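{
  lib,
  stdenv,
  fetchurl,
  makeWrapper,
  perl,
  libassuan,
  libgcrypt,
  perlPackages,
  lockfileProgs,
  gnupg,
  coreutils,
  # For the tests:
  openssh,
  which,
  socat,
  cpio,
  hexdump,
  procps,
  openssl,
}:

let
  # A patch is needed to run the tests inside the Nix sandbox:
  # /etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell"
  # sshd: "User nixbld not allowed because shell /noshell does not exist"
  #
  # Because the patch weakens a login check in sshd, this build of OpenSSH is
  # only ever referenced from the check phase and is kept out of the runtime
  # closure by disallowedRequisites below.
  opensshUnsafe = openssh.overrideAttrs (oldAttrs: {
    patches = oldAttrs.patches ++ [ ./openssh-nixos-sandbox.patch ];
  });
in
stdenv.mkDerivation rec {
  pname = "monkeysphere";
  version = "0.44";

  # The patched OpenSSH binary MUST NOT be used (except in the check phase):
  # the build fails if it shows up anywhere in the closure of $out.
  disallowedRequisites = [ opensshUnsafe ];

  # Integrity of the tarball is pinned by the sha256 below, not by the
  # transport: fetchurl rejects a download whose hash does not match.
  src = fetchurl {
    url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
    sha256 = "1ah7hy8r9gj96pni8azzjb85454qky5l17m3pqn37854l6grgika";
  };

  patches = [ ./monkeysphere.patch ];

  # The script hard-codes /usr/bin/env, which does not exist in the sandbox.
  postPatch = ''
    sed -i "s,/usr/bin/env,${coreutils}/bin/env," src/share/ma/update_users
  '';

  nativeBuildInputs = [ makeWrapper ];
  buildInputs = [
    perl
    libassuan
    libgcrypt
  ]
  # Test-only dependencies. `optionals` (not `optional`) so the list is
  # spliced in flat instead of being appended as one nested list element.
  ++ lib.optionals doCheck (
    [
      gnupg
      opensshUnsafe
      which
      socat
      cpio
      hexdump
      procps
      lockfileProgs
    ]
    ++ (with perlPackages; [
      CryptOpenSSLRSA
      CryptOpenSSLBignum
    ])
  );

  makeFlags = [
    "PREFIX=/"
    "DESTDIR=$(out)"
  ];

  # The tests should be run (and succeed) when making changes to this package
  # but they aren't enabled by default because they "drain" entropy (GnuPG
  # still uses /dev/random).
  # NOTE: buildInputs and preCheck read doCheck through this `rec` set, so
  # flip the value here rather than through overrideAttrs when testing.
  doCheck = false;
  # The test harness expects FHS paths; rewrite them to store paths so the
  # sandboxed sshd and the coreutils/openssl binaries are actually found.
  preCheck = lib.optionalString doCheck ''
    patchShebangs tests/
    patchShebangs src/
    sed -i \
      -e "s,/usr/sbin/sshd,${opensshUnsafe}/bin/sshd," \
      -e "s,/bin/true,${coreutils}/bin/true," \
      -e "s,/bin/false,${coreutils}/bin/false," \
      -e "s,openssl\ req,${openssl}/bin/openssl req," \
      tests/basic
    sed -i "s/<(hd/<(hexdump/" tests/keytrans
  '';

  postFixup =
    let
      # Wrapper flags shared by every installed program: the optional Perl
      # modules on PERL5LIB and, when runtimeDeps is non-empty, the bin/
      # directories of those packages on PATH.
      wrapperArgs =
        runtimeDeps:
        "--prefix PERL5LIB : "
        + (
          with perlPackages;
          makePerlPath [
            # Optional (only required for keytrans)
            CryptOpenSSLRSA
            CryptOpenSSLBignum
          ]
        )
        + lib.optionalString (
          builtins.length runtimeDeps > 0
        ) " --prefix PATH : ${lib.makeBinPath runtimeDeps}";
      # One `wrapProgram` shell line for $out/bin/<program>.
      wrapMonkeysphere =
        runtimeDeps: program: "wrapProgram $out/bin/${program} ${wrapperArgs runtimeDeps}\n";
      # Wrap each program in `programs` with the same runtime dependencies.
      wrapPrograms = runtimeDeps: programs: lib.concatMapStrings (wrapMonkeysphere runtimeDeps) programs;
    in
    wrapPrograms [ gnupg ] [
      "monkeysphere-authentication"
      "monkeysphere-host"
    ]
    + wrapPrograms [ gnupg lockfileProgs ] [ "monkeysphere" ]
    + ''
      # These 4 programs depend on the program name ($0):
      for program in openpgp2pem openpgp2spki openpgp2ssh pem2openpgp; do
        rm $out/bin/$program
        ln -sf keytrans $out/share/monkeysphere/$program
        makeWrapper $out/share/monkeysphere/$program $out/bin/$program \
          ${wrapperArgs [ ]}
      done
    '';

  meta = with lib; {
    homepage = "http://web.monkeysphere.info/";
    description = "Leverage the OpenPGP web of trust for SSH and TLS authentication";
    longDescription = ''
      The Monkeysphere project's goal is to extend OpenPGP's web of
      trust to new areas of the Internet to help us securely identify
      servers we connect to, as well as each other while we work online.
      The suite of Monkeysphere utilities provides a framework to
      transparently leverage the web of trust for authentication of
      TLS/SSL communications through the normal use of tools you are
      familiar with, such as your web browser or secure shell.
    '';
    license = licenses.gpl3Plus;
    platforms = platforms.linux;
    maintainers = with maintainers; [ ];
  };
}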