From 6796e5f7b0ab1eb08f92887ae0427cf5a4120e0b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sun, 8 Nov 2015 14:42:29 -0500
Subject: [PATCH 1/5] pesign: when nss fails to tell us -EPERM or -ENOENT,
 figure it out.

This should make -EPERM problems much easier for the user to diagnose.

Signed-off-by: Peter Jones <pjones@redhat.com>
---
 src/pesign.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/pesign.c b/src/pesign.c
index 1d72657..09b6a2b 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -17,7 +17,9 @@
  * Author(s): Peter Jones <pjones@redhat.com>
  */
 
+#include <err.h>
 #include <fcntl.h>
+#include <glob.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -576,14 +578,28 @@ main(int argc, char *argv[])
 
 	if (!daemon) {
 		SECStatus status;
-		if (need_db)
+		if (need_db) {
 			status = NSS_Init(certdir);
-		else
+			if (status != SECSuccess) {
+				char *globpattern = NULL;
+				rc = asprintf(&globpattern, "%s/cert*.db",
+					      certdir);
+				if (rc > 0) {
+					glob_t globbuf;
+					memset(&globbuf, 0, sizeof(globbuf));
+					rc = glob(globpattern, GLOB_ERR, NULL,
+						  &globbuf);
+					if (rc != 0) {
+						err(1, "Could not open NSS database (\"%s\")",
+						     PORT_ErrorToString(PORT_GetError()));
+					}
+				}
+			}
+		} else
 			status = NSS_NoDB_Init(NULL);
 		if (status != SECSuccess) {
-			fprintf(stderr, "Could not initialize nss: %s\n",
+			errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
 				PORT_ErrorToString(PORT_GetError()));
-			exit(1);
 		}
 
 		status = register_oids(ctxp->cms_ctx);
-- 
2.5.0