02/02: gnu: libcamera: Disable signature verification.


From: guix-commits
Subject: 02/02: gnu: libcamera: Disable signature verification.
Date: Thu, 5 Sep 2024 02:39:35 -0400 (EDT)

abcdw pushed a commit to branch master
in repository guix.

commit b0e224566f2ca6b8d375c89f8d023e1b836f31e4
Author: Andrew Tropin <andrew@trop.in>
AuthorDate: Thu Sep 5 10:24:08 2024 +0400

    gnu: libcamera: Disable signature verification.
    
    Signature verification breaks when libcamera is grafted.  Running built-in
    libcamera modules via proxy is not recommended by upstream and does not always
    work.  We control the build process of all libcamera modules, so to work around
    the issue we disable signature verification.  For more information see:
    <https://issues.guix.gnu.org/72828>
    
    * gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
    * gnu/packages/networking.scm (libcamera): Disable signature verification.
    [inputs]: Remove gnutls and openssl.
    [arguments]: Remove re-sign-binaries phase.
    [source]: Add disable-signature patch.
    
    Change-Id: Icf422553c0f49b28d7997a1e818a4b8d9a6b5732
---
 gnu/local.mk                                       |  1 +
 gnu/packages/networking.scm                        | 20 ++------
 ...pa_manager-disable-signature-verification.patch | 55 ++++++++++++++++++++++
 3 files changed, 59 insertions(+), 17 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 8d8c552a4d..656d61e760 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1589,6 +1589,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/julia-SOURCE_DATE_EPOCH-mtime.patch     \
   %D%/packages/patches/julia-Use-MPFR-4.2.patch                        \
   %D%/packages/patches/libcall-ui-make-it-installable.patch    \
+  
%D%/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch 
     \
   %D%/packages/patches/libcss-check-format.patch               \
   %D%/packages/patches/libextractor-tidy-support.patch         \
   %D%/packages/patches/libftdi-fix-paths-when-FTDIPP-set.patch \
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 9facbae82d..11e92b919f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -382,6 +382,8 @@ them in order to efficiently transfer a minimal amount of 
data.")
         (git-reference
          (url "https://git.libcamera.org/libcamera/libcamera.git";)
          (commit (string-append "v" version))))
+       (patches (search-patches
+                 "libcamera-ipa_manager-disable-signature-verification.patch"))
        (file-name
         (git-file-name name version))
        (sha256
@@ -431,21 +433,7 @@ them in order to efficiently transfer a minimal amount of 
data.")
                      (mkdir-p (string-append gst "/lib"))
                      (rename-file
                       (string-append out "/lib/gstreamer-1.0")
-                      (string-append gst "/lib/gstreamer-1.0")))))
-               (add-after 'shrink-runpath 're-sign-binaries
-                 (lambda* (#:key outputs #:allow-other-keys)
-                   "Update signatures of all ipa libraries.
-
-After stipping phases signatures are not valid anymore, so it's necessary to
-re-sign."
-                   (let* ((out (assoc-ref outputs "out")))
-                     (for-each
-                      (lambda (file)
-                        (invoke
-                         "source/src/ipa/ipa-sign.sh" "src/ipa-priv-key.pem"
-                         file (string-append file ".sign")))
-                      (find-files
-                       (string-append out "/lib/libcamera") "\\.so$"))))))))
+                      (string-append gst "/lib/gstreamer-1.0"))))))))
     (native-inputs
      (list googletest
            graphviz                     ;for 'dot'
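Review bot: with the re-sign-binaries phase removed, nothing in this hunk handles the ".sign" files that the phase used to write next to each module under lib/libcamera. The removed docstring says stripping invalidates those signatures, so any ".sign" file the build still installs would be stale. Suggest confirming that none end up in the output now that the signing inputs are dropped, or deleting them in a short phase, so the package does not ship signatures that can never match and that nothing checks.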
@@ -458,11 +446,9 @@ re-sign."
      (list eudev
            glib
            gst-plugins-base
-           gnutls
            libevent
            libtiff
            libyaml
-           openssl
            python-jinja2
            python-ply
            qtbase))
diff --git 
a/gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch
 
b/gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch
new file mode 100644
index 0000000000..aa4dff3fe3
--- /dev/null
+++ 
b/gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch
@@ -0,0 +1,55 @@
+From c99706475cde3d963a17f4f8871149711ce6c467 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 4 Sep 2024 21:36:16 +0400
+Subject: [PATCH] libcamera: ipa_manager: Disable signature verification
+
+---
+ src/libcamera/ipa_manager.cpp | 28 +++++-----------------------
+ 1 file changed, 5 insertions(+), 23 deletions(-)
+
+diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
+index cfc24d38..4fd3cf3e 100644
+--- a/src/libcamera/ipa_manager.cpp
++++ b/src/libcamera/ipa_manager.cpp
+@@ -284,33 +284,15 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, 
uint32_t minVersion,
+ 
+ bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const
+ {
+-#if HAVE_IPA_PUBKEY
+-      char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");
+-      if (force && force[0] != '\0') {
+-              LOG(IPAManager, Debug)
+-                      << "Isolation of IPA module " << ipa->path()
+-                      << " forced through environment variable";
+-              return false;
+-      }
+-
+-      File file{ ipa->path() };
+-      if (!file.open(File::OpenModeFlag::ReadOnly))
+-              return false;
+-
+-      Span<uint8_t> data = file.map();
+-      if (data.empty())
+-              return false;
+-
+-      bool valid = pubKey_.verify(data, ipa->signature());
++      LOG(IPAManager, Debug)
++              << "Signature verification is disabled by Guix. "
++              << "See https://issues.guix.gnu.org/72828 for more details.";
+ 
+       LOG(IPAManager, Debug)
+               << "IPA module " << ipa->path() << " signature is "
+-              << (valid ? "valid" : "not valid");
++              << "not verified (verification skipped).";
+ 
+-      return valid;
+-#else
+-      return false;
+-#endif
++      return true;
+ }
+ 
+ } /* namespace libcamera */
+-- 
+2.45.2
+
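Review bot: in the isSignatureValid hunk of the embedded patch, the unconditional "return true" also drops the LIBCAMERA_IPA_FORCE_ISOLATION check, so a user can no longer force an IPA module into isolation through the environment. Suggest keeping that block ahead of the new log lines, returning false when the variable is set and true otherwise, so only the pubKey_.verify() step is skipped. The two Debug messages now say the same thing and could be merged into one that still prints ipa->path(). The embedded patch also has nothing between its Subject line and "---"; a sentence on why verification is disabled, with the issue link, would help whoever rebases it on the next libcamera update.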


