mirror of
https://git.savannah.gnu.org/git/guix.git
synced 2025-01-24 19:27:44 +01:00
chromium-extension: Avoid usage of gcrypt at evaluation time.
* gnu/build/chromium-extension.scm (make-signing-key): Wrap builder in with-extensions, and compute the seed checksum at build time.
This commit is contained in:
parent
173860eb41
commit
40ebf85b86
1 changed files with 23 additions and 24 deletions
|
@ -17,9 +17,6 @@
|
|||
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
(define-module (gnu build chromium-extension)
|
||||
#:use-module (gcrypt base16)
|
||||
#:use-module ((gcrypt hash) #:prefix hash:)
|
||||
#:use-module (ice-9 iconv)
|
||||
#:use-module (guix gexp)
|
||||
#:use-module (guix packages)
|
||||
#:use-module (gnu packages base)
|
||||
|
@ -39,28 +36,30 @@ (define-module (gnu build chromium-extension)
|
|||
|
||||
(define (make-signing-key seed)
|
||||
"Return a derivation for a deterministic PKCS #8 private key using SEED."
|
||||
(computed-file
|
||||
(string-append seed "-signing-key.pem")
|
||||
(with-extensions (list guile-gcrypt)
|
||||
#~(begin
|
||||
(use-modules (gcrypt base16) (gcrypt hash) (ice-9 iconv))
|
||||
(let* ((sha256sum (bytevector->base16-string
|
||||
(sha256 (string->bytevector #$seed "UTF-8"))))
|
||||
;; certtool.c wants a 56 byte seed for a 2048 bit key.
|
||||
(key-size 2048)
|
||||
(normalized-seed (string-take sha256sum 56)))
|
||||
|
||||
(define sha256sum
|
||||
(bytevector->base16-string (hash:sha256 (string->bytevector seed "UTF-8"))))
|
||||
|
||||
;; certtool.c wants a 56 byte seed for a 2048 bit key.
|
||||
(define size 2048)
|
||||
(define normalized-seed (string-take sha256sum 56))
|
||||
|
||||
(computed-file (string-append seed "-signing-key.pem")
|
||||
#~(system* #$(file-append gnutls "/bin/certtool")
|
||||
"--generate-privkey"
|
||||
"--key-type=rsa"
|
||||
"--pkcs8"
|
||||
;; Use the provable FIPS-PUB186-4 algorithm for
|
||||
;; deterministic results.
|
||||
"--provable"
|
||||
"--password="
|
||||
"--no-text"
|
||||
(string-append "--bits=" #$(number->string size))
|
||||
(string-append "--seed=" #$normalized-seed)
|
||||
"--outfile" #$output)
|
||||
#:local-build? #t))
|
||||
(system* #$(file-append gnutls "/bin/certtool")
|
||||
"--generate-privkey"
|
||||
"--key-type=rsa"
|
||||
"--pkcs8"
|
||||
;; Use the provable FIPS-PUB186-4 algorithm for
|
||||
;; deterministic results.
|
||||
"--provable"
|
||||
"--password="
|
||||
"--no-text"
|
||||
(string-append "--bits=" (number->string key-size))
|
||||
(string-append "--seed=" normalized-seed)
|
||||
"--outfile" #$output))))
|
||||
#:local-build? #t))
|
||||
|
||||
(define* (make-crx signing-key package #:optional (package-output "out"))
|
||||
"Create a signed \".crx\" file from the unpacked Chromium extension residing
|
||||
|
|
Loading…
Reference in a new issue