From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
Date: Tue, 19 Jul 2016 14:51:33 +0200
Message-ID: <87fur5lrje.fsf@gnu.org>
References: <20160718115941.17707-1-ricardo.wurmus@mdc-berlin.de>
 <20160718115941.17707-4-ricardo.wurmus@mdc-berlin.de>
In-Reply-To: <20160718115941.17707-4-ricardo.wurmus@mdc-berlin.de> (Ricardo Wurmus's message of "Mon, 18 Jul 2016 13:59:41 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ricardo Wurmus
Cc: guix-devel@gnu.org

Ricardo Wurmus skribis:

> From: Ricardo Wurmus
>
> * gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
> "install-keystore".
> [native-inputs]: Add nss-certs and openssl.

[...]

> +         (add-after 'install 'install-keystore
> +           (lambda* (#:key inputs outputs #:allow-other-keys)

Could you add a comment to explain what’s going on here?  Too bad
IcedTea’s build system doesn’t take care of that.

> +             (let* ((keystore  "cacerts")
> +                    (certs-dir (string-append (assoc-ref inputs "nss-certs")
> +                                              "/etc/ssl/certs"))
> +                    (keytool   (string-append (assoc-ref outputs "jdk")
> +                                              "/bin/keytool"))
> +                    (openssl   (which "openssl"))
> +                    (recent    (date->time-utc (string->date "2016-1-1"
> +                                                             "~Y-~m-~d"))))
> +               (define (valid? cert)
> +                 (let* ((port (open-pipe* OPEN_READ openssl
> +                                          "x509" "-enddate" "-in" cert "-noout"))
> +                        (str  (read-line port))
> +                        (end  (begin (close-pipe port)
> +                                     ;; TODO: use match?
> +                                     (cadr (string-split str #\=)))))

Why not use ‘match’, indeed.  :-)  No big deal though.

> +                   (time>? (date->time-utc
> +                            (string->date end "~b ~d ~H:~M:~S ~Y")) recent)))
> +
> +               (define (import-cert cert)
> +                 (format #t "Importing certificate ~a\n" (basename cert))
> +                 (let* ((port (open-pipe* OPEN_WRITE keytool
> +                                          "-import"
> +                                          "-alias" (basename cert)
> +                                          "-keystore" keystore
> +                                          "-storepass" "changeit"
> +                                          "-file" cert)))
> +                   (display "yes\n" port)
> +                   (when (not (eqv? 0 (status:exit-val (close-pipe port))))

Maybe (zero? (status:exit-val …)).

> +                     (format (current-error-port)
> +                             "Failed to import certificate.\n"))))

Rather (error "failed to import" cert) so the process stops here.

> +               ;; This is necessary because the certificate directory contains
> +               ;; files with non-ASCII characters in their names.
> +               (setlocale LC_ALL "en_US.utf8")
> +               (setenv "LC_ALL" "en_US.utf8")
> +
> +               (for-each import-cert
> +                         (filter valid? (find-files certs-dir "\\.pem$")))

Why do we need to filter out invalid certificates?

The problem I see is that the result of ‘valid?’, and thus the output
of the build process, depends on the build time, which isn’t great.

I would prefer to unconditionally install all the certificates if that
doesn’t cause any problems.

WDYT?

Thank you for working on it!

Ludo’.
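Review bot: `valid?` has no failure path: if `openssl x509 -enddate` exits non-zero (a file under `certs-dir` matching `\.pem$` that is not a parseable certificate), `read-line` returns the EOF object and `(cadr (string-split str #\=))` raises a type error, so the build aborts with a message that does not name the offending file. Check `(eof-object? str)` and the exit status returned by `close-pipe` before splitting, and either treat the file as not valid or call `(error "cannot read certificate" cert)` so the cause is visible in the build log. In `import-cert`, writing `"yes\n"` to the pipe to answer keytool's trust prompt can be replaced by the `-noprompt` option, which makes the non-interactive import explicit and does not depend on the prompt's wording; `-storepass "changeit"` is the conventional default password of the JDK `cacerts` store, which is acceptable because the store holds only public CA certificates, but a one-line comment saying so would spare the next reader the question. Note also that `recent` is the fixed date 2016-01-01, so the filter drops only certificates that had already expired before that date, not before the current build; the output is therefore the same for every build, but the cutoff goes stale as the `nss-certs` input is updated, which is one more argument for importing the whole directory as suggested below.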