From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ricardo Wurmus
Subject: Re: WIP Java certificates
Date: Thu, 16 Jun 2016 09:12:08 +0200
Message-ID: <874m8ty5dj.fsf@elephly.net>
References: <87eg7yy34f.fsf@mdc-berlin.de>
In-reply-to: <87eg7yy34f.fsf@mdc-berlin.de>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

Ricardo Wurmus writes:

> I noticed that IcedTea/OpenJDK does not actually generate a certificate
> store at build time — the store at “$out/lib/security/cacerts” is
> empty. As a result, accessing websites via HTTPS fails.

With some modifications to the patch (and by moving it from java.scm to
certs.scm) I managed to build a keystore from nss-certs. I confirmed
that it works by starting a Java application with these additional
options:

    -Djavax.net.debug=ssl
    -Djavax.net.ssl.trustStore=/gnu/store/62j3i7666wa3hwrlsgzjnx766fs4j06g-java-nss-certs-keystore-3.23/lib/security/cacerts

(Unfortunately, it is not deterministic yet.)

To make this available without the trustStore option I would need to
convert my package into a build phase for the icedtea packages.
However, I cannot do this as using the “certs” module in the “java”
module breaks Guix.

> As soon as I add
>
>     #:use-module (gnu packages certs)
>
> to the module definition of “(gnu packages java)” Guix complains with
> errors that are usually indicative of a module loop. Attached is a
> patch to master.
>
> Here are the errors I get when trying to build the package:
>
> ~~~~~~~~~~~~~~~~~~~~~~~
> ./pre-inst-env guix build java-nss-certs-keystore
> guix build: warning: failed to load '(gnu packages abiword)':
> ERROR: In procedure module-lookup: Unbound variable: nss
> guix build: warning: failed to load '(gnu packages avr)':
> ERROR: In procedure module-lookup: Unbound variable: gnu-make
> guix build: warning: failed to load '(gnu packages bioinformatics)':
> ERROR: In procedure module-lookup: Unbound variable: perl-libwww
> guix build: warning: failed to load '(gnu packages make-bootstrap)':
> ERROR: no binding `%final-inputs' in module (gnu packages commencement)
> guix build: warning: failed to load '(gnu packages mate)':
> ERROR: In procedure module-lookup: Unbound variable: gtk+
> guix build: warning: failed to load '(gnu packages unrtf)':
> ERROR: In procedure module-lookup: Unbound variable: coreutils
> guix build: error: java-nss-certs-keystore: unknown package
> ~~~~~~~~~~~~~~~~~~~~~~~

Any hints as to how I can debug this?

~~ Ricardo
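An added example, not part of the message above and not Guix code: a Python reader for the JKS format that a cacerts trust store uses, showing how to tell an empty store from a populated one and how to compare two builds by content. Each JKS entry records a creation timestamp, so two stores with identical certificates can still differ byte for byte; whether that is the source of the non-determinism mentioned above is not stated in the message. The function names are hypothetical, "changeit" is the usual default cacerts password, and the sample stores are constructed by `build_truststore`.

```python
import hashlib
import struct

JKS_MAGIC, TRUSTED_CERT = 0xFEEDFEED, 2   # file magic; tag of a trusted-cert entry
SALT = b"Mighty Aphrodite"                # fixed string mixed into the JKS digest


def _digest(body, password):
    # SHA-1 over the password as 2-byte chars, the fixed salt, then the body
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def _utf(buf, pos):
    # Java writeUTF string: 2-byte big-endian length, then (modified) UTF-8
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def parse_truststore(data, password="changeit"):
    """Return [(alias, timestamp_ms, cert_bytes)] from a version 2 JKS store."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version 2 JKS keystore")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        if tag != TRUSTED_CERT:
            raise ValueError("only trusted-certificate entries are handled")
        alias, pos = _utf(data, pos + 4)
        (stamp,) = struct.unpack_from(">Q", data, pos)
        _cert_type, pos = _utf(data, pos + 8)
        (size,) = struct.unpack_from(">I", data, pos)
        entries.append((alias, stamp, data[pos + 4:pos + 4 + size]))
        pos += 4 + size
    if _digest(data[:pos], password) != data[pos:pos + 20]:
        raise ValueError("integrity digest mismatch")
    return entries


def build_truststore(certs, stamp_ms, password="changeit"):
    """Build a constructed sample store from [(alias, cert_bytes)]."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(certs))
    for alias, der in certs:
        name = alias.encode("utf-8")
        body += struct.pack(">IH", TRUSTED_CERT, len(name)) + name
        body += struct.pack(">QH", stamp_ms, 5) + b"X.509"
        body += struct.pack(">I", len(der)) + der
    return body + _digest(body, password)


def same_trust_anchors(store_a, store_b):
    """Compare two stores by alias and certificate, ignoring timestamps."""
    strip = lambda s: sorted((a, c) for a, _, c in parse_truststore(s))
    return strip(store_a) == strip(store_b)
```

An empty store parses to an empty list, which is the condition under which every HTTPS connection fails certificate validation.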