From: Christina O'Donnell
To: 40316@debbugs.gnu.org
Cc: guix-devel@gnu.org, Steve George
Subject: Re: nss not reproducible
Date: Thu, 25 Apr 2024 18:01:42 +0100
Message-ID: <714bd3eb-76ed-2159-9761-f8614a1b164a@mutix.org>
In-Reply-To: <2dc99b59-cb76-f822-f2ce-027f523bb682@mutix.org>
References: <451a97f9-0e16-c1b3-8884-52420e265db3@mutix.org> <2dc99b59-cb76-f822-f2ce-027f523bb682@mutix.org>
List-Id: "Development of GNU Guix and the GNU System distribution." (guix-devel@gnu.org)

Hi,

I believe I have a fix for this; I'm just waiting on my machine to hurry up and confirm it. It might end up running overnight, then I'll send my patch up.

I'm doing two native builds and two cross-builds. I've also updated to 3.99.

Kind regards,
Christina

On 25/04/2024 15:06, Christina O'Donnell wrote:
> Hi Steve,
>
>> It would be good to confirm this one:
>>
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=40316
>
> Still fails to reproduce with those changes applied.
>
> The culprit is in nss/cmd/shlibsign/shlibsign.c:
>
> shlibSignHMAC generates a new key-pair each time it's run:
>
>     /* Generate a DSA key pair */
>     logIt("Generate an HMAC key ... \n");
>     crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
>                                        hmacKeyTemplate,
>                                        PR_ARRAY_SIZE(hmacKeyTemplate),
>                                        &hHMACKey);
>
> Three options:
>  1. Disable library signing entirely.
>  2. Seed the generation to be deterministic.
>  3. Drop in a HMAC key-pair and patch the code to use that instead of
> generating.
>
> 2 and 3 defeat the point of the cryptographically secure supply chain
> as the private key can be obtained deterministically, so my vote would
> be simply to not sign the libraries (1), which would be easier to
> maintain. We're not the primary distributor and users can verify our
> distribution of nss by running `guix challenge` anyway.
>
>> It looks like Zhen Junjie applied two patches to fix NSS
>> cross-compilation on Master [0]
>
> Building everything cross-compiled to ARM now.
>
> Kind regards,
>
> Christina
>
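The trade-off the quoted message describes (a fresh HMAC key per run makes the signing output non-reproducible; a seeded or dropped-in key makes it reproducible but lets anyone who knows the seed re-sign whatever they like) can be shown with a small model. The following is an added illustration, not code from NSS, shlibsign or Guix: the library bytes are constructed, HMAC-SHA256 stands in for whatever mechanism shlibsign uses, the seed-to-key derivation is a demo KDF, and the dict that holds the key next to the MAC is an assumption of this model, not a statement about the layout of NSS's check files.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed stand-in for the bytes of a shared library (not a real NSS build).
LIBRARY = b"\x7fELF constructed libnss3.so stand-in: " + bytes(range(64))


def derive_key_from_seed(seed: bytes) -> bytes:
    """Option 2 from the thread: a key derived deterministically from a build
    seed. Demo KDF only; the real patch would have to pick something."""
    return hashlib.sha256(b"shlibsign-demo-seed:" + seed).digest()


def sign_library(library: bytes, key: Optional[bytes] = None) -> dict:
    """Model of the signing step: HMAC-SHA256 over the library bytes.

    key=None generates a fresh random key, mirroring what C_GenerateKey does
    on every run. The returned dict plays the role of the check file; keeping
    the key beside the MAC is an assumption of this demo (the verifier needs
    *some* key, and this keeps the example self-contained)."""
    if key is None:
        key = secrets.token_bytes(32)
    mac = hmac.new(key, library, hashlib.sha256).digest()
    return {"key": key, "mac": mac}


def verify_library(library: bytes, chk: dict) -> bool:
    """Recompute the MAC with the recorded key and compare in constant time."""
    expected = hmac.new(chk["key"], library, hashlib.sha256).digest()
    return hmac.compare_digest(expected, chk["mac"])


def reproducible(signer: Callable[[], dict]) -> bool:
    """Two independent 'builds' of the same input: identical artefacts?"""
    return signer() == signer()


def random_key_is_reproducible() -> bool:
    """Fresh key per run: the check file differs between builds."""
    return reproducible(lambda: sign_library(LIBRARY))


def seeded_key_is_reproducible(seed: bytes = b"guix-build-seed") -> bool:
    """Seeded key: bit-identical check file on every build."""
    return reproducible(lambda: sign_library(LIBRARY, derive_key_from_seed(seed)))


def tampered_library_passes_with_known_key(seed: bytes = b"guix-build-seed") -> bool:
    """Why options 2 and 3 defeat the purpose: the seed (or dropped-in key) is
    public, so anyone can modify the library, re-derive the key, re-sign, and
    the modified library verifies cleanly. No access to the original check
    file is needed."""
    tampered = LIBRARY + b"\x90\x90\x90\x90"  # constructed modification
    forged = sign_library(tampered, derive_key_from_seed(seed))
    return verify_library(tampered, forged)


def unmodified_check_rejects_tamper() -> bool:
    """Sanity check of the model: a check file does catch changes to the
    library it was produced for."""
    chk = sign_library(LIBRARY)
    return not verify_library(LIBRARY + b"\x90", chk)


if __name__ == "__main__":
    print("random key reproducible:", random_key_is_reproducible())
    print("seeded key reproducible:", seeded_key_is_reproducible())
    print("tampered lib verifies with seed-derived key:",
          tampered_library_passes_with_known_key())
    print("check file rejects tamper:", unmodified_check_rejects_tamper())
```

The first two functions are the reproducibility half of the argument (option 1 avoids the problem by producing no check file at all); the third is the security half, showing that a deterministic key is exactly as good as no key to anyone who knows how it was derived, which is the reason the message gives for preferring to drop the signing step and rely on `guix challenge` instead.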