guix: Package codesigning tools

Author: dongcarl

contrib/guix/manifest.scm

@@ -4,12 +4,14 @@
              (gnu packages base)
              (gnu packages bash)
              (gnu packages bison)
+             (gnu packages certs)
              (gnu packages cdrom)
              (gnu packages check)
              (gnu packages cmake)
              (gnu packages commencement)
              (gnu packages compression)
              (gnu packages cross-base)
+             (gnu packages curl)
              (gnu packages file)
              (gnu packages gawk)
              (gnu packages gcc)
@@ -23,7 +25,9 @@
              (gnu packages perl)
              (gnu packages pkg-config)
              (gnu packages python)
+             (gnu packages python-web)
              (gnu packages shells)
+             (gnu packages tls)
              (gnu packages version-control)
              (guix build-system font)
              (guix build-system gnu)
@@ -217,6 +221,337 @@ chain for " target " development."))
 parse, modify and abstract ELF, PE and MachO formats.")
    (license license:asl2.0)))
 
+(define osslsigncode
+  (package
+    (name "osslsigncode")
+    (version "2.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/mtrojnar/"
+                                  name "/archive/" version ".tar.gz"))
+              (sha256
+               (base32
+                "0byri6xny770wwb2nciq44j5071122l14bvv65axdd70nfjf0q2s"))))
+    (build-system gnu-build-system)
+    (native-inputs
+     `(("pkg-config" ,pkg-config)
+       ("autoconf" ,autoconf)
+       ("automake" ,automake)
+       ("libtool" ,libtool)))
+    (inputs
+     `(("openssl" ,openssl)))
+    (arguments
+     `(#:configure-flags
+       `("--without-gsf"
+         "--without-curl"
+         "--disable-dependency-tracking")))
+    (home-page "https://github.com/mtrojnar/osslsigncode")
+    (synopsis "Authenticode signing and timestamping tool")
+    (description "osslsigncode is a small tool that implements part of the
+functionality of the Microsoft tool signtool.exe - more exactly the Authenticode
+signing and timestamping. But osslsigncode is based on OpenSSL and cURL, and
+thus should be able to compile on most platforms where these exist.")
+    (license license:gpl3+))) ; license is with openssl exception
+
+(define-public python-asn1crypto
+  (package
+    (name "python-asn1crypto")
+    (version "1.4.0")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/wbond/asn1crypto")
+             (commit version)))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32
+         "19abibn6jw20mzi1ln4n9jjvpdka8ygm4m439hplyrdfqbvgm01r"))))
+    (build-system python-build-system)
+    (arguments
+     '(#:phases
+       (modify-phases %standard-phases
+         (replace 'check
+           (lambda _
+             (invoke "python" "run.py" "tests"))))))
+    (home-page "https://github.com/wbond/asn1crypto")
+    (synopsis "ASN.1 parser and serializer in Python")
+    (description "asn1crypto is an ASN.1 parser and serializer with definitions
+for private keys, public keys, certificates, CRL, OCSP, CMS, PKCS#3, PKCS#7,
+PKCS#8, PKCS#12, PKCS#5, X.509 and TSP.")
+    (license license:expat)))
+
+(define-public python-elfesteem
+  (let ((commit "87bbd79ab7e361004c98cc8601d4e5f029fd8bd5"))
+    (package
+      (name "python-elfesteem")
+      (version (git-version "0.1" "1" commit))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://github.com/LRGH/elfesteem")
+               (commit commit)))
+         (file-name (git-file-name name commit))
+         (sha256
+          (base32
+           "1nyvjisvyxyxnd0023xjf5846xd03lwawp5pfzr8vrky7wwm5maz"))))
+      (build-system python-build-system)
+      ;; There are no tests, but attempting to run python setup.py test leads to
+      ;; PYTHONPATH problems, just disable the test
+      (arguments '(#:tests? #f))
+      (home-page "https://github.com/LRGH/elfesteem")
+      (synopsis "ELF/PE/Mach-O parsing library")
+      (description "elfesteem parses ELF, PE and Mach-O files.")
