[3/3] gnu: icedtea-6: Generate keystore.
Commit Message
Ricardo Wurmus <rekado@elephly.net> writes:
> Andreas Enge <andreas@enge.fr> writes:
>
>> Hello, Ricardo!
>>
>> Icedtea@1 in master now fails to build in the install-keystore phase.
>> http://hydra.gnu.org:3000/build/1309224
>> http://hydra.gnu.org:3000/build/1308950
>> Could you have a look, please?
[…]
> The keytool from icedtea@1 doesn’t like this certificate. My hunch is
> that we may need to remove comments from the certificate files, only
> leaving the certificate block.
>
> I’ll fix this as soon as I can.
Attached is an untested patch to fix this. I’m now building icedtea@1
again with this patch (on a remote machine). Not sure when I can check
on the result as I’ll be out for the most part of tomorrow.
You’re welcome to give it a try yourself! (Who knows, maybe this change
would also allow us to reinstate the phase in the latest icedtea
version?)
~~ Ricardo
Comments
On Sat, Jul 23, 2016 at 11:33:12PM +0200, Ricardo Wurmus wrote:
> You’re welcome to give it a try yourself! (Who knows, maybe this change
> would also allow us to reinstate the phase in the latest icedtea
> version?)
Unfortunately it fails for me with the following error message:
starting phase `install-keystore'
Importing certificate ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem
Backtrace:
In ice-9/boot-9.scm:
157: 17 [catch #t #<catch-closure 8c9580> ...]
In unknown file:
?: 16 [apply-smob/1 #<catch-closure 8c9580>]
In ice-9/boot-9.scm:
63: 15 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
432: 14 [eval # #]
In ice-9/boot-9.scm:
2401: 13 [save-module-excursion #<procedure 8e6880 at ice-9/boot-9.scm:4045:3 ()>]
4050: 12 [#<procedure 8e6880 at ice-9/boot-9.scm:4045:3 ()>]
1724: 11 [%start-stack load-stack #<procedure 8f97c0 at ice-9/boot-9.scm:4041:10 ()>]
1729: 10 [#<procedure 8fcc60 ()>]
In unknown file:
?: 9 [primitive-load "/gnu/store/i0322cxlmymrnxrlsnplh4894fzjbj9h-icedtea-1.13.11-guile-builder"]
In ice-9/eval.scm:
387: 8 [eval # ()]
In srfi/srfi-1.scm:
830: 7 [every1 #<procedure 16d8c60 at /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:589:9 (expr)> ...]
In /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:
593: 6 [#<procedure 16d8c60 at /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:589:9 (expr)> #]
In ice-9/eval.scm:
432: 5 [eval # #]
In ice-9/boot-9.scm:
768: 4 [for-each #<procedure 31c3a80 at ice-9/eval.scm:416:20 (a)> #]
In ice-9/eval.scm:
432: 3 [eval # #]
In ice-9/boot-9.scm:
867: 2 [call-with-input-file "/gnu/store/lp7s9x1llgw1rc675yvslxsnpcyy05ld-nss-certs-3.23/etc/ssl/certs/ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem" ...]
883: 1 [call-with-output-file #<input-output: file 11> ...]
In unknown file:
?: 0 [open-file #<input-output: file 11> "w" #:encoding #f]
ERROR: In procedure open-file:
ERROR: Wrong type (expecting string): #<input-output: file 11>
Andreas
Andreas Enge <andreas@enge.fr> writes:
> On Sat, Jul 23, 2016 at 11:33:12PM +0200, Ricardo Wurmus wrote:
>> You’re welcome to give it a try yourself! (Who knows, maybe this change
>> would also allow us to reinstate the phase in the latest icedtea
>> version?)
>
> Unfortunately it fails for me with the following error message:
>
> starting phase `install-keystore'
> Importing certificate ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem
> Backtrace:
> In ice-9/boot-9.scm:
> 157: 17 [catch #t #<catch-closure 8c9580> ...]
> In unknown file:
> ?: 16 [apply-smob/1 #<catch-closure 8c9580>]
> In ice-9/boot-9.scm:
> 63: 15 [call-with-prompt prompt0 ...]
> In ice-9/eval.scm:
> 432: 14 [eval # #]
> In ice-9/boot-9.scm:
> 2401: 13 [save-module-excursion #<procedure 8e6880 at ice-9/boot-9.scm:4045:3 ()>]
> 4050: 12 [#<procedure 8e6880 at ice-9/boot-9.scm:4045:3 ()>]
> 1724: 11 [%start-stack load-stack #<procedure 8f97c0 at ice-9/boot-9.scm:4041:10 ()>]
> 1729: 10 [#<procedure 8fcc60 ()>]
> In unknown file:
> ?: 9 [primitive-load "/gnu/store/i0322cxlmymrnxrlsnplh4894fzjbj9h-icedtea-1.13.11-guile-builder"]
> In ice-9/eval.scm:
> 387: 8 [eval # ()]
> In srfi/srfi-1.scm:
> 830: 7 [every1 #<procedure 16d8c60 at /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:589:9 (expr)> ...]
> In /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:
> 593: 6 [#<procedure 16d8c60 at /gnu/store/vs75q74qsfr3h45vkbr559p5w6fn4mw2-module-import/guix/build/gnu-build-system.scm:589:9 (expr)> #]
> In ice-9/eval.scm:
> 432: 5 [eval # #]
> In ice-9/boot-9.scm:
> 768: 4 [for-each #<procedure 31c3a80 at ice-9/eval.scm:416:20 (a)> #]
> In ice-9/eval.scm:
> 432: 3 [eval # #]
> In ice-9/boot-9.scm:
> 867: 2 [call-with-input-file "/gnu/store/lp7s9x1llgw1rc675yvslxsnpcyy05ld-nss-certs-3.23/etc/ssl/certs/ACCVRAIZ1:2.8.94.195.183.166.67.127.164.224.pem" ...]
> 883: 1 [call-with-output-file #<input-output: file 11> ...]
> In unknown file:
> ?: 0 [open-file #<input-output: file 11> "w" #:encoding #f]
>
> ERROR: In procedure open-file:
> ERROR: Wrong type (expecting string): #<input-output: file 11>
Oh, “(tmpfile)” returns a port. Changed to a string (it can be the same
temp file for each certificate), rebuilt all three icedtea packages
successfully and pushed to master as
6af691723ed6c70fc468768e1e07b19b27c6f4d8.
Thanks again for reporting this!
~~ Ricardo
On Sun, Jul 24, 2016 at 09:43:59AM +0200, Ricardo Wurmus wrote:
> Thanks again for reporting this!
Thanks for fixing it so quickly! 2 more packages out of the 700 that
currently fail :-)
Andreas
From 04cafa35d7e226843cdccaf5a3ea5a82d9dc5d3e Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <rekado@elephly.net>
Date: Sat, 23 Jul 2016 23:25:11 +0200
Subject: [PATCH] gnu: icedtea-6: Narrow file to certificate block.
* gnu/packages/java.scm (icedtea-6)[arguments]: Extract certificate
blocks from pem files before importing.
---
gnu/packages/java.scm | 39 ++++++++++++++++++++++++++++++---------
1 file changed, 30 insertions(+), 9 deletions(-)
@@ -535,17 +535,38 @@ build process and its dependencies, whereas Make uses Makefile format.")
"/etc/ssl/certs"))
(keytool (string-append (assoc-ref outputs "jdk")
"/bin/keytool")))
+ (define (extract-cert file target)
+ (call-with-input-file file
+ (lambda (in)
+ (call-with-output-file target
+ (lambda (out)
+ (let loop ((line (read-line in 'concat))
+ (copying? #f))
+ (cond
+ ((eof-object? line) #t)
+ ((string-prefix? "-----BEGIN" line)
+ (display line out)
+ (loop (read-line in 'concat) #t))
+ ((string-prefix? "-----END" line)
+ (display line out)
+ #t)
+ (else
+ (when copying? (display line out))
+ (loop (read-line in 'concat) copying?)))))))))
(define (import-cert cert)
(format #t "Importing certificate ~a\n" (basename cert))
- (let* ((port (open-pipe* OPEN_WRITE keytool
- "-import"
- "-alias" (basename cert)
- "-keystore" keystore
- "-storepass" "changeit"
- "-file" cert)))
- (display "yes\n" port)
- (when (not (zero? (status:exit-val (close-pipe port))))
- (error "failed to import" cert))))
+ (let ((temp (tmpfile)))
+ (extract-cert cert temp)
+ (let ((port (open-pipe* OPEN_WRITE keytool
+ "-import"
+ "-alias" (basename cert)
+ "-keystore" keystore
+ "-storepass" "changeit"
+ "-file" temp)))
+ (display "yes\n" port)
+ (when (not (zero? (status:exit-val (close-pipe port))))
+ (error "failed to import" cert)))
+ (delete-file temp)))
;; This is necessary because the certificate directory contains
;; files with non-ASCII characters in their names.
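Review bot: (tmpfile) in import-cert returns a port, not a file name, but temp is then used as a file name three times: extract-cert passes it to call-with-output-file, keytool receives it as the "-file" argument, and delete-file is called on it. Bind temp to a file-name string instead; the same path can serve every certificate, because call-with-output-file rewrites the file on each call. Two smaller points in the same hunk: (delete-file temp) is only reached when the import succeeds, since the (error "failed to import" cert) branch leaves the let first, so a failed import leaves the extracted file behind; and the loop in extract-cert returns at the first "-----END" line, so a .pem file holding more than one block is copied only up to the end of its first block, which deserves a comment if that is the intent.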
--
2.9.0