Ricardo Wurmus <ricardo.wur...@mdc-berlin.de> wrote:

> From: Ricardo Wurmus <rek...@elephly.net>
>
> * gnu/packages/java.scm (icedtea-6)[arguments]: Add phase
> "install-keystore".
> [native-inputs]: Add nss-certs and openssl.
[...] > + (add-after 'install 'install-keystore > + (lambda* (#:key inputs outputs #:allow-other-keys) Could you add a comment to explain what’s going on here? Too bad IcedTea’s build system doesn’t take care of that. > + (let* ((keystore "cacerts") > + (certs-dir (string-append (assoc-ref inputs "nss-certs") > + "/etc/ssl/certs")) > + (keytool (string-append (assoc-ref outputs "jdk") > + "/bin/keytool")) > + (openssl (which "openssl")) > + (recent (date->time-utc (string->date "2016-1-1" > + "~Y-~m-~d")))) > + (define (valid? cert) > + (let* ((port (open-pipe* OPEN_READ openssl > + "x509" "-enddate" "-in" cert > "-noout")) > + (str (read-line port)) > + (end (begin (close-pipe port) > + ;; TODO: use match? > + (cadr (string-split str #\=))))) Why not use ‘match’, indeed. :-) No big deal though. > + (time>? (date->time-utc > + (string->date end "~b ~d ~H:~M:~S ~Y")) recent))) > + > + (define (import-cert cert) > + (format #t "Importing certificate ~a\n" (basename cert)) > + (let* ((port (open-pipe* OPEN_WRITE keytool > + "-import" > + "-alias" (basename cert) > + "-keystore" keystore > + "-storepass" "changeit" > + "-file" cert))) > + (display "yes\n" port) > + (when (not (eqv? 0 (status:exit-val (close-pipe port)))) Maybe (zero? (status:exit-val …)). > + (format (current-error-port) > + "Failed to import certificate.\n")))) Rather (error "failed to import" cert) so the process stops here. > + ;; This is necessary because the certificate directory > contains > + ;; files with non-ASCII characters in their names. > + (setlocale LC_ALL "en_US.utf8") > + (setenv "LC_ALL" "en_US.utf8") > + > + (for-each import-cert > + (filter valid? (find-files certs-dir "\\.pem$"))) Why do we need to filter out invalid certificates? The problem I see is that the result of ‘valid?’, and thus the output of the build process, depends on the build time, which isn’t great. I would prefer to unconditionally install all the certificates if that doesn’t cause any problems. WDYT?
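Review bot: `keystore` is bound to the bare name "cacerts", so `keytool -import ... -keystore cacerts` writes the store into whatever the current directory happens to be when the 'install-keystore phase runs; bind it to an absolute path under the "jdk" output (the location the JDK reads its cacerts from), or copy the finished file there at the end of the phase, so the imported certificates actually end up in the installed JDK. Writing "yes\n" into the pipe to answer keytool's "Trust this certificate?" prompt can be replaced by passing keytool's `-noprompt` option, which removes the interactive step altogether. The phase also calls `open-pipe*`, `read-line` and `string->date`, so check that the package's `#:modules` includes `(ice-9 popen)`, `(ice-9 rdelim)` and `(srfi srfi-19)`; and since `setlocale` raises an error when the requested locale is unavailable, make sure "en_US.utf8" is actually present in the build environment.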
Thank you for working on it! Ludo’.