Hi Steve,
It would be good to confirm this one:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=40316
Still fails to reproduce with those changes applied.
The culprit is in nss/cmd/shlibsign/shlibsign.c:
shlibSignHMAC generates a new key-pair each time it's run:
/* Generate a DSA key pair */
logIt("Generate an HMAC key ... \n");
crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
hmacKeyTemplate,
PR_ARRAY_SIZE(hmacKeyTemplate),
&hHMACKey);
Three options:
1. Disable library signing entirely.
2. Seed the generation to be deterministic.
3. Drop in a HMAC key-pair and patch the code to use that instead of
generating.
2 and 3 defeat the point of the cryptographically secure supply chain as
the private key can be obtained deterministically, so my vote would be
simply to not sign the libraries (1), which would be easier to
maintain. We're not the primary distributor and users can verify our
distribution of nss by running `guix challenge` anyway.
It looks like Zhen Junjie applied two patches to fix NSS cross-compilation on
Master [0]
Building everything cross-compiled to ARM now.
Kind regards,
Christina
