Pesign upgrades/reboots

Fedora has (currently) 2 special builders. These builders are used to build a small set of packages that need to be signed for secure boot. These packages include: grub2, shim, kernel, pesign-test-app

When rebooting or upgrading pesign on these machines, you have to follow a special process to unlock the signing keys.

Contact Information


Fedora Release Engineering, Kernel/grub2/shim/pesign maintainers


#fedora-admin, #fedora-kernel


bkernel01, bkernel02


Upgrade or restart singning keys on kernel/grub2/shim builders


  1. Coordinate with pesign maintainers or pesign-test-app commiters as well as releng folks that have the pin to unlock the signing key.

  2. Remove builder from koji:

    koji disable-host
  3. Make sure all builds have completed.

  4. Stop existing processes:

    service pcscd stop
    service pesign stop
  5. Perform updates or reboots.

  6. Restart services (if you didn’t reboot):

    service pcscd start
    service pesign start
  7. Unlock signing key:

    pesign-client -t "OpenSC Card (Fedora Signer)" -u
    (enter pin when prompted)
  8. Make sure no builds are in progress, then Re-add builder to koji, remove other builder:

    koji enable-host
    koji disable-host
  9. Have a commiter send a build of pesign-test-app and make sure it’s signed correctly.

  10. If so, repeat process with second builder.