+      (license license:lgpl2.1))))
+
+(define-public python-oscrypto
+  (package
+    (name "python-oscrypto")
+    (version "1.2.1")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/wbond/oscrypto")
+             (commit version)))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32
+         "1d4d8s4z340qhvb3g5m5v3436y3a71yc26wk4749q64m09kxqc3l"))
+       (patches (search-our-patches "oscrypto-hard-code-openssl.patch"))))
+    (build-system python-build-system)
+    (native-search-paths
+     (list (search-path-specification
+            (variable "SSL_CERT_FILE")
+            (file-type 'regular)
+            (separator #f)                ;single entry
+            (files '("etc/ssl/certs/ca-certificates.crt")))))
+
+    (propagated-inputs
+     `(("python-asn1crypto" ,python-asn1crypto)
+       ("openssl" ,openssl)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'hard-code-path-to-libscrypt
+           (lambda* (#:key inputs #:allow-other-keys)
+             (let ((openssl (assoc-ref inputs "openssl")))
+               (substitute* "oscrypto/__init__.py"
+                 (("@GUIX_OSCRYPTO_USE_OPENSSL@")
+                  (string-append openssl "/lib/libcrypto.so" "," openssl "/lib/libssl.so")))
+               #t)))
+         (add-after 'unpack 'disable-broken-tests
+           (lambda _
+             ;; This test is broken as there is no keyboard interrupt.
+             (substitute* "tests/test_trust_list.py"
+               (("^(.*)class TrustListTests" line indent)
+                (string-append indent
+                               "@unittest.skip(\"Disabled by Guix\")\n"
+                               line)))
+             (substitute* "tests/test_tls.py"
+               (("^(.*)class TLSTests" line indent)
+                (string-append indent
+                               "@unittest.skip(\"Disabled by Guix\")\n"
+                               line)))
+             #t))
+         (replace 'check
+           (lambda _
+             (invoke "python" "run.py" "tests")
+             #t)))))
+    (home-page "https://github.com/wbond/oscrypto")
+    (synopsis "Compiler-free Python crypto library backed by the OS")
+    (description "oscrypto is a compilation-free, always up-to-date encryption library for Python.")
+    (license license:expat)))
+
+(define-public python-oscryptotests
+  (package (inherit python-oscrypto)
+    (name "python-oscryptotests")
+    (arguments
+     `(#:tests? #f
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'hard-code-path-to-libscrypt
+           (lambda* (#:key inputs #:allow-other-keys)
+             (chdir "tests")
+             #t)))))))
+
+(define-public python-certvalidator
+  (let ((commit "e5bdb4bfcaa09fa0af355eb8867d00dfeecba08c"))
+    (package
+      (name "python-certvalidator")
+      (version (git-version "0.1" "1" commit))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://github.com/achow101/certvalidator")
+               (commit commit)))
+         (file-name (git-file-name name commit))
+         (sha256
+          (base32
+           "18pvxkvpkfkzgvfylv0kx65pmxfcv1hpsg03cip93krfvrrl4c75"))))
+      (build-system python-build-system)
+      (propagated-inputs
+       `(("python-asn1crypto" ,python-asn1crypto)
+         ("python-oscrypto" ,python-oscrypto)
+         ("python-oscryptotests", python-oscryptotests))) ;; certvalidator tests import oscryptotests
+      (arguments
+       `(#:phases
+         (modify-phases %standard-phases
+           (add-after 'unpack 'disable-broken-tests
+             (lambda _
+               (substitute* "tests/test_certificate_validator.py"
+                 (("^(.*)class CertificateValidatorTests" line indent)
+                  (string-append indent
+                                 "@unittest.skip(\"Disabled by Guix\")\n"
+                                 line)))
+               (substitute* "tests/test_crl_client.py"
+                 (("^(.*)def test_fetch_crl" line indent)
+                  (string-append indent
+                                 "@unittest.skip(\"Disabled by Guix\")\n"
+                                 line)))
+               (substitute* "tests/test_ocsp_client.py"
+                 (("^(.*)def test_fetch_ocsp" line indent)
+                  (string-append indent
+                                 "@unittest.skip(\"Disabled by Guix\")\n"
+                                 line)))
+               (substitute* "tests/test_registry.py"
+                 (("^(.*)def test_build_paths" line indent)
+                  (string-append indent
+                                 "@unittest.skip(\"Disabled by Guix\")\n"
+                                 line)))
+               (substitute* "tests/test_validate.py"
+                 (("^(.*)def test_revocation_mode_hard" line indent)
+                  (string-append indent
+                                 "@unittest.skip(\"Disabled by Guix\")\n"
+                                 line)))
+               #t))
+           (replace 'check
+             (lambda _
+               (invoke "python" "run.py" "tests")
+               #t)))))
+      (home-page "https://github.com/wbond/certvalidator")
+      (synopsis "Python library for validating X.509 certificates and paths")
+      (description "certvalidator is a Python library for validating X.509
+certificates or paths. Supports various options, including: validation at a
+specific moment in time, whitelisting and revocation checks.")
