Hi,
I believe I have a fix for this, I'm just waiting on my machine to hurry
up and confirm it, might end up running over night, then I'll send my
patch up.
I'm doing two native builds and two cross-builds.
I've also updated to 3.99.
Kind regards,
Christina
On 25/04/2024 15:06, Christina O'Donnell wrote:
Hi Steve,
It would be good to confirm this one:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=40316
Still fails to reproduce with those changes applied.
The culprit is in nss/cmd/shlibsign/shlibsign.c:
shlibSignHMAC generates a new key-pair each time it's run:
/* Generate a DSA key pair */
logIt("Generate an HMAC key ... \n");
crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
hmacKeyTemplate,
PR_ARRAY_SIZE(hmacKeyTemplate),
&hHMACKey);
Three options:
1. Disable library signing entirely.
2. Seed the generation to be deterministic.
3. Drop in a HMAC key-pair and patch the code to use that instead of
generating.
2 and 3 defeat the point of the cryptographically secure supply chain
as the private key can be obtained deterministically, so my vote would
be simply to not sign the libraries (1), which would be easier to
maintain. We're not the primary distributor and users can verify our
distribution of nss by running `guix challenge` anyway.
It looks like Zhen Junjie applied two patches to fix NSS
cross-compilation on Master [0]
Building everything cross-compiled to ARM now.
Kind regards,
Christina