From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id oNyxA3VRn18PDQAA0tVLHw (envelope-from ) for ; Mon, 02 Nov 2020 00:23:17 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id SK0LO3RRn1+iVAAAB5/wlQ (envelope-from ) for ; Mon, 02 Nov 2020 00:23:16 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 57ED29404C9 for ; Mon, 2 Nov 2020 00:23:16 +0000 (UTC) Received: from localhost ([::1]:60946 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kZNcx-0008GZ-3o for larch@yhetil.org; Sun, 01 Nov 2020 19:23:15 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:36192) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kZNcl-0008G2-W4 for guix-patches@gnu.org; Sun, 01 Nov 2020 19:23:04 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:55729) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1kZNcl-00030H-Mp for guix-patches@gnu.org; Sun, 01 Nov 2020 19:23:03 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1kZNcl-0004nS-Jr for guix-patches@gnu.org; Sun, 01 Nov 2020 19:23:03 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#44335] [PATCH v2 2/3] Add (gnu build chromium-extension). Resent-From: Marius Bakke Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Mon, 02 Nov 2020 00:23:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 44335 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 44335@debbugs.gnu.org Received: via spool by 44335-submit@debbugs.gnu.org id=B44335.160427657318373 (code B ref 44335); Mon, 02 Nov 2020 00:23:03 +0000 Received: (at 44335) by debbugs.gnu.org; 2 Nov 2020 00:22:53 +0000 Received: from localhost ([127.0.0.1]:39035 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kZNcZ-0004m9-GL for submit@debbugs.gnu.org; Sun, 01 Nov 2020 19:22:53 -0500 Received: from eggs.gnu.org ([209.51.188.92]:36034) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kZNcO-0004lG-61 for 44335@debbugs.gnu.org; Sun, 01 Nov 2020 19:22:45 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]:35374) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kZNcI-0002yE-Vt for 44335@debbugs.gnu.org; Sun, 01 Nov 2020 19:22:34 -0500 Received: from host-37-191-236-253.lynet.no ([37.191.236.253]:46728 helo=localhost) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kZNcI-00077X-E5 for 44335@debbugs.gnu.org; Sun, 01 Nov 2020 19:22:34 -0500 From: Marius Bakke Date: Mon, 2 Nov 2020 01:22:27 +0100 Message-Id: <20201102002228.5971-3-marius@gnu.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201102002228.5971-1-marius@gnu.org> References: <20201102002228.5971-1-marius@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Spam-Score: -3.3 (---) X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Scanner: ns3122888.ip-94-23-21.eu Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Spam-Score: -0.51 X-TUID: oMP5YuYJmtdY * gnu/build/chromium-extension.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Adjust accordingly. --- gnu/build/chromium-extension.scm | 192 +++++++++++++++++++++++++++++++ gnu/local.mk | 1 + 2 files changed, 193 insertions(+) create mode 100644 gnu/build/chromium-extension.scm diff --git a/gnu/build/chromium-extension.scm b/gnu/build/chromium-extension.scm new file mode 100644 index 0000000000..35f49d788c --- /dev/null +++ b/gnu/build/chromium-extension.scm @@ -0,0 +1,192 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2020 Marius Bakke +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu build chromium-extension) + #:use-module (gcrypt base16) + #:use-module ((gcrypt hash) #:prefix hash:) + #:use-module (ice-9 iconv) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (gnu packages base) + #:use-module (gnu packages check) + #:use-module (gnu packages chromium) + #:use-module (gnu packages gnupg) + #:use-module (gnu packages tls) + #:use-module (gnu packages xorg) + #:use-module (guix build-system trivial) + #:export (make-chromium-extension)) + +;;; Commentary: +;;; +;;; Tools to deal with Chromium extensions. +;;; +;;; Code: + +(define (make-signing-key seed) + "Return a derivation for a deterministic PKCS #8 private key using SEED." + + (define sha256sum + (bytevector->base16-string (hash:sha256 (string->bytevector seed "UTF-8")))) + + ;; certtool.c wants a 56 byte seed for a 2048 bit key. + (define size 2048) + (define normalized-seed (string-take sha256sum 56)) + + (computed-file (string-append seed "-signing-key.pem") + #~(system* #$(file-append gnutls "/bin/certtool") + "--generate-privkey" + "--key-type=rsa" + "--pkcs8" + ;; Use the provable FIPS-PUB186-4 algorithm for + ;; deterministic results. + "--provable" + "--password=" + "--no-text" + (string-append "--bits=" #$(number->string size)) + (string-append "--seed=" #$normalized-seed) + "--outfile" #$output) + #:local-build? #t)) + +(define* (make-crx package+output signing-key) + "Create a signed \".crx\" file from the unpacked Chromium