From: Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 3/3] gnu: icedtea-6: Generate keystore.
Date: Tue, 19 Jul 2016 15:03:23 +0200
Message-ID: <idjvb01vkys.fsf@bimsb-sys02.mdc-berlin.net>
In-Reply-To: <87fur5lrje.fsf@gnu.org>


Ludovic Courtès <ludo@gnu.org> writes:

> Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> skribis:
>
>> From: Ricardo Wurmus <rekado@elephly.net>
>>
>> * gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
>> "install-keystore".
>> [native-inputs]: Add nss-certs and openssl.
>
> [...]
>
>> +         (add-after 'install 'install-keystore
>> +           (lambda* (#:key inputs outputs #:allow-other-keys)
>
> Could you add a comment to explain what’s going on here?

Okay, I’ll add a comment.

> Too bad IcedTea’s build system doesn’t take care of that.

Yeah, there is an old bug report about this, but its resolution has been
pushed to later releases repeatedly.  All distributions have their own
bash scripts to generate a keystore.

>> +             (let* ((keystore  "cacerts")
>> +                    (certs-dir (string-append (assoc-ref inputs "nss-certs")
>> +                                              "/etc/ssl/certs"))
>> +                    (keytool   (string-append (assoc-ref outputs "jdk")
>> +                                              "/bin/keytool"))
>> +                    (openssl   (which "openssl"))
>> +                    (recent    (date->time-utc (string->date "2016-1-1"
>> +                                                             "~Y-~m-~d"))))
>> +               (define (valid? cert)
>> +                 (let* ((port (open-pipe* OPEN_READ openssl
>> +                                          "x509" "-enddate" "-in" cert "-noout"))
>> +                        (str  (read-line port))
>> +                        (end  (begin (close-pipe port)
>> +                                     ;; TODO: use match?
>> +                                     (cadr (string-split str #\=)))))
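Review bot: ‘valid?’ never checks openssl’s exit status, so a .pem file that openssl cannot parse makes ‘read-line’ return the EOF object and the failure shows up as a wrong-type error from ‘string-split’ instead of a message naming the file; bind the result of ‘(close-pipe port)’ and raise ‘(error "cannot read certificate end date" cert)’ when ‘(status:exit-val …)’ is non-zero, before splitting on ‘#\=’. Minor: ‘keytool’ and ‘certs-dir’ are derived with ‘assoc-ref’ while ‘openssl’ is looked up with ‘(which "openssl")’; ‘(string-append (assoc-ref inputs "openssl") "/bin/openssl")’ keeps the three consistent and ties the phase explicitly to the native-input the commit message adds.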
>
> Why not use ‘match’, indeed.  :-)  No big deal though.
>
>> +                   (time>? (date->time-utc
>> +                            (string->date end "~b ~d ~H:~M:~S ~Y")) recent)))
>> +
>> +               (define (import-cert cert)
>> +                 (format #t "Importing certificate ~a\n" (basename cert))
>> +                 (let* ((port (open-pipe* OPEN_WRITE keytool
>> +                                          "-import"
>> +                                          "-alias" (basename cert)
>> +                                          "-keystore" keystore
>> +                                          "-storepass" "changeit"
>> +                                          "-file" cert)))
>> +                   (display "yes\n" port)
>> +                   (when (not (eqv? 0 (status:exit-val (close-pipe port))))
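Review bot: the "yes\n" written to keytool’s stdin on the ‘display’ line answers the trust prompt interactively; keytool’s ‘-noprompt’ switch makes the import non-interactive, and with no input to send the OPEN_WRITE pipe is unnecessary, so a plain ‘(zero? (system* keytool "-import" "-noprompt" "-alias" (basename cert) …))’ expresses the same step with less machinery and without relying on the prompt’s wording.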
>
> Maybe (zero? (status:exit-val …)).

Okay.

>> +                     (format (current-error-port)
>> +                             "Failed to import certificate.\n"))))
>
> Rather (error "failed to import" cert) so the process stops here.

Yes, that’s better.  I changed this for testing purposes and forgot to
change it back.

>> +               ;; This is necessary because the certificate directory contains
>> +               ;; files with non-ASCII characters in their names.
>> +               (setlocale LC_ALL "en_US.utf8")
>> +               (setenv "LC_ALL" "en_US.utf8")
>> +
>> +               (for-each import-cert
>> +                         (filter valid? (find-files certs-dir "\\.pem$")))
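Review bot: ‘keystore’ is the relative path "cacerts", so keytool writes it into the current working directory after the 'install phase, and nothing in the visible hunk copies it into the jdk output (the runtime expects it under lib/security); either that step is in an elided part of the patch or the generated keystore is never installed. Also, ‘(setlocale LC_ALL "en_US.utf8")’ raises an error if that locale is not available in the build environment, and the commit message adds only nss-certs and openssl as native-inputs, so confirm the locale exists there or guard the call.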
>
> Why do we need to filter out invalid certificates?
>
> The problem I see is that the result of ‘valid?’, and thus the output of
> the build process, depends on the build time, which isn’t great.

It actually depends on the arbitrary value of “recent”, which I set to
2016-1-1, but I must admit that I don’t know if we really must filter
out invalid certs at all.  I don’t know if it is a problem if invalid
certs are part of the keystore.  Maybe it’s not an issue.

~~ Ricardo
