On 2018-10-02 23:53, [email protected] wrote:
On Tue, 2018-10-02 at 23:29 +0800, Kang Kai wrote:
On 2018-09-29 20:44, Richard Purdie wrote:
On Sat, 2018-09-29 at 13:43 +0800, [email protected] wrote:
From: Kai Kang <[email protected]>

There is a multilib install file conflict of nss:
file /etc/pki/nssdb/key4.db conflicts between attempted installs of
lib32-nss-3.38-r0.corei7_32 and nss-3.38-r0.corei7_64
Move the creation of blank certificates to pkg_postinst. And check if
certificates exist already, don't re-create them.

Signed-off-by: Kai Kang <[email protected]>
---
  meta/recipes-support/nss/nss_3.38.bb | 32 +++++++++++++++++-----------
  1 file changed, 20 insertions(+), 12 deletions(-)
This does raise a question - why aren't the generated files the same?
Is there a determinism problem here? This sounds like the image would
change with each build and couldn't be reproduced so we have a bigger
problem?
It calls certutil to create blank certificates:

certutil -N -d sql:${D}${sysconfdir}/pki/nssdb/ -f ./empty_password

It should be related to the current time; creating blank certificates in
the current directory, the key4.db files are different:

kkang@msp-lpggp1:~/buildarea/bar-build
$ touch empty
kkang@msp-lpggp1:~/buildarea/bar-build
$ ./tmp/sysroots-components/x86_64/nss-native/usr/bin/certutil -N -d sql:./ -f ./empty
password file contains no data
kkang@msp-lpggp1:~/buildarea/bar-build
$ md5sum *.db
1de1260b3f38349a8633d33acd4e4de7  cert9.db
*7fea1d4dbc99db3ba1b72e30428eb5dc  key4.db*
kkang@msp-lpggp1:~/buildarea/bar-build
$ rm *.db
kkang@msp-lpggp1:~/buildarea/bar-build
$ ./tmp/sysroots-components/x86_64/nss-native/usr/bin/certutil -N -d sql:./ -f ./empty
password file contains no data
kkang@msp-lpggp1:~/buildarea/bar-build
$ md5sum *.db
1de1260b3f38349a8633d33acd4e4de7  cert9.db
*9fbbae3e2d65d29f51e357a2dc4650a2  key4.db*
Can we generate them with a known standard time then? Is there some way
to specify that or can we add one?

The md5sums of cert9.db are the same but those of key4.db are different, so I have been checking the source code of nss, but have no conclusion yet.

Regards,
Kai


Cheers,

Richard


--
Regards,
Neil | Kai Kang

--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core