GNU bug report logs -
#40316
nss not reproducible
Previous Next
Full log
View this message in rfc822 format
Hi,
I believe I have a fix for this, I'm just waiting on my machine to hurry
up and confirm it, might end up running over night, then I'll send my
patch up.
I'm doing two native builds and two cross-builds.
I've also updated to 3.99.
Kind regards,
Christina
On 25/04/2024 15:06, Christina O'Donnell wrote:
> Hi Steve,
>
>> It would be good to confirm this one:
>>
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=40316
>
> Still fails to reproduce with those changes applied.
>
> The culprit is in nss/cmd/shlibsign/shlibsign.c:
>
> shlibSignHMAC generates a new key-pair each time it's run:
>
> /* Generate a DSA key pair */
> logIt("Generate an HMAC key ... \n");
> crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
> hmacKeyTemplate,
> PR_ARRAY_SIZE(hmacKeyTemplate),
> &hHMACKey);
>
> Three options:
> 1. Disable library signing entirely.
> 2. Seed the generation to be deterministic.
> 3. Drop in a HMAC key-pair and patch the code to use that instead of
> generating.
>
> 2 and 3 defeat the point of the cryptographically secure supply chain
> as the private key can be obtained deterministically, so my vote would
> be simply to not sign the libraries (1), which would be easier to
> maintain. We're not the primary distributor and users can verify our
> distribution of nss by running `guix challenge` anyway.
>
>> It looks like Zhen Junjie applied two patches to fix NSS
>> cross-compilation on Master [0]
>
> Building everything cross-compiled to ARM now.
>
> Kind regards,
>
> Christina
>
>
This bug report was last modified 1 year and 29 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.