On 2018-10-02 23:53, [email protected] wrote:
On Tue, 2018-10-02 at 23:29 +0800, Kang Kai wrote:
On 2018-09-29 20:44, Richard Purdie wrote:
On Sat, 2018-09-29 at 13:43 +0800, [email protected] wrote:
From: Kai Kang <[email protected]>
There is a multilib install file conflict of nss:
file /etc/pki/nssdb/key4.db conflicts between attempted installs of lib32-nss-3.38-r0.corei7_32 and nss-3.38-r0.corei7_64
Move the creation of blank certificates to pkg_postinst. And check if certificates exist already, don't re-create them.
Signed-off-by: Kai Kang <[email protected]>
---
meta/recipes-support/nss/nss_3.38.bb | 32 +++++++++++++++++-----------
1 file changed, 20 insertions(+), 12 deletions(-)
This does raise a question - why aren't the generated files the same?
Is there a determinism problem here? This sounds like the image would change with each build and couldn't be reproduced so we have a bigger problem?
It calls certutil to create blank certificates:
certutil -N -d sql:${D}${sysconfdir}/pki/nssdb/ -f ./empty_password
It should be related to the current time. If I create blank certificates in the current directory, the key4.db files are different:
kkang@msp-lpggp1:~/buildarea/bar-build
$ touch empty
kkang@msp-lpggp1:~/buildarea/bar-build
$ ./tmp/sysroots-components/x86_64/nss-native/usr/bin/certutil -N -d sql:./ -f ./empty
password file contains no data
kkang@msp-lpggp1:~/buildarea/bar-build
$ md5sum *.db
1de1260b3f38349a8633d33acd4e4de7 cert9.db
*7fea1d4dbc99db3ba1b72e30428eb5dc key4.db*
kkang@msp-lpggp1:~/buildarea/bar-build
$ rm *.db
kkang@msp-lpggp1:~/buildarea/bar-build
$ ./tmp/sysroots-components/x86_64/nss-native/usr/bin/certutil -N -d sql:./ -f ./empty
password file contains no data
kkang@msp-lpggp1:~/buildarea/bar-build
$ md5sum *.db
1de1260b3f38349a8633d33acd4e4de7 cert9.db
*9fbbae3e2d65d29f51e357a2dc4650a2 key4.db*
Can we generate them with a known standard time then? Is there some way
to specify that or can we add one?
Unfortunately there is no such option for certutil when creating new databases.
Fedora provides pre-created blank database files. If providing blank db files is OK, I'll verify it for all archs.
Regards,
Kai
Cheers,
Richard
--
Regards,
Neil | Kai Kang
--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
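
One way to automate the determinism check done by hand in the thread, as an added example (not code from the patch or from the OpenEmbedded project): run a generator twice into clean directories and list the files that differ. The helper names are hypothetical, `fake_dbgen` is a constructed stand-in that does not call NSS, and `real_dbgen` assumes `certutil` on PATH and an empty file `./empty`.

```shell
#!/bin/sh
# Added example: detect generated files that are not reproducible between runs.

# nondeterministic_outputs CMD [ARGS...]
# Calls "CMD ARGS... <output-dir>" twice with fresh directories and prints the
# name of every file that is missing from one run or differs byte for byte.
nondeterministic_outputs() {
    a=$(mktemp -d) || return 2
    b=$(mktemp -d) || { rm -rf "$a"; return 2; }
    "$@" "$a" >/dev/null 2>&1 || { rm -rf "$a" "$b"; return 2; }
    "$@" "$b" >/dev/null 2>&1 || { rm -rf "$a" "$b"; return 2; }
    # Union of the file names from both runs, compared pairwise.
    { ls -A "$a"; ls -A "$b"; } | sort -u | while IFS= read -r name; do
        cmp -s "$a/$name" "$b/$name" 2>/dev/null || printf '%s\n' "$name"
    done
    rm -rf "$a" "$b"
}

# Constructed stand-in for the certutil call in the thread: cert9.db is fixed,
# key4.db gets fresh random bytes on every run, mirroring the md5sum results
# shown above. It only imitates that behaviour.
fake_dbgen() {
    printf 'constructed cert9 contents\n' > "$1/cert9.db"
    dd if=/dev/urandom of="$1/key4.db" bs=32 count=1 2>/dev/null
}

# Real generator, using the command line from the thread (assumption: certutil
# is on PATH and ./empty exists). Defined here but not called.
real_dbgen() {
    certutil -N -d "sql:$1" -f ./empty
}

# Demo with the constructed stand-in.
nondeterministic_outputs fake_dbgen
```

To check an actual NSS build, call `nondeterministic_outputs real_dbgen`; any file name it prints would differ between two otherwise identical package builds.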