#49 tests fail after 2026-02-20

[Bernhard M. Wiedemann]

While working on reproducible builds for openSUSE, I found that
our ibmtss (version 2.1.1) package does not pass its tests after 2026-02-20

In openSUSE, I reproduce it with
osc checkout openSUSE:Factory/ibmtss && cd $_
osc build --vm-type=kvm --noservice --clean --build-opt=--vm-custom-opt="-rtc base=2026-02-21T00:00:00"

The build log said
processValidatePrimary: Public key from X509 certificate matches output of createprimary
Public key from X509 certificate matches output of createprimary
verifyCertificate: Error in X509_verify_cert verifying certificate
processRoot: EK certificate did not verify
createek: failed, rc 000b007a
TSS_RC_RSA_SIGNATURE - RSA signature is bad

Background:
As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future.
The usual offset is +16 years, because that is how long I expect some software will be used in some places.
This showed up failing tests in our package build.
See https://reproducible-builds.org/ for why this matters.

[Ken Goldman]

Thank you so much for this!

The issue is that the regression test suite includes a test CA to issue test EK certificates. The CA root certificate was generated in 2016 with a 10 year lifetime, thus invalid in 2026. Note that it's not specific to Suse, and does not affect the operation of the TSS, only the regression test.

I will issue a new certificate for the next release.

What is the priority for this? Is it a blocker?

[Ken Goldman]

I pushed new certificates to master. I'll tag it after complete testing. Can you test it?

[Bernhard M. Wiedemann]

I tested https://github.com/kgoldman/ibmtss/commit/3a17ac01bea73d3568272d61b895a16a0bd85440 and it indeed fixed this issue.
Thanks a lot for the fast update.