From a5c66c76b3d5580c06be741439d6f9eaa6cfcc66 Mon Sep 17 00:00:00 2001
From: "Sean P. Kelly"
Date: Thu, 25 Jul 2024 15:46:15 +0000
Subject: [PATCH] imghelper: disable pkix in nss

In NSS 3.101, lib::pkix was enabled as the default X.509 validator. This causes pesigcheck to fail with "Peer's Certificate issuer is not recognized," despite the CA issuer being provided to pesigcheck. We will revert to the previous validator while working to become compatible with pkix.
---
 twoliter/embedded/imghelper | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/twoliter/embedded/imghelper b/twoliter/embedded/imghelper
index 615911fff..727992cff 100755
--- a/twoliter/embedded/imghelper
+++ b/twoliter/embedded/imghelper
@@ -495,7 +495,7 @@ do_sign() {
 pesign -i "${what}" -o "${what}.signed" -s "${sign_key[@]}"
 mv "${what}.signed" "${what}"
 pesign -i "${what}" -l
- pesigcheck -i "${what}" -n 0 -c "${cert}"
+ NSS_DISABLE_PKIX_VERIFY=1 pesigcheck -i "${what}" -n 0 -c "${cert}"
 }
 sign_shim() {
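Review bot: The `NSS_DISABLE_PKIX_VERIFY=1` prefix on the `pesigcheck` line in `do_sign` has no in-code comment, yet the commit message describes it as a temporary revert to the previous NSS validator. This is the step that checks the freshly applied signature against `${cert}`, so a reader of the script should see why the default validator is bypassed and when the override can be removed; I would add above it `# NSS >= 3.101 defaults to libpkix, which fails pesigcheck with "issuer is not recognized" even with -c; remove once pesigcheck is pkix-compatible.` Scoping the variable to this one command rather than exporting it is the right choice, since the `pesign` calls above it keep the default validator. The body of `do_sign` begins before the hunk, so whether a failing `pesigcheck` aborts the build (for example via `set -e`) cannot be confirmed from here.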