[INFO ONLY] official openssl discussion

aus9

[INFO ONLY] official openssl discussion

Post#1 by aus9 » 20 Nov 2015, 07:34

Note: I am not a part of the dev team. I will ask for this post to be archived or deleted at a certain point in time.

This is a continuation of 2 other posts, namcap and abs, in the nemesis forum. Before I can change things or get things changed for ca-certificates, we begin with a simpler build partially related to ca-certificates. It's my learning curve, but I am trying to pass on what little or great knowledge I have.

OK, let's begin.

Research
1) abs post read it please if interested
viewtopic.php?f=137&t=5235
2) namcap read it please if interested
viewtopic.php?f=137&t=5233

OK, here is the official PKGBUILD for openssl:
# $Id: PKGBUILD 241910 2015-07-09 14:57:09Z foutrelis $
# Maintainer: Pierre Schmitz <pierre@archlinux.de>

pkgname=openssl
_ver=1.0.2d
# use a pacman compatible version scheme
pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
#pkgver=$_ver
pkgrel=1
pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
arch=('i686' 'x86_64')
url='https://www.openssl.org'
license=('custom:BSD')
depends=('zlib' 'perl')
optdepends=('ca-certificates')
options=('!makeflags')
backup=('etc/ssl/openssl.cnf')
source=("https://www.openssl.org/source/${pkgnam ... er}.tar.gz"
        "https://www.openssl.org/source/${pkgnam ... tar.gz.asc"
        'no-rpath.patch'
        'ca-dir.patch')
md5sums=('38dd619b2e77cbac69b99f52a053d25a'
         'SKIP'
         'dc78d3d06baffc16217519242ce92478'
         '3bf51be3a1bbd262be46dc619f92aa90')
validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491')

prepare() {
  cd $srcdir/$pkgname-$_ver

  # remove rpath: http://bugs.archlinux.org/task/14367
  patch -p0 -i $srcdir/no-rpath.patch
  # set ca dir to /etc/ssl by default
  patch -p0 -i $srcdir/ca-dir.patch
}

build() {
  cd $srcdir/$pkgname-$_ver

  if [ "${CARCH}" == 'x86_64' ]; then
    openssltarget='linux-x86_64'
    optflags='enable-ec_nistp_64_gcc_128'
  elif [ "${CARCH}" == 'i686' ]; then
    openssltarget='linux-elf'
    optflags=''
  fi

  # mark stack as non-executable: http://bugs.archlinux.org/task/12434
  ./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
    shared zlib ${optflags} \
    "${openssltarget}" \
    "-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}"

  make depend
  make
}

check() {
  cd $srcdir/$pkgname-$_ver
  # the test fails due to missing write permissions in /etc/ssl
  # revert this patch for make test
  patch -p0 -R -i $srcdir/ca-dir.patch
  make test
  patch -p0 -i $srcdir/ca-dir.patch
}

package() {
  cd $srcdir/$pkgname-$_ver
  make INSTALL_PREFIX=$pkgdir MANDIR=/usr/share/man MANSUFFIX=ssl install
  install -D -m644 LICENSE $pkgdir/usr/share/licenses/$pkgname/LICENSE
}
The downstream maintainer also has 2 other files:
no-rpath.patch
--- Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200
+++ Makefile.shared 2005-11-16 22:35:37.000000000 +0100
@@ -153,7 +153,7 @@
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"

-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
+DO_GNU_APP=LDFLAGS="$(CFLAGS)"

#This is rather special. It's a special target with which one can link
#applications without bothering with any features that have anything to
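Review bot: the hunk is complete as posted: the `@@ -153,7 +153,7 @@` header announces seven lines per side, and three leading context lines, the `-DO_GNU_APP=`/`+DO_GNU_APP=` pair and three trailing context lines are all present, so the comment that stops at `#applications without bothering with any features that have anything to` is simply the last context line, not a truncated download. Dropping `-Wl,-rpath,$(LIBRPATH)` from DO_GNU_APP is the right call for a distro package: a baked-in rpath is searched before the system library directories, so the installed apps would otherwise stay pinned to whatever $(LIBRPATH) pointed at during the build rather than to the packaged libraries in /usr/lib.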
^^ The file seems incomplete, but is that because I had a download error, as mentioned in the abs post?
EDIT: on makepkg, looking at the file in /tmp, this is how it really is; just badly finished bottom sentences.

and ca-dir.patch:
--- apps/CA.pl.in 2006-04-28 02:30:49.000000000 +0200
+++ apps/CA.pl.in 2010-04-01 00:35:02.600553509 +0200
@@ -53,7 +53,7 @@
$X509="$openssl x509";
$PKCS12="$openssl pkcs12";

-$CATOP="./demoCA";
+$CATOP="/etc/ssl";
$CAKEY="cakey.pem";
$CAREQ="careq.pem";
$CACERT="cacert.pem";
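Review bot: changing `$CATOP` from `./demoCA` to `/etc/ssl` makes CA.pl keep its CA state, including the private key named by `$CAKEY="cakey.pem"`, under a system directory instead of the working directory, which is exactly why the PKGBUILD's check() has to `patch -p0 -R` this patch before `make test` and re-apply it afterwards; that coupling deserves a comment next to the hunk (or in check()) so it survives the next rebase. Unlike the CA.sh hunk below, this Perl version also leaves no way to override `$CATOP` from the environment.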
--- apps/CA.sh 2009-10-15 19:27:47.000000000 +0200
+++ apps/CA.sh 2010-04-01 00:35:02.600553509 +0200
@@ -68,7 +68,7 @@
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"

-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
+if [ -z "$CATOP" ] ; then CATOP=/etc/ssl ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
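Review bot: `if [ -z "$CATOP" ] ; then CATOP=/etc/ssl ; fi` keeps an environment override for the shell front-end while the CA.pl.in hunk hard-codes `$CATOP="/etc/ssl"`, so the two tools no longer behave the same; either give CA.pl.in an equivalent `$ENV{CATOP}` fallback or document that only CA.sh honours the variable. Note also that `CAKEY=./cakey.pem`, `CAREQ=./careq.pem` and `CACERT=./cacert.pem` stay relative to the current directory here, so only the top-level CA directory has moved.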
--- apps/openssl.cnf 2009-04-04 20:09:43.000000000 +0200
+++ apps/openssl.cnf 2010-04-01 00:35:02.607220681 +0200
@@ -39,7 +39,7 @@
####################################################################
[ CA_default ]

-dir = ./demoCA # Where everything is kept
+dir = /etc/ssl # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
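Review bot: with `dir = /etc/ssl` every derived path in `[ CA_default ]` (`$dir/certs`, `$dir/crl`, `$dir/index.txt`) now lives under /etc/ssl, so any `openssl ca` run against the packaged openssl.cnf needs write access there, and because the PKGBUILD lists `etc/ssl/openssl.cnf` in backup=() this default persists across upgrades; that is worth stating in the package's notes rather than leaving it to the `# Where everything is kept` comment. The hunk is consistent with the other two (same /etc/ssl target) and its context lines match the header count.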
Post is getting a bit long, so more to follow.

aus9

Re: official openssl discussion

Post#2 by aus9 » 20 Nov 2015, 08:03

At the time of writing I am testing a Nemesis build and using the cheatcode without changes=,
so as root I need to do this to update my ca-certs:


update-ca-trust
I copy those 3 files to /tmp and run:


guest /tmp $ namcap -i PKGBUILD 
(output below)
PKGBUILD (openssl) W: Reference to x86_64 should be changed to $CARCH
PKGBUILD (openssl) I: Missing Contributor tag
We know that I(nfo) can be ignored, but W(arnings) should be looked at more closely. Because we are (planning on) building on Nemesis, we don't yet have a profile or environment set to export CARCH.

So the 2 edits are:
arch=('x86_64')
and delete the if/then for CARCH.

EDIT: I forgot that downstream has used Configure, and by my deleting the CARCH entries his Configure borks,
so the extra edit is to change ./Configure to ./config. Luckily it does not affect the code box for namcap below.

The new namcap run is:


namcap -i PKGBUILD 
PKGBUILD (openssl) I: Missing Contributor tag
Meaning no errors, no warnings and trivial Info. Let's see if it builds?


makepkg PKGBUILD 
==> ERROR: A package has already been built. (use -f to overwrite)
OK you witch


makepkg -f PKGBUILD 

aus9

Re: official openssl discussion

Post#3 by aus9 » 20 Nov 2015, 08:08


makepkg -f PKGBUILD 
==> Making package: openssl 1.0.2.d-1 (Fri Nov 20 16:06:13 AWST 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading openssl-1.0.2d.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5171k  100 5171k    0     0   257k      0  0:00:20  0:00:20 --:--:--  296k
  -> Downloading openssl-1.0.2d.tar.gz.asc...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   473  100   473    0     0    291      0  0:00:01  0:00:01 --:--:--   291
  -> Found no-rpath.patch
  -> Found ca-dir.patch
==> Validating source files with md5sums...
    openssl-1.0.2d.tar.gz ... Passed
    openssl-1.0.2d.tar.gz.asc ... Skipped
    no-rpath.patch ... Passed
    ca-dir.patch ... Passed
==> Verifying source file signatures with gpg...
    openssl-1.0.2d.tar.gz ... FAILED (unknown public key D9C4D26D0E604491)
==> ERROR: One or more PGP signatures could not be verified!
OK, let's get that key. The first time you run a gpg command you will get a message like this:


gpg --search-keys D9C4D26D0E604491
gpg: directory '/home/guest/.gnupg' created
gpg: new configuration file '/home/guest/.gnupg/dirmngr.conf' created
gpg: new configuration file '/home/guest/.gnupg/gpg.conf' created
gpg: WARNING: options in '/home/guest/.gnupg' are not yet active during this run
gpg: keybox '/home/guest/.gnupg/pubring.kbx' created
(and no prompt after that, meaning it's hanging)
Above I have exited by pressing the control key (Ctrl) and the c key; now you can repeat the command and it should work, YMMV.


gpg --search-keys D9C4D26D0E604491
gpg: data source: http://mail.dacr.hu:11371
(1)	Matt Caswell <matt@openssl.org>
	Matt Caswell <frodo@baggins.org>
	  2048 bit RSA key 0E604491, created: 2013-04-30
Keys 1-1 of 1 for "D9C4D26D0E604491".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 0E604491: public key "Matt Caswell <matt@openssl.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

aus9

Re: official openssl discussion

Post#4 by aus9 » 20 Nov 2015, 08:22

Let's try to build again.


makepkg -f PKGBUILD 
==> Making package: openssl 1.0.2.d-1 (Fri Nov 20 16:19:28 AWST 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found openssl-1.0.2d.tar.gz
  -> Found openssl-1.0.2d.tar.gz.asc
  -> Found no-rpath.patch
  -> Found ca-dir.patch
==> Validating source files with md5sums...
    openssl-1.0.2d.tar.gz ... Passed
    openssl-1.0.2d.tar.gz.asc ... Skipped
    no-rpath.patch ... Passed
    ca-dir.patch ... Passed
==> Verifying source file signatures with gpg...
    openssl-1.0.2d.tar.gz ... Passed
==> Extracting sources...
  -> Extracting openssl-1.0.2d.tar.gz with bsdtar
==> Starting prepare()...
patching file Makefile.shared
patching file apps/CA.pl.in
patching file apps/CA.sh
patching file apps/openssl.cnf
==> Starting build()...
Configuring for 
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]

pick os/compiler from:
BC-32 BS2000-OSD BSD-generic32 BSD-generic64 BSD-ia64 BSD-sparc64 BSD-sparcv8 
BSD-x86 BSD-x86-elf BSD-x86_64 Cygwin Cygwin-x86_64 DJGPP MPE/iX-gcc OS2-EMX 
OS390-Unix QNX6 QNX6-i386 ReliantUNIX SINIX SINIX-N UWIN VC-CE VC-WIN32 
VC-WIN64A VC-WIN64I aix-cc aix-gcc aix3-cc aix64-cc aix64-gcc android 
android-armv7 android-mips android-x86 aux3-gcc beos-x86-bone beos-x86-r5 
bsdi-elf-gcc cc cray-j90 cray-t3e darwin-i386-cc darwin-ppc-cc darwin64-ppc-cc 
darwin64-x86_64-cc dgux-R3-gcc dgux-R4-gcc dgux-R4-x86-gcc dist gcc hpux-cc 
hpux-gcc hpux-ia64-cc hpux-ia64-gcc hpux-parisc-cc hpux-parisc-cc-o4 
hpux-parisc-gcc hpux-parisc1_1-cc hpux-parisc1_1-gcc hpux-parisc2-cc 
hpux-parisc2-gcc hpux64-ia64-cc hpux64-ia64-gcc hpux64-parisc2-cc 
hpux64-parisc2-gcc hurd-x86 iphoneos-cross irix-cc irix-gcc irix-mips3-cc 
irix-mips3-gcc irix64-mips4-cc irix64-mips4-gcc linux-aarch64 
linux-alpha+bwx-ccc linux-alpha+bwx-gcc linux-alpha-ccc linux-alpha-gcc 
linux-aout linux-armv4 linux-elf linux-generic32 linux-generic64 
linux-ia32-icc linux-ia64 linux-ia64-icc linux-mips32 linux-mips64 linux-ppc 
linux-ppc64 linux-ppc64le linux-sparcv8 linux-sparcv9 linux-x32 linux-x86_64 
linux-x86_64-clang linux-x86_64-icc linux32-s390x linux64-mips64 linux64-s390x 
linux64-sparcv9 mingw mingw64 ncr-scde netware-clib netware-clib-bsdsock 
netware-clib-bsdsock-gcc netware-clib-gcc netware-libc netware-libc-bsdsock 
netware-libc-bsdsock-gcc netware-libc-gcc newsos4-gcc nextstep nextstep3.3 
osf1-alpha-cc osf1-alpha-gcc purify qnx4 rhapsody-ppc-cc sco5-cc sco5-gcc 
solaris-sparcv7-cc solaris-sparcv7-gcc solaris-sparcv8-cc solaris-sparcv8-gcc 
solaris-sparcv9-cc solaris-sparcv9-gcc solaris-x86-cc solaris-x86-gcc 
solaris64-sparcv9-cc solaris64-sparcv9-gcc solaris64-x86_64-cc 
solaris64-x86_64-gcc sunos-gcc tandem-c89 tru64-alpha-cc uClinux-dist 
uClinux-dist64 ultrix-cc ultrix-gcc unixware-2.0 unixware-2.1 unixware-7 
unixware-7-gcc vos-gcc vxworks-mips vxworks-ppc405 vxworks-ppc60x 
vxworks-ppc750 vxworks-ppc750-debug vxworks-ppc860 vxworks-ppcgen 
vxworks-simlinux debug debug-BSD-x86-elf debug-VC-WIN32 debug-VC-WIN64A 
debug-VC-WIN64I debug-ben debug-ben-darwin64 debug-ben-debug 
debug-ben-debug-64 debug-ben-debug-64-clang debug-ben-macos 
debug-ben-macos-gcc46 debug-ben-no-opt debug-ben-openbsd 
debug-ben-openbsd-debug debug-ben-strict debug-bodo debug-darwin-i386-cc 
debug-darwin-ppc-cc debug-darwin64-x86_64-cc debug-geoff32 debug-geoff64 
debug-levitte-linux-elf debug-levitte-linux-elf-extreme 
debug-levitte-linux-noasm debug-levitte-linux-noasm-extreme debug-linux-elf 
debug-linux-elf-noefence debug-linux-generic32 debug-linux-generic64 
debug-linux-ia32-aes debug-linux-pentium debug-linux-ppro debug-linux-x86_64 
debug-rse debug-solaris-sparcv8-cc debug-solaris-sparcv8-gcc 
debug-solaris-sparcv9-cc debug-solaris-sparcv9-gcc debug-steve-opt 
debug-steve32 debug-steve64 debug-vos-gcc 

NOTE: If in doubt, on Unix-ish systems use './config'.
==> ERROR: A failure occurred in build().
    Aborting...
Verdict: this particular one has at least one error, not helped by my knowledge that the tarball prefers ./config and I left that in by mistake. Let's fix.
The above post has been changed from Configure to config. The build now works; too long to post here.
The final output is:


==> Tidying install...
  -> Purging unwanted files...
  -> Removing libtool files...
  -> Removing static library files...
  -> Compressing man and info pages...
  -> Stripping unneeded symbols from binaries and libraries...
==> Creating package "openssl"...
  -> Generating .PKGINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: openssl 1.0.2.d-1 (Fri Nov 20 16:24:53 AWST 2015)

aus9

Re: official openssl discussion

Post#5 by aus9 » 20 Nov 2015, 08:36

Now let's show the latest build script, even though I will mod it for my own evil purposes:
# $Id: PKGBUILD 241910 2015-07-09 14:57:09Z foutrelis $
# Maintainer: Pierre Schmitz <pierre@archlinux.de>

pkgname=openssl
_ver=1.0.2d
# use a pacman compatible version scheme
pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
#pkgver=$_ver
pkgrel=1
pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
arch=('x86_64')
url='https://www.openssl.org'
license=('custom:BSD')
depends=('zlib' 'perl')
optdepends=('ca-certificates')
options=('!makeflags')
backup=('etc/ssl/openssl.cnf')
source=("https://www.openssl.org/source/${pkgnam ... er}.tar.gz"
        "https://www.openssl.org/source/${pkgnam ... tar.gz.asc"
        'no-rpath.patch'
        'ca-dir.patch')
md5sums=('38dd619b2e77cbac69b99f52a053d25a'
         'SKIP'
         'dc78d3d06baffc16217519242ce92478'
         '3bf51be3a1bbd262be46dc619f92aa90')
validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491')

prepare() {
  cd $srcdir/$pkgname-$_ver

  # remove rpath: http://bugs.archlinux.org/task/14367
  patch -p0 -i $srcdir/no-rpath.patch
  # set ca dir to /etc/ssl by default
  patch -p0 -i $srcdir/ca-dir.patch
}

build() {
  cd $srcdir/$pkgname-$_ver

  # mark stack as non-executable: http://bugs.archlinux.org/task/12434
  # optflags and openssltarget are left unset here (the CARCH block was removed);
  # ./config detects the target itself
  ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
    shared zlib ${optflags} \
    "${openssltarget}" \
    "-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}"

  make depend
  make
}

check() {
  cd $srcdir/$pkgname-$_ver
  # the test fails due to missing write permissions in /etc/ssl
  # revert this patch for make test
  patch -p0 -R -i $srcdir/ca-dir.patch
  make test
  patch -p0 -i $srcdir/ca-dir.patch
}

package() {
  cd $srcdir/$pkgname-$_ver
  make INSTALL_PREFIX=$pkgdir MANDIR=/usr/share/man MANSUFFIX=ssl install
  install -D -m644 LICENSE $pkgdir/usr/share/licenses/$pkgname/LICENSE
}
This concludes my learning curve of editing a normal-type config-make-install using Arch makepkg with a PKGBUILD.

aus9

Re: [INFO ONLY] official openssl discussion

Post#6 by aus9 » 20 Nov 2015, 23:30

Actually I need to add a bit more.

There is at least one more error in his script. Unless I have manually downloaded his patches, I get a new error.

But I needed to change the release number to pkgrel=2, and by doing so I no longer need to use the force switch.
Therefore makepkg is not hitting on the name but on the full filename.
If it exists, use the -f switch or up the release number.

Anyhow, here is the error:


namcap -i PKGBUILD 
PKGBUILD (openssl) I: Missing Contributor tag
guest /tmp $ makepkg PKGBUILD 
==> Making package: openssl 1.0.2.d-2 (Sat Nov 21 07:23:34 AWST 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading openssl-1.0.2d.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5171k  100 5171k    0     0   227k      0  0:00:22  0:00:22 --:--:--  308k
  -> Downloading openssl-1.0.2d.tar.gz.asc...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   473  100   473    0     0    287      0  0:00:01  0:00:01 --:--:--   287
==> ERROR: no-rpath.patch was not found in the build directory and is not a URL
As I intend to use my build without those patches and I know it already builds, this will do for now.

aus9

Re: [INFO ONLY] official openssl discussion

Post#7 by aus9 » 21 Nov 2015, 08:21

OK, just re-looking at gpg.

This is a shorter string and appears to work equally well:


gpg --search-keys 0E604491
gpg: data source: http://b4ckbone.de:11371
(1)	Matt Caswell <matt@openssl.org>
	Matt Caswell <frodo@baggins.org>
	  2048 bit RSA key 0E604491, created: 2013-04-30
Keys 1-1 of 1 for "0E604491".  Enter number(s), N)ext, or Q)uit > 1
gpg: /home/guest/.gnupg/trustdb.gpg: trustdb created
gpg: key 0E604491: public key "Matt Caswell <matt@openssl.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
That's because I want to have a test in a future script along these lines, but I'm still working on it:
# Look for the OpenSSL signing key directly in the keyring listing; no temp file in /tmp needed.
# (0E604491 is only the short key id; the full fingerprint is the one in the PKGBUILD's validpgpkeys.)
if gpg --fingerprint 2>/dev/null | grep -q 0E604491; then
  echo "pub key found, let's continue"
else
  echo "pub key for openssl not found, exiting now
see the forum post on how to add the key"
  sleep 5
  exit 1
fi


gpg --fingerprint | grep 0E604491 > /tmp/testz
guest ~ $ if grep 0E604491 /tmp/testz; then
>    echo "pub key found lets continue"
> else
>    echo "pub key for openssl not found, exitting now
> see the forum post on how to add the key"
> exit 1
> fi
pub   rsa2048/0E604491 2013-04-30
pub key found lets continue
# modify file to test error condition


if grep 0E604491 /tmp/testz; then
>    echo "pub key found lets continue"
> else
>    echo "pub key for openssl not found, exitting now
> see the forum post on how to add the key"
> sleep 5
> exit 1
> fi
pub key for openssl not found, exitting now
see the forum post on how to add the key
For the error condition the terminal tab closes, but brokenman reads code better than me. I am attempting to write for anyone, though, meaning me.
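Post 3's `FAILED (unknown public key D9C4D26D0E604491)` and the key-presence test in post 7 both turn on whether the OpenSSL signing key is in the keyring. The following is an added example, not the thread's own script: it checks for the key by the full 40-hex fingerprint from the PKGBUILD's validpgpkeys (the value makepkg itself pins) instead of the 32-bit short id, by parsing gpg's machine-readable `--with-colons` listing; the sample listing, its timestamps and its all-zero subkey are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: verify the OpenSSL signing key is present by FULL fingerprint.
# The short id 0E604491 used in the forum test is only the last 32 bits of the
# fingerprint; the full value below comes from the PKGBUILD's validpgpkeys array.
OPENSSL_FPR=8657ABB260F056B1E5190839D9C4D26D0E604491

# Canonicalise a fingerprint: drop spaces, upper-case, require exactly 40 hex digits.
# Prints the canonical form; returns 1 for a short key id or anything else.
canon_fpr() {
  f=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  case $f in
    ''|*[!0-9A-F]*) return 1 ;;
  esac
  [ "${#f}" -eq 40 ] || return 1
  printf '%s\n' "$f"
}

# Read a `gpg --with-colons --fingerprint` listing on stdin and succeed only when
# a PRIMARY key's fpr record (field 10) equals the wanted fingerprint. Subkey
# fingerprints (fpr records that follow a sub line) are deliberately not accepted.
# Exit status: 0 found, 1 not found, 2 the requested fingerprint is malformed.
keyring_has_fpr() {
  want=$(canon_fpr "$1") || return 2
  awk -F: -v want="$want" '
    $1 == "pub" { primary = 1; next }
    $1 == "sub" { primary = 0; next }
    $1 == "fpr" && primary && $10 == want { found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# Live check against the current keyring (honours GNUPGHOME just like gpg does).
openssl_key_present() {
  gpg --batch --with-colons --fingerprint 2>/dev/null | keyring_has_fpr "$OPENSSL_FPR"
}

# Constructed sample listing: the pub/fpr records mirror the key id shown in the
# thread (D9C4D26D0E604491); timestamps and the all-zero subkey are made up.
SAMPLE_LISTING='pub:-:2048:1:D9C4D26D0E604491:1367277183:::-:::scESC::::::23::0:
fpr:::::::::8657ABB260F056B1E5190839D9C4D26D0E604491:
uid:-::::1367277183::0000000000000000000000000000000000000000::Matt Caswell <matt@openssl.org>::::::::::0:
sub:-:2048:1:0000000000000000:1367277183::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Demo run over the constructed listing (on a real box call openssl_key_present).
if printf '%s\n' "$SAMPLE_LISTING" | keyring_has_fpr "$OPENSSL_FPR"; then
  echo "OpenSSL signing key present (matched by full fingerprint)"
else
  echo "OpenSSL signing key missing: import it and compare against $OPENSSL_FPR"
fi
```

A short id such as 0E604491 is rejected outright (exit 2) rather than silently accepted, since 32-bit ids can be made to collide.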

aus9

Re: [INFO ONLY] official openssl discussion

Post#8 by aus9 » 21 Nov 2015, 23:28

off topic

I can't add any Nemesis tests to check that the above is done etc., as I think the fakeroot is blocking my check of the filesystem.

For newbies, I will post an environment or setup check script later.
