gnu: libcamera: Disable signature verification.

Signature verification breaks, when libcamera is grafted. Running built-in libcamera modules via proxy is not recommended by upstream and not always work. We control the build process of all libcamera modules, so to workaround the issue we disable signature verification. For more information see: <https://issues.guix.gnu.org/72828> * gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/networking.scm (libcamera): Disable signature verification. [inputs]: Remove gnutls and openssl. [arguments]: Remove re-sign-binaries phase. [source]: Add disable-signature patch. Change-Id: Icf422553c0f49b28d7997a1e818a4b8d9a6b5732
2024-09-05 10:24:08 +04:00 · 2024-09-05 10:24:08 +04:00 · b0e224566f
commit b0e224566f
parent 0b95de9b3b
3 changed files with 59 additions and 17 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -1589,6 +1589,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/julia-SOURCE_DATE_EPOCH-mtime.patch	\
  %D%/packages/patches/julia-Use-MPFR-4.2.patch	                \
  %D%/packages/patches/libcall-ui-make-it-installable.patch	\
+  %D%/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch	\
  %D%/packages/patches/libcss-check-format.patch		\
  %D%/packages/patches/libextractor-tidy-support.patch		\
  %D%/packages/patches/libftdi-fix-paths-when-FTDIPP-set.patch	\
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@ -382,6 +382,8 @@ them in order to efficiently transfer a minimal amount of data.")
        (git-reference
         (url "https://git.libcamera.org/libcamera/libcamera.git")
         (commit (string-append "v" version))))
+       (patches (search-patches
+                 "libcamera-ipa_manager-disable-signature-verification.patch"))
       (file-name
        (git-file-name name version))
       (sha256
@ -431,21 +433,7 @@ them in order to efficiently transfer a minimal amount of data.")
                     (mkdir-p (string-append gst "/lib"))
                     (rename-file
                      (string-append out "/lib/gstreamer-1.0")
-                      (string-append gst "/lib/gstreamer-1.0")))))
-               (add-after 'shrink-runpath 're-sign-binaries
-                 (lambda* (#:key outputs #:allow-other-keys)
-                   "Update signatures of all ipa libraries.
-
-After stipping phases signatures are not valid anymore, so it's necessary to
-re-sign."
-                   (let* ((out (assoc-ref outputs "out")))
-                     (for-each
-                      (lambda (file)
-                        (invoke
-                         "source/src/ipa/ipa-sign.sh" "src/ipa-priv-key.pem"
-                         file (string-append file ".sign")))
-                      (find-files
-                       (string-append out "/lib/libcamera") "\\.so$"))))))))
+                      (string-append gst "/lib/gstreamer-1.0"))))))))
    (native-inputs
     (list googletest
           graphviz                     ;for 'dot'
@ -458,11 +446,9 @@ re-sign."
     (list eudev
           glib
           gst-plugins-base
-           gnutls
           libevent
           libtiff
           libyaml
-           openssl
           python-jinja2
           python-ply
           qtbase))
--- a/gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch
+++ b/gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch
@ -0,0 +1,55 @@
+From c99706475cde3d963a17f4f8871149711ce6c467 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 4 Sep 2024 21:36:16 +0400
+Subject: [PATCH] libcamera: ipa_manager: Disable signature verification
+
+---
+ src/libcamera/ipa_manager.cpp | 28 +++++-----------------------
+ 1 file changed, 5 insertions(+), 23 deletions(-)
+
+diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
+index cfc24d38..4fd3cf3e 100644
+--- a/src/libcamera/ipa_manager.cpp
+++ b/src/libcamera/ipa_manager.cpp
+@@ -284,33 +284,15 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion,
+ 
+ bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const
+ {
+-#if HAVE_IPA_PUBKEY
+-	char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");
+-	if (force && force[0] != '\0') {
+-		LOG(IPAManager, Debug)
+-			<< "Isolation of IPA module " << ipa->path()
+-			<< " forced through environment variable";
+-		return false;
+-	}
+-
+-	File file{ ipa->path() };
+-	if (!file.open(File::OpenModeFlag::ReadOnly))
+-		return false;
+-
+-	Span<uint8_t> data = file.map();
+-	if (data.empty())
+-		return false;
+-
+-	bool valid = pubKey_.verify(data, ipa->signature());
+	LOG(IPAManager, Debug)
+		<< "Signature verification is disabled by Guix. "
+		<< "See https://issues.guix.gnu.org/72828 for more details.";
+ 
+ 	LOG(IPAManager, Debug)
+ 		<< "IPA module " << ipa->path() << " signature is "
+-		<< (valid ? "valid" : "not valid");
+		<< "not verified (verification skipped).";
+ 
+-	return valid;
+-#else
+-	return false;
+-#endif
+	return true;
+ }
+ 
+ } /* namespace libcamera */
+-- 
+2.45.2
+