-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/networking.scm | 20 | ||||
-rw-r--r-- | gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch | 55 |
3 files changed, 59 insertions, 17 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 8d8c552a4d..656d61e760 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1589,6 +1589,7 @@ dist_patch_DATA = \ %D%/packages/patches/julia-SOURCE_DATE_EPOCH-mtime.patch \ %D%/packages/patches/julia-Use-MPFR-4.2.patch \ %D%/packages/patches/libcall-ui-make-it-installable.patch \ + %D%/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch \ %D%/packages/patches/libcss-check-format.patch \ %D%/packages/patches/libextractor-tidy-support.patch \ %D%/packages/patches/libftdi-fix-paths-when-FTDIPP-set.patch \ diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm index 9facbae82d..11e92b919f 100644 --- a/gnu/packages/networking.scm +++ b/gnu/packages/networking.scm @@ -382,6 +382,8 @@ them in order to efficiently transfer a minimal amount of data.") (git-reference (url "https://git.libcamera.org/libcamera/libcamera.git") (commit (string-append "v" version)))) + (patches (search-patches + "libcamera-ipa_manager-disable-signature-verification.patch")) (file-name (git-file-name name version)) (sha256 @@ -431,21 +433,7 @@ them in order to efficiently transfer a minimal amount of data.") (mkdir-p (string-append gst "/lib")) (rename-file (string-append out "/lib/gstreamer-1.0") - (string-append gst "/lib/gstreamer-1.0"))))) - (add-after 'shrink-runpath 're-sign-binaries - (lambda* (#:key outputs #:allow-other-keys) - "Update signatures of all ipa libraries. - -After stipping phases signatures are not valid anymore, so it's necessary to -re-sign." - (let* ((out (assoc-ref outputs "out"))) - (for-each - (lambda (file) - (invoke - "source/src/ipa/ipa-sign.sh" "src/ipa-priv-key.pem" - file (string-append file ".sign"))) - (find-files - (string-append out "/lib/libcamera") "\\.so$")))))))) + (string-append gst "/lib/gstreamer-1.0")))))))) (native-inputs (list googletest graphviz ;for 'dot' 
@@ -458,11 +446,9 @@ re-sign." (list eudev glib gst-plugins-base - gnutls libevent libtiff libyaml - openssl python-jinja2 python-ply qtbase)) diff --git a/gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch b/gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch new file mode 100644 index 0000000000..aa4dff3fe3 --- /dev/null +++ b/gnu/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch 
@@ -0,0 +1,55 @@
+From c99706475cde3d963a17f4f8871149711ce6c467 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 4 Sep 2024 21:36:16 +0400
+Subject: [PATCH] libcamera: ipa_manager: Disable signature verification
+
+---
+ src/libcamera/ipa_manager.cpp | 28 +++++----------------------
+ 1 file changed, 5 insertions(+), 23 deletions(-)
+
+diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
+index cfc24d38..4fd3cf3e 100644
+--- a/src/libcamera/ipa_manager.cpp
++++ b/src/libcamera/ipa_manager.cpp
+@@ -284,33 +284,15 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion,
+
+ bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const
+ {
+-#if HAVE_IPA_PUBKEY
+- char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");
+- if (force && force[0] != '\0') {
+- LOG(IPAManager, Debug)
+- << "Isolation of IPA module " << ipa->path()
+- << " forced through environment variable";
+- return false;
+- }
+-
+- File file{ ipa->path() };
+- if (!file.open(File::OpenModeFlag::ReadOnly))
+- return false;
+-
+- Span<uint8_t> data = file.map();
+- if (data.empty())
+- return false;
+-
+- bool valid = pubKey_.verify(data, ipa->signature());
++ LOG(IPAManager, Debug)
++ << "Signature verification is disabled by Guix. "
++ << "See https://issues.guix.gnu.org/72828 for more details.";
+
+ LOG(IPAManager, Debug)
+ << "IPA module " << ipa->path() << " signature is "
+- << (valid ? "valid" : "not valid");
++ << "not verified (verification skipped).";
+
+- return valid;
+-#else
+- return false;
+-#endif
++ return true;
+ }
+
+ } /* namespace libcamera */
+--
+2.45.2
+
|
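Review bot: `IPAManager::isSignatureValid()` now ends in an unconditional `return true;`, and the removed block took the `LIBCAMERA_IPA_FORCE_ISOLATION` check with it, so a user can no longer ask for isolation. Judging by the removed log text, returning `false` is what sends a module to the isolated path, so after this patch every IPA module libcamera locates is presumably treated as trusted, signed or not. I would keep the opt-in ahead of the return, `char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");` followed by `if (force && force[0] != '\0') return false;`, and add a comment above `return true;` stating the assumption that makes skipping verification acceptable (for example that modules only come from the store; confirm against the linked issue). The two `Debug` messages are easy to miss; a higher log level would make the disabled check visible in normal logs.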