From: Marius Bakke
To: 44335@debbugs.gnu.org
Subject: [bug#44335] [PATCH v2 2/3] Add (gnu build chromium-extension).
Date: Mon, 02 Nov 2020 01:28:32 +0100
Message-ID: <87blggioun.fsf@gnu.org>
In-Reply-To: <20201102002228.5971-3-marius@gnu.org>
References: <20201102002228.5971-1-marius@gnu.org> <20201102002228.5971-3-marius@gnu.org>

Marius Bakke writes:

> * gnu/build/chromium-extension.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Adjust accordingly.

Errh, I accidentally sent an outdated patch. Here is the new one:

Inline patch: 0001-Add-gnu-build-chromium-extension.patch

From 7ad719df6860c2cebdcaf73be33d1c4764c4576c Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Sat, 31 Oct 2020 17:25:58 +0100
Subject: [PATCH] Add (gnu build chromium-extension).

* gnu/build/chromium-extension.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Adjust accordingly.
---
 gnu/build/chromium-extension.scm | 191 +++++++++++++++++++++++++++++++
 gnu/local.mk                     |   1 +
 2 files changed, 192 insertions(+)
 create mode 100644 gnu/build/chromium-extension.scm
diff --git a/gnu/build/chromium-extension.scm b/gnu/build/chromium-extensio= n.scm new file mode 100644 index 0000000000..665a94830c =2D-- /dev/null +++ b/gnu/build/chromium-extension.scm 
@@ -0,0 +1,191 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright =C2=A9 2020 Marius Bakke +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu build chromium-extension) + #:use-module (gcrypt base16) + #:use-module ((gcrypt hash) #:prefix hash:) + #:use-module (ice-9 iconv) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (gnu packages base) + #:use-module (gnu packages check) + #:use-module (gnu packages chromium) + #:use-module (gnu packages gnupg) + #:use-module (gnu packages tls) + #:use-module (gnu packages xorg) + #:use-module (guix build-system trivial) + #:export (make-chromium-extension)) + +;;; Commentary: +;;; +;;; Tools to deal with Chromium extensions. +;;; +;;; Code: + +(define (make-signing-key seed) + "Return a derivation for a deterministic PKCS #8 private key using SEED." + + (define sha256sum + (bytevector->base16-string (hash:sha256 (string->bytevector seed "UTF-= 8")))) + + ;; certtool.c wants a 56 byte seed for a 2048 bit key. + (define size 2048) + (define normalized-seed (string-take sha256sum 56)) + + (computed-file (string-append seed "-signing-key.pem") + #~(system* #$(file-append gnutls "/bin/certtool") + "--generate-privkey" + "--key-type=3Drsa" + "--pkcs8" + ;; Use the provable FIPS-PUB186-4 algorithm for + ;; deterministic results. 
+ "--provable" + "--password=3D" + "--no-text" + (string-append "--bits=3D" #$(number->string s= ize)) + (string-append "--seed=3D" #$normalized-seed) + "--outfile" #$output) + #:local-build? #t)) + +(define* (make-crx signing-key package #:optional (package-output "out")) + "Create a signed \".crx\" file from the unpacked Chromium extension resi= ding +in PACKAGE-OUTPUT of PACKAGE. The extension will be signed with SIGNING-K= EY." + (define name (package-name package)) + (define version (package-version package)) + + (with-imported-modules '((guix build utils)) + (computed-file + (string-append name "-" version ".crx") + #~(begin + ;; This is not great. We pull Xorg and Chromium just to Zip and + ;; sign an extension. This should be implemented with something + ;; lighter. (TODO: where is the CRXv3 documentation..?) + (use-modules (guix build utils)) + (let ((chromium #$(file-append ungoogled-chromium "/bin/chromium"= )) + (xvfb #$(file-append xorg-server "/bin/Xvfb")) + (packdir "/tmp/extension")) + (mkdir-p (dirname packdir)) + (copy-recursively (ungexp package package-output) packdir) + (system (string-append xvfb " :1 &")) + (setenv "DISPLAY" ":1") + (sleep 2) ;give Xorg some time to initialize= ... + ;; Chromium stores the current time in the .crx Zip archive. + ;; Use a fixed timestamp for deterministic behavior. + ;; FIXME (core-updates): faketime is missing an absolute refere= nce + ;; to 'date', hence the need to set PATH. + (setenv "PATH" #$(file-append coreutils "/bin")) + (invoke #$(file-append libfaketime "/bin/faketime") + "2000-01-01 00:00:00" + chromium + "--user-data-dir=3D/tmp/signing-profile" + (string-append "--pack-extension=3D" packdir) + (string-append "--pack-extension-key=3D" #$signing-key)) + (copy-file (string-append packdir ".crx") #$output))) + #:local-build? #t))) + +(define* (crx->chromium-json crx version) + "Return a derivation that creates a Chromium JSON settings file for the +extension given as CRX. 
VERSION is used to signify the CRX version, and +must match the version listed in the extension manifest.json." + ;; See chrome/browser/extensions/external_provider_impl.cc and + ;; extensions/common/extension.h for documentation on the JSON format. + (computed-file "extension.json" + #~(call-with-output-file #$output + (lambda (port) + (format port "{ + \"external_crx\": \"~a\", + \"external_version\": \"~a\" +} +" + #$crx #$version))) + #:local-build? #t)) + + +(define (signing-key->public-der key) + "Return a derivation for a file containing the public key of KEY in DER +format." + (computed-file "der" + #~(system* #$(file-append gnutls "/bin/certtool") + "--load-privkey" #$key + "--pubkey-info" + "--outfile" #$output + "--outder") + #:local-build? #t)) + +(define (chromium-json->profile-object json signing-key) + "Return a derivation that installs JSON to the directory searched by +Chromium, using a file name (aka extension ID) derived from SIGNING-KEY." + (define der (signing-key->public-der signing-key)) + + (with-extensions (list guile-gcrypt) + (with-imported-modules '((guix build utils)) + (computed-file + "chromium-extension" + #~(begin + (use-modules (guix build utils) + (gcrypt base16) + (gcrypt hash)) + (define (base16-string->chromium-base16 str) + ;; Translate STR, a hexadecimal string, to a Chromium-style + ;; representation using the letters a-p (where a=3D0, p=3D15). + (define s1 "0123456789abcdef") + (define s2 "abcdefghijklmnop") + (let loop ((chars (string->list str)) + (converted '())) + (if (null? 
chars) + (list->string (reverse converted)) + (loop (cdr chars) (cons (string-ref + s2 (string-index s1 (car chars= ))) + converted))))) + + (let* ((checksum (bytevector->base16-string (file-sha256 #$der)= )) + (file-name (base16-string->chromium-base16 + (string-take checksum 32))) + (extension-directory (string-append #$output + "/share/chromium/ext= ensions"))) + (mkdir-p extension-directory) + (symlink #$json (string-append extension-directory "/" + file-name ".json")))) + #:local-build? #t)))) + +(define* (make-chromium-extension p #:optional (output "out")) + "Create a Chromium extension from package P and return a package that, +when installed, will make the extension contained in P available as a +Chromium browser extension. OUTPUT specifies which output of P to use." + (let* ((pname (package-name p)) + (version (package-version p)) + (signing-key (make-signing-key pname))) + (package + (inherit p) + (name (string-append pname "-chromium")) + (build-system trivial-build-system) + (native-inputs '()) + (inputs + `(("extension" ,(chromium-json->profile-object + (crx->chromium-json (make-crx signing-key p output) + version) + signing-key)))) + (propagated-inputs '()) + (outputs '("out")) + (arguments + '(#:modules ((guix build utils)) + #:builder + (begin + (use-modules (guix build utils)) + (copy-recursively (assoc-ref %build-inputs "extension") + (assoc-ref %outputs "out")))))))) diff --git a/gnu/local.mk b/gnu/local.mk index 51550e80cb..e847f8c16a 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -657,6 +657,7 @@ GNU_SYSTEM_MODULES =3D \ %D%/build/accounts.scm \ %D%/build/activation.scm \ %D%/build/bootloader.scm \ + %D%/build/chromium-extension.scm \ %D%/build/cross-toolchain.scm \ %D%/build/image.scm \ %D%/build/file-systems.scm \ =2D-=20 2.28.0
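Review bot: In `make-signing-key` (the chromium-extension.scm hunk), the private key is fully determined by a public value: SEED is the package name, hashed and passed to certtool through `--seed` with `--provable`, so anyone with the package name can regenerate the same key and the .crx signature therefore says nothing about who built the extension. The docstring should state that the key exists only to give the extension a stable, reproducible ID (via `chromium-json->profile-object`), not to authenticate it. The comment `certtool.c wants a 56 byte seed for a 2048 bit key` is also misleading: `(string-take sha256sum 56)` passes 56 hex characters, which certtool decodes to a 28-byte seed, so the comment should say "56 hex characters (28 bytes)". Separately, in `make-crx` the pair `(system (string-append xvfb " :1 &"))` and `(sleep 2)` is a race against Xvfb start-up; waiting for the X socket or running chromium under xvfb-run would be more robust than a fixed delay.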