gnu: libcamera: Disable signature verification.

Signature verification breaks, when libcamera is grafted.  Running built-in
libcamera modules via proxy is not recommended by upstream and not always
work.  We control the build process of all libcamera modules, so to workaround
the issue we disable signature verification.  For more information see:
<https://issues.guix.gnu.org/72828>

* gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/networking.scm (libcamera): Disable signature verification.
[inputs]: Remove gnutls and openssl.
[arguments]: Remove re-sign-binaries phase.
[source]: Add disable-signature patch.

Change-Id: Icf422553c0f49b28d7997a1e818a4b8d9a6b5732

3 files changed, 59 insertions, 17 deletions

diff --git a/gnu/local.mk b/gnu/local.mk
index 8d8c552a4d..656d61e760 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1589,6 +1589,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/julia-SOURCE_DATE_EPOCH-mtime.patch	\
   %D%/packages/patches/julia-Use-MPFR-4.2.patch	                \
   %D%/packages/patches/libcall-ui-make-it-installable.patch	\
+  %D%/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch	\
   %D%/packages/patches/libcss-check-format.patch		\
   %D%/packages/patches/libextractor-tidy-support.patch		\
   %D%/packages/patches/libftdi-fix-paths-when-FTDIPP-set.patch	\
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 9facbae82d..11e92b919f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -382,6 +382,8 @@ them in order to efficiently transfer a minimal amount of data.")
         (git-reference
          (url "https://git.libcamera.org/libcamera/libcamera.git")
          (commit (string-append "v" version))))
+       (patches (search-patches
+                 "libcamera-ipa_manager-disable-signature-verification.patch"))
        (file-name
         (git-file-name name version))
        (sha256
@@ -431,21 +433,7 @@ them in order to efficiently transfer a minimal amount of data.")
                      (mkdir-p (string-append gst "/lib"))
                      (rename-file
                       (string-append out "/lib/gstreamer-1.0")
-                      (string-append gst "/lib/gstreamer-1.0")))))
-               (add-after 'shrink-runpath 're-sign-binaries
-                 (lambda* (#:key outputs #:allow-other-keys)
-                   "Update signatures of all ipa libraries.
-
-After stipping phases signatures are not valid anymore, so it's necessary to
-re-sign."
-                   (let* ((out (assoc-ref outputs "out")))
-                     (for-each
-                      (lambda (file)
-                        (invoke
-                         "source/src/ipa/ipa-sign.sh" "src/ipa-priv-key.pem"
-                         file (string-append file ".sign")))
-                      (find-files
-                       (string-append out "/lib/libcamera") "\\.so$"))))))))
+                      (string-append gst "/lib/gstreamer-1.0"))))))))
     (native-inputs
      (list googletest
            graphviz                     ;for 'dot'
@@ -458,11 +446,9 @@ re-sign."
      (list eudev
            glib
            gst-plugins-base
-           gnutls
            libevent
            libtiff
            libyaml
-           openssl
            python-jinja2
            python-ply
            qtbase))
diff --git a/gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch b/gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch
new file mode 100644
index 0000000000..aa4dff3fe3
--- /dev/null
+++ b/gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch
@@ -0,0 +1,55 @@
+From c99706475cde3d963a17f4f8871149711ce6c467 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 4 Sep 2024 21:36:16 +0400
+Subject: [PATCH] libcamera: ipa_manager: Disable signature verification
+
+---
+ src/libcamera/ipa_manager.cpp | 28 +++++-----------------------
+ 1 file changed, 5 insertions(+), 23 deletions(-)
+
+diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
+index cfc24d38..4fd3cf3e 100644
+--- a/src/libcamera/ipa_manager.cpp
++++ b/src/libcamera/ipa_manager.cpp
+@@ -284,33 +284,15 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion,
+ 
+ bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const
+ {
+-#if HAVE_IPA_PUBKEY
+-	char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");
+-	if (force && force[0] != '\0') {
+-		LOG(IPAManager, Debug)
+-			<< "Isolation of IPA module " << ipa->path()
+-			<< " forced through environment variable";
+-		return false;
+-	}
+-
+-	File file{ ipa->path() };
+-	if (!file.open(File::OpenModeFlag::ReadOnly))
+-		return false;
+-
+-	Span<uint8_t> data = file.map();
+-	if (data.empty())
+-		return false;
+-
+-	bool valid = pubKey_.verify(data, ipa->signature());
++	LOG(IPAManager, Debug)
++		<< "Signature verification is disabled by Guix. "
++		<< "See https://issues.guix.gnu.org/72828 for more details.";
+ 
+ 	LOG(IPAManager, Debug)
+ 		<< "IPA module " << ipa->path() << " signature is "
+-		<< (valid ? "valid" : "not valid");
++		<< "not verified (verification skipped).";
+ 
+-	return valid;
+-#else
+-	return false;
+-#endif
++	return true;
+ }
+ 
+ } /* namespace libcamera */
+-- 
+2.45.2
+