gnu: libcamera: Disable signature verification.

Signature verification breaks when libcamera is grafted.  Running built-in
libcamera modules via proxy is not recommended by upstream and does not always
work.  We control the build process of all libcamera modules, so to work around
the issue we disable signature verification.  For more information see:
<https://issues.guix.gnu.org/72828>

* gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/networking.scm (libcamera): Disable signature verification.
[inputs]: Remove gnutls and openssl.
[arguments]: Remove re-sign-binaries phase.
[source]: Add disable-signature patch.

Change-Id: Icf422553c0f49b28d7997a1e818a4b8d9a6b5732
This commit is contained in:
Andrew Tropin 2024-09-05 10:24:08 +04:00
parent 0b95de9b3b
commit b0e224566f
No known key found for this signature in database
GPG key ID: 2208D20958C1DEB0
3 changed files with 59 additions and 17 deletions


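--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1589,6 +1589,7 @@ dist_patch_DATA = \
 %D%/packages/patches/julia-SOURCE_DATE_EPOCH-mtime.patch \
 %D%/packages/patches/julia-Use-MPFR-4.2.patch \
 %D%/packages/patches/libcall-ui-make-it-installable.patch \
+%D%/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch \
 %D%/packages/patches/libcss-check-format.patch \
 %D%/packages/patches/libextractor-tidy-support.patch \
 %D%/packages/patches/libftdi-fix-paths-when-FTDIPP-set.patch \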


@ -382,6 +382,8 @@ (define-public libcamera
(git-reference (git-reference
(url "https://git.libcamera.org/libcamera/libcamera.git") (url "https://git.libcamera.org/libcamera/libcamera.git")
(commit (string-append "v" version)))) (commit (string-append "v" version))))
(patches (search-patches
"libcamera-ipa_manager-disable-signature-verification.patch"))
(file-name (file-name
(git-file-name name version)) (git-file-name name version))
(sha256 (sha256
@ -431,21 +433,7 @@ (define-public libcamera
(mkdir-p (string-append gst "/lib")) (mkdir-p (string-append gst "/lib"))
(rename-file (rename-file
(string-append out "/lib/gstreamer-1.0") (string-append out "/lib/gstreamer-1.0")
(string-append gst "/lib/gstreamer-1.0"))))) (string-append gst "/lib/gstreamer-1.0"))))))))
(add-after 'shrink-runpath 're-sign-binaries
(lambda* (#:key outputs #:allow-other-keys)
"Update signatures of all ipa libraries.
After stipping phases signatures are not valid anymore, so it's necessary to
re-sign."
(let* ((out (assoc-ref outputs "out")))
(for-each
(lambda (file)
(invoke
"source/src/ipa/ipa-sign.sh" "src/ipa-priv-key.pem"
file (string-append file ".sign")))
(find-files
(string-append out "/lib/libcamera") "\\.so$"))))))))
(native-inputs (native-inputs
(list googletest (list googletest
graphviz ;for 'dot' graphviz ;for 'dot'
@ -458,11 +446,9 @@ (define-public libcamera
(list eudev (list eudev
glib glib
gst-plugins-base gst-plugins-base
gnutls
libevent libevent
libtiff libtiff
libyaml libyaml
openssl
python-jinja2 python-jinja2
python-ply python-ply
qtbase)) qtbase))
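Review bot: The package definition itself no longer says why gnutls, openssl and the re-sign-binaries phase are gone; that rationale only lives in the commit message and in the patch's log string, so a later maintainer re-adding the inputs or the phase would not see it. A one-line comment above the new `(patches ...)` form in the first hunk, such as `;; Disable IPA signature verification: it breaks under grafting, see <https://issues.guix.gnu.org/72828>.`, keeps the reasoning next to the code it justifies.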


@ -0,0 +1,55 @@
From c99706475cde3d963a17f4f8871149711ce6c467 Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Wed, 4 Sep 2024 21:36:16 +0400
Subject: [PATCH] libcamera: ipa_manager: Disable signature verification
---
src/libcamera/ipa_manager.cpp | 28 +++++-----------------------
1 file changed, 5 insertions(+), 23 deletions(-)
diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
index cfc24d38..4fd3cf3e 100644
--- a/src/libcamera/ipa_manager.cpp
+++ b/src/libcamera/ipa_manager.cpp
@@ -284,33 +284,15 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion,
bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const
{
-#if HAVE_IPA_PUBKEY
- char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");
- if (force && force[0] != '\0') {
- LOG(IPAManager, Debug)
- << "Isolation of IPA module " << ipa->path()
- << " forced through environment variable";
- return false;
- }
-
- File file{ ipa->path() };
- if (!file.open(File::OpenModeFlag::ReadOnly))
- return false;
-
- Span<uint8_t> data = file.map();
- if (data.empty())
- return false;
-
- bool valid = pubKey_.verify(data, ipa->signature());
+ LOG(IPAManager, Debug)
+ << "Signature verification is disabled by Guix. "
+ << "See https://issues.guix.gnu.org/72828 for more details.";
LOG(IPAManager, Debug)
<< "IPA module " << ipa->path() << " signature is "
- << (valid ? "valid" : "not valid");
+ << "not verified (verification skipped).";
- return valid;
-#else
- return false;
-#endif
+ return true;
}
} /* namespace libcamera */
--
2.45.2
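Review bot: The rewritten isSignatureValid returns true unconditionally and also drops the LIBCAMERA_IPA_FORCE_ISOLATION check from the removed lines at the top of the hunk, so an operator loses the way the removed log message describes to force isolation of an IPA module, even though that check never depended on the public key. Keeping it as a first early return, `char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");` / `if (force && force[0] != '\0') return false;`, preserves that opt-in while still skipping the key check. The `[[maybe_unused]]` on the `ipa` parameter is now stale, because `ipa->path()` is used unconditionally in the surviving LOG call. I would also make the second debug message state the outcome rather than only that verification was skipped, e.g. `<< "not verified (verification skipped); signature is treated as valid."`.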