From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ricardo Wurmus <rekado@elephly.net>
Subject: Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
Date: Sat, 23 Jul 2016 23:19:24 +0200
Message-ID: <87twfgcasj.fsf@elephly.net>
References: <20160718115941.17707-1-ricardo.wurmus@mdc-berlin.de>
	<20160718115941.17707-4-ricardo.wurmus@mdc-berlin.de>
	<87fur5lrje.fsf@gnu.org> <878twteb7w.fsf@mdc-berlin.de>
	<20160723183255.GA8067@solar>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51194)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rekado@elephly.net>) id 1bR4Ki-0007Im-O4
	for guix-devel@gnu.org; Sat, 23 Jul 2016 17:19:41 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rekado@elephly.net>) id 1bR4Ke-0004BU-Ee
	for guix-devel@gnu.org; Sat, 23 Jul 2016 17:19:39 -0400
Received: from sender163-mail.zoho.com ([74.201.84.163]:24486)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rekado@elephly.net>) id 1bR4Ke-0004B7-6f
	for guix-devel@gnu.org; Sat, 23 Jul 2016 17:19:36 -0400
In-reply-to: <20160723183255.GA8067@solar>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org


Andreas Enge <andreas@enge.fr> writes:

> Hello, Ricardo!
>
> Icedtea@1 in master now fails to build in the install-keystore phase.
>    http://hydra.gnu.org:3000/build/1309224
>    http://hydra.gnu.org:3000/build/1308950
> Could you have a look, please?

Hmm, that’s strange.  I ran “guix build icedtea” after removing the
validation filter and built out all three versions of icedtea before
pushing this.

I don’t have the very same version of the “keytool” binary on my machine
right now (with the very same version of nss-certs as on hydra), but in
principle this works without errors:

~~~~~~~~~~~~
/gnu/store/r63vag0814nz79xr9g2ph6fvhq5xp2f3-icedtea-2.6.6/bin/keytool \
  -import \
  -alias ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem \
  -keystore /tmp/keystore \
  -storepass changeit \
  -file /gnu/store/lp7s9x1llgw1rc675yvslxsnpcyy05ld-nss-certs-3.23/etc/ssl/certs/ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem

…
Trust this certificate? [no]:  yes
Certificate was added to keystore
~~~~~~~~~~~~

The pem file looks like a valid X.509 certificate to me.

I cannot build icedtea@1 on my machine right now as I’m traveling, but I
just started a build remotely on my workstation in the office and it
failed.  I used to have an additional stripping phase that I removed at
some point.  As I continued to refine the new phase I must have used the
cached build of icedtea@1 without ever rebuilding it.  Sorry!

The keytool from icedtea@1 doesn’t like this certificate.  My hunch is
that we may need to remove comments from the certificate files, only
leaving the certificate block.

I’ll fix this as soon as I can.

~~ Ricardo