GNU bug report logs - #40316
nss not reproducible


Package: guix;

Reported by: Danny Milosavljevic <dannym <at> scratchpost.org>

Date: Mon, 30 Mar 2020 02:36:21 UTC

Severity: normal

Merged with 30108, 33507



Message #30 received at 40316 <at> debbugs.gnu.org (full text, mbox):

From: Christina O'Donnell <cdo <at> mutix.org>
To: 40316 <at> debbugs.gnu.org
Cc: guix-devel <at> gnu.org, Steve George <steve <at> futurile.net>
Subject: Re: Core updates status
Date: Thu, 25 Apr 2024 15:06:58 +0100

Hi Steve,

> It would be good to confirm this one:
>
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=40316

Still fails to reproduce with those changes applied.

The culprit is in nss/cmd/shlibsign/shlibsign.c:

shlibSignHMAC generates a new key-pair each time it's run:

    /* Generate a DSA key pair */
    logIt("Generate an HMAC key ... \n");
    crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
                                       hmacKeyTemplate,
                                       PR_ARRAY_SIZE(hmacKeyTemplate),
                                       &hHMACKey);

Three options:
 1. Disable library signing entirely.
 2. Seed the generation to be deterministic.
 3. Drop in an HMAC key-pair and patch the code to use that instead of
generating one.

2 and 3 defeat the point of the cryptographically secure supply chain as 
the private key can be obtained deterministically, so my vote would be 
simply to not sign the libraries (1), which would be easier to
maintain. We're not the primary distributor and users can verify our 
distribution of nss by running `guix challenge` anyway.

> It looks like Zhen Junjie applied two patches to fix NSS cross-compilation on Master [0]

Building everything cross-compiled to ARM now.

Kind regards,

Christina
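The argument in the message above, as an added model that is not NSS code and does not reproduce the real .chk file layout: a MAC tag over the library is only reproducible if the key is fixed, and a fixed key is one anybody can derive, so the tag no longer says anything about who built the library. Names (`sign_library`, `verify_library`, the seed string) and the library bytes are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a built shared library; not a real NSS artifact.
LIBRARY = b"\x7fELF constructed libsoftokn3.so contents"


def generate_hmac_key(seed=None):
    """Model of shlibSignHMAC's C_GenerateKey call.

    seed=None: a fresh random key on every run (what nss does today, so the
    output differs between two otherwise identical builds).
    seed=bytes: option 2 from the message, a key derived deterministically.
    """
    if seed is None:
        return os.urandom(32)
    return hashlib.sha256(b"constructed-shlibsign-seed:" + seed).digest()


def sign_library(data, seed=None):
    """Model of writing a .chk: returns (key, tag) for the library bytes."""
    key = generate_hmac_key(seed)
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return key, tag


def verify_library(data, key, tag):
    """What the loader would check: does the tag match the library under this key?"""
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def is_reproducible(data, seed=None):
    """Do two independent signing runs over the same bytes give identical output?"""
    return sign_library(data, seed) == sign_library(data, seed)


def deterministic_key_accepts_any_library(original, modified, seed):
    """With a deterministic seed, a tag for *modified* bytes verifies just as
    well as one for the original, which is why options 2 and 3 give no
    supply-chain assurance beyond the hash `guix challenge` already compares."""
    key, tag = sign_library(modified, seed)
    same_key = key == generate_hmac_key(seed)
    return same_key and verify_library(modified, key, tag)
```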

