ryan77627/guix
1
0
Fork 0
mirror of https://git.in.rschanz.org/ryan77627/guix.git synced 2025-01-13 22:50:23 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

chromium-extension: Avoid usage of gcrypt at evaluation time.

Browse source 
* gnu/build/chromium-extension.scm (make-signing-key): Wrap builder in
with-extensions, and compute the seed checksum at build time.
This commit is contained in:
Marius Bakke 2021-12-16 19:05:27 +01:00
parent 173860eb41
commit 40ebf85b86
No known key found for this signature in database
GPG key ID: A2A06DF2A33A54FA
1 changed files with 23 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
gnu/build/chromium-extension.scm
View file

@ -17,9 +17,6 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu build chromium-extension) (define-module (gnu build chromium-extension)
#:use-module (gcrypt base16)
#:use-module ((gcrypt hash) #:prefix hash:)
#:use-module (ice-9 iconv)
#:use-module (guix gexp) #:use-module (guix gexp)
#:use-module (guix packages) #:use-module (guix packages)
#:use-module (gnu packages base) #:use-module (gnu packages base)
@ -39,28 +36,30 @@ (define-module (gnu build chromium-extension)
(define (make-signing-key seed) (define (make-signing-key seed)
"Return a derivation for a deterministic PKCS #8 private key using SEED." "Return a derivation for a deterministic PKCS #8 private key using SEED."
(computed-file
(string-append seed "-signing-key.pem")
(with-extensions (list guile-gcrypt)
#~(begin
(use-modules (gcrypt base16) (gcrypt hash) (ice-9 iconv))
(let* ((sha256sum (bytevector->base16-string
(sha256 (string->bytevector #$seed "UTF-8"))))
;; certtool.c wants a 56 byte seed for a 2048 bit key.
(key-size 2048)
(normalized-seed (string-take sha256sum 56)))
(define sha256sum (system* #$(file-append gnutls "/bin/certtool")
(bytevector->base16-string (hash:sha256 (string->bytevector seed "UTF-8")))) "--generate-privkey"
"--key-type=rsa"
;; certtool.c wants a 56 byte seed for a 2048 bit key. "--pkcs8"
(define size 2048) ;; Use the provable FIPS-PUB186-4 algorithm for
(define normalized-seed (string-take sha256sum 56)) ;; deterministic results.
"--provable"
(computed-file (string-append seed "-signing-key.pem") "--password="
#~(system* #$(file-append gnutls "/bin/certtool") "--no-text"
"--generate-privkey" (string-append "--bits=" (number->string key-size))
"--key-type=rsa" (string-append "--seed=" normalized-seed)
"--pkcs8" "--outfile" #$output))))
;; Use the provable FIPS-PUB186-4 algorithm for #:local-build? #t))
;; deterministic results.
"--provable"
"--password="
"--no-text"
(string-append "--bits=" #$(number->string size))
(string-append "--seed=" #$normalized-seed)
"--outfile" #$output)
#:local-build? #t))
(define* (make-crx signing-key package #:optional (package-output "out")) (define* (make-crx signing-key package #:optional (package-output "out"))
"Create a signed \".crx\" file from the unpacked Chromium extension residing "Create a signed \".crx\" file from the unpacked Chromium extension residing