Package: guix-patches
Reported by: Brice Waegeneire <brice <at> waegenei.re>
Date: Mon, 19 Jul 2021 21:16:02 UTC
Severity: normal
Tags: patch
From: Brice Waegeneire <brice <at> waegenei.re>
To: 49649 <at> debbugs.gnu.org
Cc: ludo <at> gnu.org, me <at> tobias.gr
Subject: [bug#49649] [PATCH v2 2/4] gnu: wireless-regdb: Reuse 'regulatory.db' signature.
Date: Sat, 25 Dec 2021 19:44:37 +0100
Unlike 'regulatory.bin' (used by CRDA), we can't have a valid unsigned 'regulatory.db' (used by subsystem cfg80211). So, we reuse upstream's signature for that file and rebuild it ourself to be sure it's reproducible * gnu/packages/linux.scm (wireless-regdb)[source]: Delete file 'regulatory.db'. [arguments]: Remove 'omit-signature' phase, replace 'build' phase with make target 'regulatory.db', add phase 'build-regulatory.bin-unsigned' and add 'check' phase. Enable tests and parallel builds. Remove make-flags specific to 'build-regulatory.bin-unsigned'. [native-inputs]: Use new format and add 'openssl'. [description]: Add reference to the cfg80211 linux subsystem. --- gnu/packages/linux.scm | 72 +++++++++++++++++++++--------------------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index e2be00679f..54f2682965 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -4296,10 +4296,11 @@ (define-public wireless-regdb (sha256 (base32 "0liagyi6ppf5w474qk9j4jz5gbvvn8mc8al1dq4b1xrgv28485ml")) - - ;; We're building 'regulatory.bin' by ourselves. + ;; We're building 'regulatory.bin' and 'regulatory.db' by + ;; ourselves. (snippet '(begin - (delete-file "regulatory.bin") + (map delete-file '("regulatory.bin" + "regulatory.db")) #t)))) (build-system gnu-build-system) (arguments 
@@ -4310,48 +4311,47 @@ (define-public wireless-regdb (substitute* "Makefile" (("gzip") "gzip --no-name")) #t)) - (add-after 'unpack 'omit-signature + (replace 'build + (lambda* (#:key (make-flags '()) #:allow-other-keys) + (apply invoke "make" "regulatory.db" make-flags))) + (add-after 'build 'build-regulatory.bin-unsigned + (lambda* (#:key (make-flags '()) #:allow-other-keys) + (apply invoke "make" "regulatory.bin" + (cons* + ;; Leave this empty so that db2bin.py doesn't try to sign + ;; ‘regulatory.bin’. This allows us to avoid managing a key + ;; pair for the whole distribution. + "REGDB_PRIVKEY=" + ;; Don't generate a public key for the same reason. These are + ;; used as Makefile targets and can't be the empty string. + "REGDB_PUBCERT=/dev/null" + "REGDB_PUBKEY=/dev/null" + make-flags)))) + ;; We check if the 'regulatory.db' we just built is the same as the + ;; one that got signed by upstream. + (replace 'check (lambda _ - (substitute* "Makefile" - ;; Signing requires a REGDB_PUBCERT and REGDB_PRIVKEY which we - ;; don't provide (see below). Disable it. - ((" regulatory\\.db\\.p7s") "") - ;; regulatory.db is built as a dependency of regulatory.db.p7s, - ;; but ‘make install’ depends only on the latter while installing - ;; both (and failing). Depend on it explicitly. - (("^install: " all) (string-append all "regulatory.db "))) - #t)) + (invoke "openssl" "smime" + "-verify" "-inform" "DER" + "-signer" "sforshee.x509.pem" + "-in" "regulatory.db.p7s" "-content" "regulatory.db" + "-out" "/dev/null" + "-CAfile" "sforshee.x509.pem"))) (delete 'configure)) ; no configure script - - ;; The 'all' target of the makefile depends on $(REGDB_CHANGED), which - ;; is computed and can be equal to 'maintainer-clean'; when that - ;; happens, we can end up deleting the 'regulatory.bin' file that we - ;; just built. Thus, build things sequentially. - #:parallel-build? #f - - #:tests? 
#f ; no tests #:make-flags (let ((out (assoc-ref %outputs "out"))) (list (string-append "PREFIX=" out) - (string-append "FIRMWARE_PATH=$(PREFIX)/lib/firmware") - - ;; Leave this empty so that db2bin.py doesn't try to sign - ;; ‘regulatory.bin’. This allows us to avoid managing a key - ;; pair for the whole distribution. - (string-append "REGDB_PRIVKEY=") - ;; Don't generate a public key for the same reason. These are - ;; used as Makefile targets and can't be the empty string. - (string-append "REGDB_PUBCERT=/dev/null") - (string-append "REGDB_PUBKEY=/dev/null"))))) - (native-inputs - `(("python" ,python-wrapper))) + (string-append "FIRMWARE_PATH=$(PREFIX)/lib/firmware"))))) + (native-inputs (list openssl ; to verify signature + python-wrapper)) (home-page "https://wireless.wiki.kernel.org/en/developers/regulatory/wireless-regdb") (synopsis "Wireless regulatory database") (description - "This package contains the wireless regulatory database for the Central -Regulatory Database Agent (CRDA). The database contains information on -country-specific regulations for the wireless spectrum.") + "This package contains the wireless regulatory database used by the Linux +cfg80211 subsystem and the legacy Central Regulatory Database Agent (CRDA). +The database contains information on country-specific regulations for the +wireless spectrum.") (license license:isc))) (define-public lm-sensors -- 2.34.0
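Review bot: In the source snippet of the first hunk, `(map delete-file '("regulatory.bin" "regulatory.db"))` calls `map` only for its side effects and throws away the list it builds; `for-each` says what is meant and is the usual idiom for this. The snippet's trailing `#t` is kept as before, so the change is a one-word swap.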
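Review bot: In the replaced 'check phase of the second hunk, `"-signer" "sforshee.x509.pem"` is not an input when combined with `-verify`: openssl smime writes the signer's certificate to that file after a successful verification, so the phase overwrites the very file it also passes as `-CAfile`. Dropping the `-signer` pair leaves `-CAfile` as the single trust anchor and keeps the unpacked source untouched. The phase is also written as `(lambda _ ...)`, so it runs whatever `#:tests?` is set to; if that is deliberate because this verification is what justifies shipping the rebuilt 'regulatory.db' next to upstream's signature, a comment saying so would help, otherwise take `tests?` from the keyword arguments. Separately, the two custom build phases call make with only `make-flags`, so removing `#:parallel-build? #f` does not by itself give these targets a `-j` flag, which is worth reconciling with the "parallel builds" wording in the commit message.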