
06/13: chromium-extension: Avoid usage of gcrypt at evaluation time.


From: guix-commits
Subject: 06/13: chromium-extension: Avoid usage of gcrypt at evaluation time.
Date: Thu, 16 Dec 2021 16:23:12 -0500 (EST)

mbakke pushed a commit to branch master
in repository guix.

commit 40ebf85b865cb942c2551bfdc2ca3065eb3d9186
Author: Marius Bakke <marius@gnu.org>
AuthorDate: Thu Dec 16 19:05:27 2021 +0100

    chromium-extension: Avoid usage of gcrypt at evaluation time.
    
    * gnu/build/chromium-extension.scm (make-signing-key): Wrap builder in
    with-extensions, and compute the seed checksum at build time.
---
 gnu/build/chromium-extension.scm | 47 ++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 24 deletions(-)

diff --git a/gnu/build/chromium-extension.scm b/gnu/build/chromium-extension.scm
index fb15712..5bda8f8 100644
--- a/gnu/build/chromium-extension.scm
+++ b/gnu/build/chromium-extension.scm
@@ -17,9 +17,6 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (gnu build chromium-extension)
-  #:use-module (gcrypt base16)
-  #:use-module ((gcrypt hash) #:prefix hash:)
-  #:use-module (ice-9 iconv)
   #:use-module (guix gexp)
   #:use-module (guix packages)
   #:use-module (gnu packages base)
@@ -39,28 +36,30 @@
 
 (define (make-signing-key seed)
   "Return a derivation for a deterministic PKCS #8 private key using SEED."
+  (computed-file
+   (string-append seed "-signing-key.pem")
+   (with-extensions (list guile-gcrypt)
+     #~(begin
+         (use-modules (gcrypt base16) (gcrypt hash) (ice-9 iconv))
+         (let* ((sha256sum (bytevector->base16-string
+                            (sha256 (string->bytevector #$seed "UTF-8"))))
+                ;; certtool.c wants a 56 byte seed for a 2048 bit key.
+                (key-size 2048)
+                (normalized-seed (string-take sha256sum 56)))
 
-  (define sha256sum
-    (bytevector->base16-string (hash:sha256 (string->bytevector seed "UTF-8"))))
-
-  ;; certtool.c wants a 56 byte seed for a 2048 bit key.
-  (define size 2048)
-  (define normalized-seed (string-take sha256sum 56))
-
-  (computed-file (string-append seed "-signing-key.pem")
-                 #~(system* #$(file-append gnutls "/bin/certtool")
-                            "--generate-privkey"
-                            "--key-type=rsa"
-                            "--pkcs8"
-                            ;; Use the provable FIPS-PUB186-4 algorithm for
-                            ;; deterministic results.
-                            "--provable"
-                            "--password="
-                            "--no-text"
-                            (string-append "--bits=" #$(number->string size))
-                            (string-append "--seed=" #$normalized-seed)
-                            "--outfile" #$output)
-                 #:local-build? #t))
+           (system* #$(file-append gnutls "/bin/certtool")
+                    "--generate-privkey"
+                    "--key-type=rsa"
+                    "--pkcs8"
+                    ;; Use the provable FIPS-PUB186-4 algorithm for
+                    ;; deterministic results.
+                    "--provable"
+                    "--password="
+                    "--no-text"
+                    (string-append "--bits=" (number->string key-size))
+                    (string-append "--seed=" normalized-seed)
+                    "--outfile" #$output))))
+   #:local-build? #t))
 
 (define* (make-crx signing-key package #:optional (package-output "out"))
   "Create a signed \".crx\" file from the unpacked Chromium extension residing
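Review bot: The docstring of make-signing-key should state that the generated key is not a secret: it is derived entirely from SEED (the same string that names the output file) and is written to the store through `--outfile`, so anyone who knows SEED can regenerate it. I would extend it along the lines of `"Return a derivation for a deterministic PKCS #8 private key using SEED.  The key is reproducible from SEED and must not be relied on for authenticity."` The comment `;; certtool.c wants a 56 byte seed` would also be more precise as 56 hexadecimal characters, since `normalized-seed` is the first 56 characters of the base16 digest. Separately, the status returned by `system*` is not checked in the visible lines, so a certtool failure presumably only surfaces as a missing output; `(unless (zero? (system* …)) (exit 1))` would make it explicit.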


