authorMarius Bakke <marius@gnu.org>2021-12-16 19:05:27 +0100
committerMarius Bakke <marius@gnu.org>2021-12-16 22:21:13 +0100
commit40ebf85b865cb942c2551bfdc2ca3065eb3d9186 (patch)
treec1233140ee16c96ac2ad2451e9896d1830f17b17
parent173860eb41102c5af2cfdc0404808075d5a5ff3a (diff)
chromium-extension: Avoid usage of gcrypt at evaluation time.
* gnu/build/chromium-extension.scm (make-signing-key): Wrap builder in with-extensions, and compute the seed checksum at build time.
-rw-r--r--gnu/build/chromium-extension.scm47
1 files changed, 23 insertions, 24 deletions
diff --git a/gnu/build/chromium-extension.scm b/gnu/build/chromium-extension.scm
index fb157127d5..5bda8f84ce 100644
--- a/gnu/build/chromium-extension.scm
+++ b/gnu/build/chromium-extension.scm
@@ -17,9 +17,6 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu build chromium-extension)
- #:use-module (gcrypt base16)
- #:use-module ((gcrypt hash) #:prefix hash:)
- #:use-module (ice-9 iconv)
#:use-module (guix gexp)
#:use-module (guix packages)
#:use-module (gnu packages base)
@@ -39,28 +36,30 @@
(define (make-signing-key seed)
"Return a derivation for a deterministic PKCS #8 private key using SEED."
+ (computed-file
+ (string-append seed "-signing-key.pem")
+ (with-extensions (list guile-gcrypt)
+ #~(begin
+ (use-modules (gcrypt base16) (gcrypt hash) (ice-9 iconv))
+ (let* ((sha256sum (bytevector->base16-string
+ (sha256 (string->bytevector #$seed "UTF-8"))))
+ ;; certtool.c wants a 56 byte seed for a 2048 bit key.
+ (key-size 2048)
+ (normalized-seed (string-take sha256sum 56)))
- (define sha256sum
- (bytevector->base16-string (hash:sha256 (string->bytevector seed "UTF-8"))))
-
- ;; certtool.c wants a 56 byte seed for a 2048 bit key.
- (define size 2048)
- (define normalized-seed (string-take sha256sum 56))
-
- (computed-file (string-append seed "-signing-key.pem")
- #~(system* #$(file-append gnutls "/bin/certtool")
- "--generate-privkey"
- "--key-type=rsa"
- "--pkcs8"
- ;; Use the provable FIPS-PUB186-4 algorithm for
- ;; deterministic results.
- "--provable"
- "--password="
- "--no-text"
- (string-append "--bits=" #$(number->string size))
- (string-append "--seed=" #$normalized-seed)
- "--outfile" #$output)
- #:local-build? #t))
+ (system* #$(file-append gnutls "/bin/certtool")
+ "--generate-privkey"
+ "--key-type=rsa"
+ "--pkcs8"
+ ;; Use the provable FIPS-PUB186-4 algorithm for
+ ;; deterministic results.
+ "--provable"
+ "--password="
+ "--no-text"
+ (string-append "--bits=" (number->string key-size))
+ (string-append "--seed=" normalized-seed)
+ "--outfile" #$output))))
+ #:local-build? #t))
(define* (make-crx signing-key package #:optional (package-output "out"))
"Create a signed \".crx\" file from the unpacked Chromium extension residing