unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: ludo@gnu.org (Ludovic Courtès)
To: Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
Date: Tue, 19 Jul 2016 14:51:33 +0200	[thread overview]
Message-ID: <87fur5lrje.fsf@gnu.org> (raw)
In-Reply-To: <20160718115941.17707-4-ricardo.wurmus@mdc-berlin.de> (Ricardo Wurmus's message of "Mon, 18 Jul 2016 13:59:41 +0200")

Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> skribis:

> From: Ricardo Wurmus <rekado@elephly.net>
>
> * gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
> "install-keystore".
> [native-inputs]: Add nss-certs and openssl.

[...]

> +         (add-after 'install 'install-keystore
> +           (lambda* (#:key inputs outputs #:allow-other-keys)

Could you add a comment to explain what’s going on here?

Too bad IceTea’s build system doesn’t take care of that.

> +             (let* ((keystore  "cacerts")
> +                    (certs-dir (string-append (assoc-ref inputs "nss-certs")
> +                                              "/etc/ssl/certs"))
> +                    (keytool   (string-append (assoc-ref outputs "jdk")
> +                                              "/bin/keytool"))
> +                    (openssl   (which "openssl"))
> +                    (recent    (date->time-utc (string->date "2016-1-1"
> +                                                             "~Y-~m-~d"))))
> +               (define (valid? cert)
> +                 (let* ((port (open-pipe* OPEN_READ openssl
> +                                          "x509" "-enddate" "-in" cert "-noout"))
> +                        (str  (read-line port))
> +                        (end  (begin (close-pipe port)
> +                                     ;; TODO: use match?
> +                                     (cadr (string-split str #\=)))))

Why not use ‘match’, indeed.  :-)  No big deal though.

> +                   (time>? (date->time-utc
> +                            (string->date end "~b ~d ~H:~M:~S ~Y")) recent)))
> +
> +               (define (import-cert cert)
> +                 (format #t "Importing certificate ~a\n" (basename cert))
> +                 (let* ((port (open-pipe* OPEN_WRITE keytool
> +                                          "-import"
> +                                          "-alias" (basename cert)
> +                                          "-keystore" keystore
> +                                          "-storepass" "changeit"
> +                                          "-file" cert)))
> +                   (display "yes\n" port)
> +                   (when (not (eqv? 0 (status:exit-val (close-pipe port))))

Maybe (zero? (status:exit-val …)).

> +                     (format (current-error-port)
> +                             "Failed to import certificate.\n"))))

Rather (error "failed to import" cert) so the process stops here.

> +               ;; This is necessary because the certificate directory contains
> +               ;; files with non-ASCII characters in their names.
> +               (setlocale LC_ALL "en_US.utf8")
> +               (setenv "LC_ALL" "en_US.utf8")
> +
> +               (for-each import-cert
> +                         (filter valid? (find-files certs-dir "\\.pem$")))

Why do we need to filter out invalid certificates?

The problem I see is that the result of ‘valid?’, and thus the output of
the build process, depends on the build time, which isn’t great.

I would prefer to unconditionally install all the certificates if that
doesn’t cause any problems.  WDYT?

Thank you for working on it!

Ludo’.

  reply	other threads:[~2016-07-19 12:51 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-07-18 11:59 [PATCH 0/3] icedtea: Generate keystore Ricardo Wurmus
2016-07-18 11:59 ` [PATCH 1/3] gnu: nss-certs: Stop inheriting from nss package Ricardo Wurmus
2016-07-18 16:39   ` Leo Famulari
2016-07-18 19:34     ` Ricardo Wurmus
2016-07-18 19:39       ` Leo Famulari
2016-07-19 12:44   ` Ludovic Courtès
2016-07-18 11:59 ` [PATCH 2/3] gnu: icedtea-6: Use modify-phases syntax Ricardo Wurmus
2016-07-19 12:45   ` Ludovic Courtès
2016-07-18 11:59 ` [PATCH 3/3] gnu: icedtea-6: Generate keystore Ricardo Wurmus
2016-07-19 12:51   ` Ludovic Courtès [this message]
2016-07-19 13:03     ` Ricardo Wurmus
2016-07-22 19:14     ` Ricardo Wurmus
2016-07-23 18:32       ` Andreas Enge
2016-07-23 21:19         ` Ricardo Wurmus
2016-07-23 21:33           ` Ricardo Wurmus
2016-07-23 23:27             ` Andreas Enge
2016-07-24  7:43               ` Ricardo Wurmus
2016-07-24  8:07                 ` Andreas Enge
2016-07-18 17:51 ` [PATCH 0/3] icedtea: " Roel Janssen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87fur5lrje.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=guix-devel@gnu.org \
    --cc=ricardo.wurmus@mdc-berlin.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).