Re: nss not reproducible

[Christina O'Donnell]

Hi,

I believe I have a fix for this, I'm just waiting on my machine to hurry 
up and confirm it, might end up running over night, then I'll send my 
patch up.

I'm doing two native builds and two cross-builds.

I've also updated to 3.99.

Kind regards,

Christina

On 25/04/2024 15:06, Christina O'Donnell wrote:
> Hi Steve,
>
> > It would be good to confirm this one:
> >
> > https://debbugs.gnu.org/cgi/bugreport.cgi?bug=40316
>
> Still fails to reproduce with those changes applied.
>
> The culprit is in nss/cmd/shlibsign/shlibsign.c:
>
> shlibSignHMAC generates a new key-pair each time it's run:
>
>     /* Generate a DSA key pair */
>     logIt("Generate an HMAC key ... \n");
>     crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
>                                        hmacKeyTemplate,
> PR_ARRAY_SIZE(hmacKeyTemplate),
>                                        &hHMACKey);
>
> Three options:
>  1. Disable library signing entirely.
>  2. Seed the generation to be deterministic.
>  3. Drop in a HMAC key-pair and patch the code to use that instead of 
> generating.
>
> 2 and 3 defeat the point of the cryptographically secure supply chain 
> as the private key can be obtained deterministically, so my vote would 
> be simply  to not sign the libraries (1), which would be easier to 
> maintain. We're not the primary distributor and users can verify our 
> distribution of nss by running `guix challenge` anyway.
>
> > It looks like Zhen Junjie applied two patches to fix NSS 
> > cross-compilation on Master [0]
>
> Building everything cross-compiled to ARM now.
>
> Kind regards,
>
> Christina