unofficial mirror of guix-patches@gnu.org 
From: Brice Waegeneire <brice@waegenei.re>
To: 49649@debbugs.gnu.org
Cc: ludo@gnu.org, me@tobias.gr
Subject: [bug#49649] [PATCH v2 2/4] gnu: wireless-regdb: Reuse 'regulatory.db' signature.
Date: Sat, 25 Dec 2021 19:44:37 +0100
Message-ID: <20211225184437.9457-1-brice@waegenei.re>
In-Reply-To: <20210719211528.22649-1-brice@waegenei.re>

Unlike 'regulatory.bin' (used by CRDA), we can't have a valid unsigned
'regulatory.db' (used by subsystem cfg80211).  So, we reuse upstream's
signature for that file and rebuild it ourselves to be sure it's
reproducible.

* gnu/packages/linux.scm (wireless-regdb)[source]: Delete file
  'regulatory.db'.
  [arguments]: Remove 'omit-signature' phase, replace 'build' phase with
  make target 'regulatory.db', add phase 'build-regulatory.bin-unsigned'
  and add 'check' phase.  Enable tests and parallel builds.  Remove
  make-flags specific to 'build-regulatory.bin-unsigned'.
  [native-inputs]: Use new format and add 'openssl'.
  [description]: Add reference to the cfg80211 linux subsystem.
---
 gnu/packages/linux.scm | 72 +++++++++++++++++++++---------------------
 1 file changed, 36 insertions(+), 36 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e2be00679f..54f2682965 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -4296,10 +4296,11 @@ (define-public wireless-regdb
               (sha256
                (base32
                 "0liagyi6ppf5w474qk9j4jz5gbvvn8mc8al1dq4b1xrgv28485ml"))
-
-              ;; We're building 'regulatory.bin' by ourselves.
+              ;; We're building 'regulatory.bin' and 'regulatory.db' by
+              ;; ourselves.
               (snippet '(begin
-                          (delete-file "regulatory.bin")
+                          (map delete-file '("regulatory.bin"
+                                             "regulatory.db"))
                           #t))))
     (build-system gnu-build-system)
     (arguments
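
Review bot: In the source snippet, (map delete-file '("regulatory.bin" "regulatory.db")) calls 'map' only for its side effects and throws away the list it builds; 'for-each' is the idiomatic form here and makes the intent clear. It is also worth a short comment saying that upstream's 'regulatory.db.p7s' is deliberately kept in the source, since the new 'check' phase depends on it while both database files are deleted.
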
@@ -4310,48 +4311,47 @@ (define-public wireless-regdb
              (substitute* "Makefile"
                (("gzip") "gzip --no-name"))
              #t))
-         (add-after 'unpack 'omit-signature
+         (replace 'build
+           (lambda* (#:key (make-flags '()) #:allow-other-keys)
+             (apply invoke "make" "regulatory.db" make-flags)))
+         (add-after 'build 'build-regulatory.bin-unsigned
+           (lambda* (#:key (make-flags '()) #:allow-other-keys)
+             (apply invoke "make" "regulatory.bin"
+                    (cons*
+                     ;; Leave this empty so that db2bin.py doesn't try to sign
+                     ;; ‘regulatory.bin’.  This allows us to avoid managing a key
+                     ;; pair for the whole distribution.
+                     "REGDB_PRIVKEY="
+                     ;; Don't generate a public key for the same reason.  These are
+                     ;; used as Makefile targets and can't be the empty string.
+                     "REGDB_PUBCERT=/dev/null"
+                     "REGDB_PUBKEY=/dev/null"
+                     make-flags))))
+         ;; We check if the 'regulatory.db' we just built is the same as the
+         ;; one that got signed by upstream.
+         (replace 'check
            (lambda _
-             (substitute* "Makefile"
-               ;; Signing requires a REGDB_PUBCERT and REGDB_PRIVKEY which we
-               ;; don't provide (see below).  Disable it.
-               ((" regulatory\\.db\\.p7s") "")
-               ;; regulatory.db is built as a dependency of regulatory.db.p7s,
-               ;; but ‘make install’ depends only on the latter while installing
-               ;; both (and failing).  Depend on it explicitly.
-               (("^install: " all) (string-append all "regulatory.db ")))
-             #t))
+             (invoke "openssl" "smime"
+                     "-verify" "-inform" "DER"
+                     "-signer" "sforshee.x509.pem"
+                     "-in" "regulatory.db.p7s" "-content" "regulatory.db"
+                     "-out" "/dev/null"
+                     "-CAfile" "sforshee.x509.pem")))
          (delete 'configure))  ; no configure script
-
-       ;; The 'all' target of the makefile depends on $(REGDB_CHANGED), which
-       ;; is computed and can be equal to 'maintainer-clean'; when that
-       ;; happens, we can end up deleting the 'regulatory.bin' file that we
-       ;; just built.  Thus, build things sequentially.
-       #:parallel-build? #f
-
-       #:tests? #f                      ; no tests
        #:make-flags
        (let ((out (assoc-ref %outputs "out")))
          (list (string-append "PREFIX=" out)
-               (string-append "FIRMWARE_PATH=$(PREFIX)/lib/firmware")
-
-               ;; Leave this empty so that db2bin.py doesn't try to sign
-               ;; ‘regulatory.bin’.  This allows us to avoid managing a key
-               ;; pair for the whole distribution.
-               (string-append "REGDB_PRIVKEY=")
-               ;; Don't generate a public key for the same reason.  These are
-               ;; used as Makefile targets and can't be the empty string.
-               (string-append "REGDB_PUBCERT=/dev/null")
-               (string-append "REGDB_PUBKEY=/dev/null")))))
-    (native-inputs
-     `(("python" ,python-wrapper)))
+               (string-append "FIRMWARE_PATH=$(PREFIX)/lib/firmware")))))
+    (native-inputs (list openssl        ; to verify signature
+                         python-wrapper))
     (home-page
      "https://wireless.wiki.kernel.org/en/developers/regulatory/wireless-regdb")
     (synopsis "Wireless regulatory database")
     (description
-     "This package contains the wireless regulatory database for the Central
-Regulatory Database Agent (CRDA).  The database contains information on
-country-specific regulations for the wireless spectrum.")
+     "This package contains the wireless regulatory database used by the Linux
+cfg80211 subsystem and the legacy Central Regulatory Database Agent (CRDA).
+The database contains information on country-specific regulations for the
+wireless spectrum.")
     (license license:isc)))
 
 (define-public lm-sensors
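
Review bot: In the replaced 'check' phase, "-signer" "sforshee.x509.pem" does not select the certificate to verify against: with 'openssl smime -verify', '-signer' names a file that the signer's certificate is written to after a successful verification, so this invocation overwrites the file it also passes as '-CAfile'. Dropping '-signer' and keeping '-CAfile' as the only trust anchor states the intent without rewriting a source file. Two further points on the same phase: 'sforshee.x509.pem' comes from the same tarball as 'regulatory.db.p7s', so the check proves that the rebuilt 'regulatory.db' is byte-identical to the file upstream signed, while authenticity of the certificate itself rests on the sha256 of the source; the comment above the phase could say so. And because the phase is a plain (lambda _ ...), it runs even when '#:tests?' is false, which is reasonable for an integrity check but deserves a note, since the package would otherwise install a 'regulatory.db' that the kernel rejects.
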
-- 
2.34.0




