Bug
Resolution: Unresolved
Minor
rhel-8.8.0.z, rhel-8.10.z, rhel-9.2.0.z, rhel-9.4.z, rhel-9.5.z
Low
rhel-sst-security-crypto
ssg_security
What were you trying to do that didn't work?
Verifying a cert chain using 16K RSA keys.
What is the impact of this issue to you?
None.
Please provide the package NVR for which the bug is seen:
nss-3.101.0-7.el9_2
How reproducible is this bug?:
reliably
Steps to reproduce
mkdir nssdb
certutil -d nssdb -N --empty-password
certutil -d nssdb -A -n ca -t 'cCT,,' -a -i ca.pem
certutil -d nssdb -A -n server -t ',,' -a -i server.pem
certutil -d nssdb -V -n server -l -e -u V
echo $?
Expected results
Complains about the cert chain, errors out
Actual results
nss-3.101.0-7.el9_2: prints server : Peer's certificate has an invalid signature., exit code is 0
nss-3.101.0-7.el10: prints ca : Peer's certificate has an invalid signature., exit code is 255
Comments
rrelyea@redhat.com says it's expected that pkix validates root-to-leaf, which is fine by me. The change in the retcode is more suspicious, but it's a change for the better, so filing it as an issue against 9.
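
A fail-closed way to script the verification step above, given that the el9 build prints the signature error yet exits 0. This is an added example, not part of the original report; the `nss_verify` function, the `CERTUTIL` override and the assumed success line `certutil: certificate is valid` are this example's assumptions.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around `certutil -V`.
# CERTUTIL is a hypothetical override so the wrapper can be exercised
# against a stub; by default the real certutil on PATH is used.
CERTUTIL="${CERTUTIL:-certutil}"

# nss_verify DB NICKNAME
#   0 = certutil exited 0 AND printed its success line
#   1 = certutil reported failure through its exit code
#   2 = exit code 0 but no success line (the mismatch seen on el9 above)
nss_verify() {
    db=$1
    nick=$2
    rc=0
    # Same flags as the reproducer; stderr is captured because the
    # per-certificate log lines may not be written to stdout.
    out=$("$CERTUTIL" -d "$db" -V -n "$nick" -l -e -u V 2>&1) || rc=$?

    # Assumption: a clean run prints "certutil: certificate is valid".
    # Note this pattern does not match "certificate is invalid".
    if printf '%s\n' "$out" | grep -q ': certificate is valid$'; then
        said_valid=1
    else
        said_valid=0
    fi

    if [ "$rc" -eq 0 ] && [ "$said_valid" -eq 1 ]; then
        return 0
    fi
    if [ "$rc" -eq 0 ]; then
        # Do not trust the exit code alone: surface the output and fail.
        printf 'exit code 0 without success line, treating as invalid:\n%s\n' "$out" >&2
        return 2
    fi
    printf 'verification failed (rc=%s):\n%s\n' "$rc" "$out" >&2
    return 1
}
```

Call it as `nss_verify nssdb server` and branch on its return value instead of on certutil's own exit status.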