:73:1d:c3:82:1f:e2:a4:97:93:55:67:3b:89:
         b6:99:e9:8a:23:76:f9:64:34:83:32:1c:f1:af:c8:04:02:30:
         69:57:95:32:fa:81:0e:65:cb:31:d3:bd:b2:2f:88:a2:cd:98:
         e6:c0:81:9e:9a:60:4e:69:4b:18:0c:32:45:70:94:6d:66:bc:
         07:b3:21:8d:25:87:c8:53:c0:30:1f:76

$ which openssl
/usr/local/bin/openssl

loqs · 2023-06-25 21:09:14

I thought you removed the openssl installation in the /usr/local prefix ?
If you use certs/extract-cert from the clean chroot build does that produce an error when used with certs/signing_key.pem and certs/signing_key.x509 from post #12?

GeneArch · 2023-06-25 21:44:39

Try building kernel without /usr/local/bin in your path - or as @loqs suggested, remove that one. It looks to be the source of your problems.

proledatarian · 2023-06-26 23:11:11

loqs wrote:

I thought you removed the openssl installation in the /usr/local prefix ?

I just renamed it for your suggestion in #6 and named it back afterwards.

When renaming it '$ which openssl' returns '/usr/bin/openssl', but for example the command from #10 fails as it can't find '/usr/local/bin/openssl'. But I can in a chroot regardless.

loqs wrote:

If you use certs/extract-cert from the clean chroot build does that produce an error when used with certs/signing_key.pem and certs/signing_key.x509 from post #12?

'./certs/extract-cert "certs/signing_key.pem" certs/signing_key.x509' in the chroot returns nothing.

GeneArch wrote:

Try building kernel without /usr/local/bin in your path - or as @loqs suggested, remove that one. It looks to be the source of your problems.

It also fails when building normally and succeeds when building in a chroot.

Scimmia · 2023-06-26 23:20:08

It's not just about the binary, you have a bunch of things under /usr/local/ related to openssl that are masking the system versions. loqs said to *remove the installation*, not rename a single binary.

loqs · 2023-06-26 23:30:50

If you do not want to remove it, hide it for the duration of the build

# mount -t tmpfs - /usr/local/
$ hash -r

proledatarian · 2023-06-27 09:08:13

loqs wrote:

If you do not want to remove it, hide it for the duration of the build
# mount -t tmpfs - /usr/local/
$ hash -r

Thanks, that's really helpful. And turns out, it did compile just fine when temporary mounting /usr/local to the tmpfs. So that seems to be the problem!

EDIT: So how do I fix this?

Last edited by proledatarian (2023-06-27 15:56:44)

proledatarian · 2023-06-30 12:47:08

Bump.

Thanks for isolating the issue, but I'm kind of unsure about how I can fix it now.

V1del · 2023-06-30 13:01:47

Do you know why you have a usr/local installation of the openssl stack? If you don't and this was done by accident you can remove all libs in relation to that from /usr/local (under "normal" circumstances assuming you are using packages for maintaining the installation/libs, /usr/local would be empty).

Scimmia · 2023-06-30 13:02:34

It's already been said many times, completely get rid of the openssl installation in /usr/local/.

proledatarian · 2023-06-30 13:16:28

Alright, thanks. I wasn't aware that there shouldn't be an OpenSSL installation in /usr/local.

Arch Linux

#1 2023-06-23 23:56:31

[SOLVED] Linux-git and linux-mainline don't compile because cert issue

#2 2023-06-24 10:53:33

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#3 2023-06-24 14:03:26

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#4 2023-06-24 14:23:21

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#5 2023-06-24 15:24:23

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#6 2023-06-24 15:42:02

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#7 2023-06-25 18:10:02

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#8 2023-06-25 18:18:16

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#9 2023-06-25 19:47:21

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#10 2023-06-25 20:20:39

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#11 2023-06-25 20:28:02

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#12 2023-06-25 20:45:54

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#13 2023-06-25 21:01:19

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#14 2023-06-25 21:03:45

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#15 2023-06-25 21:09:14

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#16 2023-06-25 21:44:39

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#17 2023-06-26 23:11:11

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#18 2023-06-26 23:20:08

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#19 2023-06-26 23:30:50

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#20 2023-06-27 09:08:13

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#21 2023-06-30 12:47:08

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#22 2023-06-30 13:01:47

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#23 2023-06-30 13:02:34

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

#24 2023-06-30 13:16:28

Re: [SOLVED] Linux-git and linux-mainline don't compile because cert issue

Board footer