[OE-core] [PATCH 05/10] nss: move create blank certificates to pkg_postinst

Kang Kai Kai.Kang at windriver.com
Thu Oct 11 07:55:53 UTC 2018


On 2018-10-02 23:53, richard.purdie at linuxfoundation.org wrote:
> On Tue, 2018-10-02 at 23:29 +0800, Kang Kai wrote:
>> On 2018-09-29 20:44, Richard Purdie wrote:
>>> On Sat, 2018-09-29 at 13:43 +0800, kai.kang at windriver.com wrote:
>>>> From: Kai Kang <kai.kang at windriver.com>
>>>>
>>>> There is a multilib install file conflict of nss:
>>>>> file /etc/pki/nssdb/key4.db conflicts between attempted
>>>>> installs of
>>>>> lib32-nss-3.38-r0.corei7_32 and nss-3.38-r0.corei7_64
>>>> Move the creation of blank certificates to pkg_postinst. And
>>>> check if
>>>> certificates exist already, don't re-create them.
>>>>
>>>> Signed-off-by: Kai Kang <kai.kang at windriver.com>
>>>> ---
>>>>   meta/recipes-support/nss/nss_3.38.bb | 32 +++++++++++++++++-----
>>>> ----
>>>> --
>>>>   1 file changed, 20 insertions(+), 12 deletions(-)
>>> This does raise a question - why aren't the generated files the
>>> same?
>>> Is there a determinism problem here? This sounds like the image
>>> would
>>> change with each build and couldn't be reproduced so we have a
>>> bigger
>>> problem?
>>   
>> It calls certutil to create blank certificates:
>>
>> certutil -N -d sql:${D}${sysconfdir}/pki/nssdb/ -f ./empty_password
>>
>> It should be related to the current time. Creating blank certificates in
>> the current directory, the key4.db files are different:
>>
>> kkang at msp-lpggp1:~/buildarea/bar-build
>> $ touch empty
>> kkang at msp-lpggp1:~/buildarea/bar-build
>> $ ./tmp/sysroots-components/x86_64/nss-native/usr/bin/certutil -N -d
>> sql:./ -f ./empty
>> password file contains no data
>> kkang at msp-lpggp1:~/buildarea/bar-build
>> $ md5sum *.db
>> 1de1260b3f38349a8633d33acd4e4de7  cert9.db
>> *7fea1d4dbc99db3ba1b72e30428eb5dc  key4.db*
>> kkang at msp-lpggp1:~/buildarea/bar-build
>> $ rm *.db
>> kkang at msp-lpggp1:~/buildarea/bar-build
>> $ ./tmp/sysroots-components/x86_64/nss-native/usr/bin/certutil -N -d
>> sql:./ -f ./empty
>> password file contains no data
>> kkang at msp-lpggp1:~/buildarea/bar-build
>> $ md5sum *.db
>> 1de1260b3f38349a8633d33acd4e4de7  cert9.db
>> *9fbbae3e2d65d29f51e357a2dc4650a2  key4.db*
> Can we generate them with a known standard time then? Is there some way
> to specify that or can we add one?

Unfortunately there is no such option for certutil when creating new
databases.

Fedora provides pre-created blank database files. If providing
blank db files is OK, I'll verify it for all archs.

Regards,
Kai


>
> Cheers,
>
> Richard
>

-- 
Regards,
Neil | Kai Kang
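
The two-run comparison from the quoted session, generalized to any generator so it reports which output files are not reproducible. This is an added example, not part of the original thread or the nss recipe; the function names and the constructed stand-in generators are assumptions.

```shell
#!/bin/sh
# Added example: find which generated files differ between two identical runs.

# Print a file's SHA-256, or MISSING if it does not exist.
file_digest() {
    if [ -f "$1" ]; then sha256sum < "$1" | cut -d' ' -f1; else echo MISSING; fi
}

# nondeterministic_outputs GENERATOR
# Runs GENERATOR (a command or shell function taking no arguments) in two
# fresh directories and prints the name of every top-level output file whose
# digest differs. Returns 0 if all match, 1 if any differ, 2 on failure.
# Assumes output file names contain no whitespace.
nondeterministic_outputs() {
    gen=$1
    run_a=$(mktemp -d) || return 2
    run_b=$(mktemp -d) || { rm -rf "$run_a"; return 2; }
    status=0
    for dir in "$run_a" "$run_b"; do
        ( cd "$dir" && "$gen" ) </dev/null >/dev/null 2>&1 || status=2
    done
    if [ "$status" -eq 0 ]; then
        for name in $( { ls -A "$run_a"; ls -A "$run_b"; } | sort -u ); do
            if [ "$(file_digest "$run_a/$name")" != "$(file_digest "$run_b/$name")" ]; then
                echo "$name"
                status=1
            fi
        done
    fi
    rm -rf "$run_a" "$run_b"
    return "$status"
}

# The generator from the thread; needs certutil on PATH.
gen_nssdb() { : > empty; certutil -N -d sql:./ -f ./empty; }

# Constructed stand-ins so the example runs without certutil.
gen_fixed()  { printf 'blank' > cert9.db; printf 'blank' > key4.db; }
gen_random() { printf 'blank' > cert9.db; head -c 16 /dev/urandom > key4.db; }

nondeterministic_outputs gen_fixed  && echo "gen_fixed: reproducible"
nondeterministic_outputs gen_random || echo "gen_random: not reproducible"
```

On a host with certutil installed, `nondeterministic_outputs gen_nssdb` repeats the check from the session above.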



