commit fb0ddd9186170fe297e2274c01ee410d79874f9f · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

fork atom

libcamera: fix binary reproduciblity

Jörg Thalheim 2 years ago fb0ddd91 f2c7ecb8

+45 -13

2 changed files

expand all

unified split

pkgs

by-name

libcamera

ipa-priv-key.pem

package.nix

+28

pkgs/by-name/li/libcamera/ipa-priv-key.pem

··· 1 + -----BEGIN PRIVATE KEY----- 2 + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCocmtyzPPjv+52 3 + JiZrpZFfaZ0eeUgugc8gV+0+2Q9GEkl/xxqjiDVg31gBO3iwQov2NmGuPbXr+vwZ 4 + QcUqNQakmmdi22tBaTtd6hMuhu9OfbP8sIFaf0dToZRHkPgf63+WCF6w0O9enEz4 5 + zjW3kPa1eVRVekiYCXGML/VhN+h5WwWouNWgEOw5JH39ZuGmhsGN5XekkHtyMkwq 6 + Vr+JodoSizhYs9VBYNA1J4PlyiS4BYr4pLiLffzPwRjcSS777x33g+nWNr1lsFxB 7 + nDoVvVnq0E7fiXxlmCtAr/7dv0Ug5ixuNfZ9yoT0f+mfUiG/anmfodHujIm2Db37 8 + jvmfxaq1AgMBAAECggEAFhJKBHSY92xod0g37A55fiZFTV8oZ1mgdXU386522yBd 9 + y5Wf5rIcBmm1axHrFjNeCgClq3JQEk/kdP3Ccy2YBXzq04/7HYrHmd5oLYZGOINt 10 + kExjYqN/SdTH7FmxPWN66AKIP8RcvQmfZ1GDxd4DiZNQitO3S96e53bIQPkVp8Lg 11 + GfK6LQCdOGimD00wvRoeqbV0PWGGVMfx+KvD5hxKYolyi/hNUxToD28qCAoMlMTi 12 + yL+17q3nIYZvUmL0k7d64U+lXF8ov3cVXNJzAzFi41MXZ2Xqk3Lj+IhNweUhlOyn 13 + fTo8QntNlirNL/XmtJ+5mPbGufE/6zsSNOf2Cyz2aQKBgQDio/tA3tFBzOz31hox 14 + gW6NKarhp7e5R3XHQjZPmQXKq2lGCTBN+LzwCLYDa+ZWkS+cel/xSbkUFl0dopCu 15 + 7uGrSvmVAv+l1k879WHsYmLlDjJSa8WmDtVQ0SJr70X9UJmD2BivWnTnzrpZFu2A 16 + Nv57gvebJTI4tLfAAyIfbg8gOQKBgQC+RJRv8/jVha/4sPonQYvpH0scS0Xzwca6 17 + xd23e+vULBpk7IVzMbVGJEDdfWXVJeAO++FSQcgTJA38nfYm2XRPZAProliLaW8o 18 + XVhhhWbXP7Jc8BmL5zyfDaLOXNFBX2kfr/oKeOoQ+0dRDlWKlarw1SxC+RT6i2qQ 19 + YETgXHKmXQKBgGk8mWsqy2HRZOtDqE/6eLnlciprtVy7+M14Sj21oUHVTAGwPJTH 20 + /fs7IEEAdikWK1RuYmRoxh60r7IWDTadR35BRxjRFqILnCkMLNcVbDRN3kH1NwZ/ 21 + dr+bDG+v4ADazx2wVu39g7Erhc3eXpOddZcmXhDVObeo+nWXPt33PeDJAoGBAJ4v 22 + +FVnuo8Tee1Cfogat87W5KSedIcnqSjpjt+Y2MXq8PrNplnSjwrE42UCd6KRvcnX 23 + Ykr4Q/ad+D75uYgtLMVAuv2yWPl3bCJcETnrJkh5PbqFKEgntT/rn1sA0j0OrSDa 24 + NwFz6+64a1+ZkkcJDjjykr0Px4BSXwOv9jOuyOdFAoGADZEADOLX5y4utxboe1M0 25 + UnaFKGEDE6H8qdRJQ9bSvEwJI142al02CvnvqvP4cpd8rKOCRs9nSXFJFXCedTLy 26 + ojSVfjTyJMTVJxab/c/Qugkxb/TqGfEnZF2yoTsfPYp2pXRd6DvyKlDQzlSOj933 27 + FrqeSe1QKapuPRsujVwLZDU= 28 + -----END PRIVATE KEY-----

+17 -13

pkgs/by-name/li/libcamera/package.nix

··· 1 1 { stdenv 2 2 , fetchgit 3 3 , lib 4 - , fetchpatch 5 4 , meson 6 5 , ninja 7 6 , pkg-config ··· 33 32 hash = "sha256-x0Im9m9MoACJhQKorMI34YQ+/bd62NdAPc2nWwaJAvM="; 34 33 }; 35 34 36 - outputs = [ "out" "dev" "doc" ]; 35 + outputs = [ "out" "dev" ]; 37 36 38 37 postPatch = '' 39 38 patchShebangs utils/ 39 + ''; 40 + 41 + # libcamera signs the IPA module libraries at install time, but they are then 42 + # modified by stripping and RPATH fixup. Therefore, we need to generate the 43 + # signatures again ourselves. For reproducibility, we use a static private key. 44 + # 45 + # If this is not done, libcamera will still try to load them, but it will 46 + # isolate them in separate processes, which can cause crashes for IPA modules 47 + # that are not designed for this (notably ipa_rpi.so). 48 + preBuild = '' 49 + ninja src/ipa-priv-key.pem 50 + install -D ${./ipa-priv-key.pem} src/ipa-priv-key.pem 40 51 ''; 41 52 42 53 strictDeps = true; ··· 86 97 # Avoid blanket -Werror to evade build failures on less 87 98 # tested compilers. 88 99 "-Dwerror=false" 100 + # Documentation breaks binary compatibility. 101 + # Given that upstream also provides public documentation, 102 + # we can disable it here. 103 + "-Ddocumentation=disabled" 89 104 ]; 90 105 91 106 # Fixes error on a deprecated declaration ··· 93 108 94 109 # Silence fontconfig warnings about missing config 95 110 FONTCONFIG_FILE = makeFontsConf { fontDirectories = [ ]; }; 96 - 97 - # libcamera signs the IPA module libraries at install time, but they are then 98 - # modified by stripping and RPATH fixup. Therefore, we need to generate the 99 - # signatures again ourselves. 100 - # 101 - # If this is not done, libcamera will still try to load them, but it will 102 - # isolate them in separate processes, which can cause crashes for IPA modules 103 - # that are not designed for this (notably ipa_rpi.so). 104 - postFixup = '' 105 - ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so 106 - ''; 107 111 108 112 meta = with lib; { 109 113 description = "An open source camera stack and framework for Linux, Android, and ChromeOS";