;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2020, 2021 Marius Bakke <marius@gnu.org>
;;; Copyright © 2022 Nicolas Graves <ngraves@ngraves.fr>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu build chromium-extension)
  #:use-module (guix gexp)
  #:use-module (guix packages)
  #:use-module (gnu packages gnupg)
  #:use-module (gnu packages tls)
  #:use-module (gnu packages node-xyz)
  #:use-module (guix build-system trivial)
  #:export (make-chromium-extension))

;;; Commentary:
;;;
;;; Tools to deal with Chromium extensions.
;;;
;;; Code:

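(define (make-signing-key seed)
  "Return a derivation for a deterministic PKCS #8 private key using SEED.

The key is a pure function of SEED: SEED is hashed with SHA-256 and the
first 56 hex digits of the digest are handed to certtool's provable
(FIPS 186-4) RSA generation, so the same SEED always yields the same key.
In this module the caller passes the package name as SEED, which is public;
the key therefore offers no secrecy—anyone can regenerate it—and its purpose
is a stable, reproducible extension identity, not proof of who built the
extension.  certtool is given an empty --password, so the PKCS #8 file is
not password-protected."
  (computed-file
   (string-append seed "-signing-key.pem")
   (with-extensions (list guile-gcrypt)
     #~(begin
         (use-modules (gcrypt base16) (gcrypt hash) (ice-9 iconv))
         (let* ((sha256sum (bytevector->base16-string
                            (sha256 (string->bytevector #$seed "UTF-8"))))
                ;; certtool.c wants a 56 byte seed for a 2048 bit key.
                (key-size 2048)
                (normalized-seed (string-take sha256sum 56))
                (status (system* #$(file-append gnutls "/bin/certtool")
                                 "--generate-privkey"
                                 "--key-type=rsa"
                                 "--pkcs8"
                                 ;; Use the provable FIPS-PUB186-4 algorithm for
                                 ;; deterministic results.
                                 "--provable"
                                 "--password="
                                 "--no-text"
                                 (string-append "--bits=" (number->string key-size))
                                 (string-append "--seed=" normalized-seed)
                                 "--outfile" #$output)))
           ;; A failing certtool would otherwise only show up as a missing
           ;; build output; report the cause at the point of failure instead.
           (unless (zero? status)
             (error "certtool failed to generate the signing key" status)))))
   #:local-build? #t))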

(define* (make-crx signing-key package #:optional (package-output "out"))
  "Create a signed \".crx\" file from the unpacked Chromium extension residing
in PACKAGE-OUTPUT of PACKAGE.  The extension will be signed with SIGNING-KEY.

The build stages a copy of the extension tree in a scratch directory,
preserving modification times so the archive is reproducible, runs crx3 on
that directory and then picks up the \".crx\" crx3 writes next to it."
  (define crx-name
    (string-append (package-name package) "-" (package-version package) ".crx"))

  (computed-file
   crx-name
   (with-imported-modules '((guix build utils))
     #~(begin
         (use-modules (guix build utils))
         (let* ((crx3 #+(file-append node-crx3 "/bin/crx3"))
                (staging (string-append (getcwd) "/extension")))
           (mkdir staging)
           ;; Ensure consistent file modification times.
           (copy-recursively (ungexp package package-output) staging
                             #:keep-mtime? #t)
           (invoke crx3 "--keyPath" #$signing-key staging)
           ;; crx3 places the archive beside the directory it packed.
           (copy-file (string-append staging ".crx") #$output))))
   #:local-build? #t))

(define (crx->chromium-json crx version)
  "Return a derivation that creates a Chromium JSON settings file for the
extension given as CRX.  VERSION is used to signify the CRX version, and
must match the version listed in the extension manifest.json.

Both values are substituted verbatim with ~a—nothing is JSON-escaped—so
VERSION must not contain double quotes or backslashes (CRX lowers to a store
path, which cannot)."
  ;; See chrome/browser/extensions/external_provider_impl.cc and
  ;; extensions/common/extension.h for documentation on the JSON format.
  (define template "{
  \"external_crx\": \"~a\",
  \"external_version\": \"~a\"
}
")
  (computed-file "extension.json"
                 #~(with-output-to-file #$output
                     (lambda ()
                       (format #t #$template #$crx #$version)))
                 #:local-build? #t))


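(define (signing-key->public-der key)
  "Return a derivation for a file containing the public key of KEY in DER
format.

The DER-encoded public key is the input Chromium hashes to derive an
extension ID, so this file determines the ID under which the extension is
installed."
  (computed-file "der"
                 #~(let ((status (system* #$(file-append gnutls "/bin/certtool")
                                          "--load-privkey" #$key
                                          "--pubkey-info"
                                          "--outfile" #$output
                                          "--outder")))
                     ;; A failing certtool would otherwise only show up as a
                     ;; missing build output; report the cause explicitly.
                     (unless (zero? status)
                       (error "certtool failed to extract the public key" status)))
                 #:local-build? #t))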

(define (file-sha256sum file)
  "Return a gexp that evaluates, at build time, to the lowercase hexadecimal
SHA-256 digest of FILE.  Unlike the other helpers in this module this is not
a derivation; the gexp is meant to be spliced into another gexp with #$."
  (with-extensions (list guile-gcrypt)
    #~(begin
        (use-modules (gcrypt base16) (gcrypt hash))
        (let ((digest (file-sha256 #$file)))
          (bytevector->base16-string digest)))))

(define* (make-chromium-extension pkg #:optional (pkg-output "out"))
  "Create a Chromium extension from package PKG and return a package that,
when installed, will make the extension contained in PKG available as a
Chromium browser extension.  PKG-OUTPUT specifies which output of PKG to use.

The resulting package installs a single share/chromium/extensions/<ID>.json
file pointing at the signed .crx, where <ID> is the extension ID Chromium
derives from the signing key: the first 32 hex digits of the SHA-256 of the
DER-encoded public key, re-spelled with the letters a-p.  The key is generated
deterministically from the package name, so the ID is stable across rebuilds,
but for the same reason the signature says nothing about who built the
extension—trust rests on the store path the JSON refers to."
  (define name (package-name pkg))
  (define version (package-version pkg))

  (package
    (inherit pkg)
    (name (string-append name "-chromium"))
    (source #f)
    (native-inputs '())
    (inputs '())
    (propagated-inputs '())
    (outputs '("out"))
    (build-system trivial-build-system)
    (arguments
     (list #:modules '((guix build utils))
           #:builder
           (let* ((signing-key (make-signing-key name))
                  (public-key-der (signing-key->public-der signing-key))
                  (public-key-hash (file-sha256sum public-key-der))
                  (crx (make-crx signing-key pkg pkg-output))
                  (settings-json (crx->chromium-json crx version)))
             #~(begin
                 (use-modules (guix build utils))
                 ;; Chromium spells extension IDs with the letters a-p, one
                 ;; letter per hex digit (a=0 ... p=15).
                 (define (hex-digit->id-char digit)
                   (string-ref "abcdefghijklmnop"
                               (string-index "0123456789abcdef" digit)))
                 (define extension-id
                   (string-map hex-digit->id-char
                               (string-take #$public-key-hash 32)))
                 (define target-directory
                   (string-append #$output "/share/chromium/extensions"))
                 (mkdir-p target-directory)
                 (symlink #$settings-json
                          (string-append target-directory "/"
                                         extension-id ".json"))))))))