extension residing +in PACKAGE+OUTPUT, a (list package output) pair. The extension will be signed +with SIGNING-KEY." + (with-imported-modules '((guix build utils)) + (computed-file + "chromium-extension.crx" + #~(begin + ;; This is not great. We pull Xorg and Chromium just to Zip and + ;; sign an extension. This should be implemented with something + ;; lighter. (TODO: where is the documentation..?) + (use-modules (guix build utils)) + (let ((chromium #$(file-append ungoogled-chromium "/bin/chromium")) + (xvfb #$(file-append xorg-server "/bin/Xvfb")) + (packdir "/tmp/extension")) + (mkdir-p (dirname packdir)) + (copy-recursively (ungexp (car package+output) (cadr package+output)) + packdir) + (system (string-append xvfb " :1 &")) + (setenv "DISPLAY" ":1") + (sleep 2) ;give Xorg some time to initialize... + ;; Chromium stores the current time in the .crx Zip archive. + ;; Sidestep that by using "faketime" for determinism. + ;; FIXME (core-updates): faketime is missing an absolute reference + ;; to 'date', hence the need to set PATH. + (setenv "PATH" #$(file-append coreutils "/bin")) + (invoke #$(file-append libfaketime "/bin/faketime") + "2000-01-01 00:00:00" + chromium + "--user-data-dir=/tmp/signing-profile" + (string-append "--pack-extension=" packdir) + (string-append "--pack-extension-key=" #$signing-key)) + (copy-file (string-append packdir ".crx") #$output))) + #:local-build? #t))) + +(define* (crx->chromium-json crx version) + "Return a derivation that creates a Chromium JSON settings file for the +unpacked extension residing in output PACKAGE-OUTPUT of PACKAGE." + (computed-file "extension.json" + #~(call-with-output-file #$output + (lambda (port) + ;; Documentation for the JSON format can be found in + ;; extensions/common/extension.h and + ;; chrome/browser/extensions/external_provider_impl.cc. + (format port " +{ + \"external_crx\": \"~a\", + \"external_version\": \"~a\" +} +" + #$crx #$version))) + #:local-build? #t)) + + +(define (signing-key->public-der key) + "Return a derivation for a file containing the public key of KEY in DER +format." + (computed-file "der" + #~(system* #$(file-append gnutls "/bin/certtool") + "--load-privkey" #$key + "--pubkey-info" + "--outfile" #$output + "--outder") + #:local-build? #t)) + +(define (chromium-json->profile-object json signing-key) + "Return a derivation that installs JSON to the directory searched by +Chromium, using a file name (aka extension ID) derived from SIGNING-KEY." + (define der (signing-key->public-der signing-key)) + + (with-extensions (list guile-gcrypt) + (with-imported-modules '((guix build utils)) + (computed-file + "chromium-extension.json" + #~(begin + (use-modules (guix build utils) + (gcrypt base16) + (gcrypt hash)) + (define (base16-string->chromium-base16 str) + ;; Translate STR, a hexadecimal string, to a Chromium-style + ;; representation using the letters a-p (where a=0, p=15). + (define s1 "0123456789abcdef") + (define s2 "abcdefghijklmnop") + (let loop ((chars (string->list str)) + (converted '())) + (if (null? chars) + (list->string (reverse converted)) + (loop (cdr chars) (cons (string-ref + s2 (string-index s1 (car chars))) + converted))))) + + (let* ((checksum (bytevector->base16-string (file-sha256 #$der))) + (file-name (base16-string->chromium-base16 + (string-take checksum 32))) + (extension-directory (string-append #$output + "/share/chromium/extensions"))) + (mkdir-p extension-directory) + (symlink #$json (string-append extension-directory "/" + file-name ".json")))) + #:local-build? #t)))) + +(define* (make-chromium-extension p #:optional (output "out")) + "Create a Chromium extension from package P and return a package that, +when installed, will make the extension contained in P available as a +Chromium browser extension. OUTPUT specifies which output of P to use." + (let* ((pname (package-name p)) + (version (package-version p)) + (signing-key (make-signing-key pname))) + (package + (inherit p) + (name (string-append pname "-chromium")) + (build-system trivial-build-system) + (native-inputs '()) + (inputs + `(("extension" ,(chromium-json->profile-object + (crx->chromium-json (make-crx (list p output) + signing-key) + version) + signing-key)))) + (propagated-inputs '()) + (outputs '("out")) + (arguments + '(#:modules ((guix build utils)) + #:builder + (begin + (use-modules (guix build utils)) + (copy-recursively (assoc-ref %build-inputs "extension") + (assoc-ref %outputs "out")))))))) diff --git a/gnu/local.mk b/gnu/local.mk index 51550e80cb..e847f8c16a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -657,6 +657,7 @@ GNU_SYSTEM_MODULES = \ %D%/build/accounts.scm \ %D%/build/activation.scm \ %D%/build/bootloader.scm \ + %D%/build/chromium-extension.scm \ %D%/build/cross-toolchain.scm \ %D%/build/image.scm \ %D%/build/file-systems.scm \ -- 2.28.0