[OE-core] [PATCH 05/10] nss: move create blank certificates to pkg_postinst

richard.purdie at linuxfoundation.org
Tue Oct 2 15:53:01 UTC 2018


On Tue, 2018-10-02 at 23:29 +0800, Kang Kai wrote:
> On 2018-09-29 20:44, Richard Purdie wrote:
> > On Sat, 2018-09-29 at 13:43 +0800, kai.kang at windriver.com wrote:
> > > From: Kai Kang <kai.kang at windriver.com>
> > > 
> > > There is a multilib install file conflict of nss:
> > > > file /etc/pki/nssdb/key4.db conflicts between attempted installs of lib32-nss-3.38-r0.corei7_32 and nss-3.38-r0.corei7_64
> > > 
> > > Move the creation of blank certificates to pkg_postinst. And check if
> > > certificates exist already, don't re-create them.
> > > 
> > > Signed-off-by: Kai Kang <kai.kang at windriver.com>
> > > ---
> > >  meta/recipes-support/nss/nss_3.38.bb | 32 +++++++++++++++++-----------
> > >  1 file changed, 20 insertions(+), 12 deletions(-)
> > 
> > This does raise a question - why aren't the generated files the same?
> > Is there a determinism problem here? This sounds like the image would
> > change with each build and couldn't be reproduced so we have a bigger
> > problem?
>  
> It calls certutil to create blank certificates: 
> 
> certutil -N -d sql:${D}${sysconfdir}/pki/nssdb/ -f ./empty_password
> 
> It should be related to the current time. Creating blank certificates in the
> current directory gives different key4.db files:
> 
> kkang at msp-lpggp1:~/buildarea/bar-build
> $ touch empty
> kkang at msp-lpggp1:~/buildarea/bar-build
> $ ./tmp/sysroots-components/x86_64/nss-native/usr/bin/certutil -N -d sql:./ -f ./empty
> password file contains no data
> kkang at msp-lpggp1:~/buildarea/bar-build
> $ md5sum *.db
> 1de1260b3f38349a8633d33acd4e4de7  cert9.db
> *7fea1d4dbc99db3ba1b72e30428eb5dc  key4.db*
> kkang at msp-lpggp1:~/buildarea/bar-build
> $ rm *.db
> kkang at msp-lpggp1:~/buildarea/bar-build
> $ ./tmp/sysroots-components/x86_64/nss-native/usr/bin/certutil -N -d sql:./ -f ./empty
> password file contains no data
> kkang at msp-lpggp1:~/buildarea/bar-build
> $ md5sum *.db
> 1de1260b3f38349a8633d33acd4e4de7  cert9.db
> *9fbbae3e2d65d29f51e357a2dc4650a2  key4.db*

Can we generate them with a known standard time then? Is there some way
to specify that or can we add one?

Cheers,

Richard
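
The run-twice-and-compare check shown in the quoted session, generalised to any generator command, as an added example that is not part of the thread or of OE-core. `nondeterministic_files` and `demo_generator` are hypothetical names, and the stand-in generator is constructed so the script runs without NSS installed.

```shell
#!/bin/sh
# Added example: run a generator twice in clean scratch directories and
# list the output files whose bytes differ between the two runs.

# nondeterministic_files CMD [ARGS...]
# CMD runs with the scratch directory as its working directory, so pass
# an absolute path (or a name on PATH) for the command and its inputs.
# Only top-level files are compared; one differing name is printed per line.
nondeterministic_files() {
    ndf_a=$(mktemp -d) || return 2
    ndf_b=$(mktemp -d) || return 2
    ( cd "$ndf_a" && "$@" ) >/dev/null 2>&1
    ( cd "$ndf_b" && "$@" ) >/dev/null 2>&1
    # Union of the file names produced by both runs.
    ( cd "$ndf_a" && ls -A; cd "$ndf_b" && ls -A ) | sort -u |
    while IFS= read -r ndf_f; do
        # cmp -s also fails when a file exists in only one run.
        if ! cmp -s "$ndf_a/$ndf_f" "$ndf_b/$ndf_f"; then
            printf '%s\n' "$ndf_f"
        fi
    done
    rm -rf "$ndf_a" "$ndf_b"
}

# Constructed stand-in for the generator in the thread: one file with
# fixed content and one seeded from /dev/urandom. It is not NSS and only
# mimics the observed behaviour (cert9.db stable, key4.db changing).
demo_generator() {
    printf 'fixed schema\n' > cert9.db
    od -An -N16 -tx1 /dev/urandom > key4.db
}

# With certutil on PATH (assumption), the command from the thread would be
# checked the same way, using an absolute path for the password file:
#   touch "$PWD/empty"
#   nondeterministic_files certutil -N -d sql:./ -f "$PWD/empty"

nondeterministic_files demo_generator
```

Any file name printed is an output that would differ between two builds of the same recipe.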