+      (license license:expat))))
+
+(define-public python-requests-2.25.1
+  (package (inherit python-requests)
+    (version "2.25.1")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "requests" version))
+              (sha256
+               (base32
+                "015qflyqsgsz09gnar69s6ga74ivq5kch69s4qxz3904m7a3v5r7"))))))
+
+(define-public python-altgraph
+  (package
+    (name "python-altgraph")
+    (version "0.17")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/ronaldoussoren/altgraph")
+             (commit (string-append "v" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32
+         "09sm4srvvkw458pn48ga9q7ykr4xlz7q8gh1h9w7nxpf001qgpwb"))))
+    (build-system python-build-system)
+    (home-page "https://github.com/ronaldoussoren/altgraph")
+    (synopsis "Python graph (network) package")
+    (description "altgraph is a fork of graphlib: a graph (network) package for
+constructing graphs, BFS and DFS traversals, topological sort, shortest paths,
+etc. with graphviz output.")
+    (license license:expat)))
+
+
+(define-public python-macholib
+  (package
+    (name "python-macholib")
+    (version "1.14")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/ronaldoussoren/macholib")
+             (commit (string-append "v" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32
+         "0aislnnfsza9wl4f0vp45ivzlc0pzhp9d4r08700slrypn5flg42"))))
+    (build-system python-build-system)
+    (propagated-inputs
+     `(("python-altgraph" ,python-altgraph)))
+    (arguments
+     '(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'disable-broken-tests
+           (lambda _
+             ;; This test is broken as there is no keyboard interrupt.
+             (substitute* "macholib_tests/test_command_line.py"
+               (("^(.*)class TestCmdLine" line indent)
+                (string-append indent
+                               "@unittest.skip(\"Disabled by Guix\")\n"
+                               line)))
+             (substitute* "macholib_tests/test_dyld.py"
+               (("^(.*)def test_\\S+_find" line indent)
+                (string-append indent
+                               "@unittest.skip(\"Disabled by Guix\")\n"
+                               line))
+               (("^(.*)def testBasic" line indent)
+                (string-append indent
+                               "@unittest.skip(\"Disabled by Guix\")\n"
+                               line))
+               )
+             #t)))))
+    (home-page "https://github.com/ronaldoussoren/macholib")
+    (synopsis "Python library for analyzing and editing Mach-O headers")
+    (description "macholib is a Macho-O header analyzer and editor. It's
+typically used as a dependency analysis tool, and also to rewrite dylib
+references in Mach-O headers to be @executable_path relative. Though this tool
+targets a platform specific file format, it is pure python code that is platform
+and endian independent.")
+    (license license:expat)))
+
+(define-public python-signapple
+  (let ((commit "4ff1c1754e37042c002a3f6375c47fd931f2030b"))
+    (package
+      (name "python-signapple")
+      (version (git-version "0.1" "1" commit))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://github.com/dongcarl/signapple")
+               (commit commit)))
+         (file-name (git-file-name name commit))
+         (sha256
+          (base32
+           "043czyzfm04rcx5xsp59vsppla3vm5g45dbp1npy2hww4066rlnh"))))
+      (build-system python-build-system)
+      (propagated-inputs
+       `(("python-asn1crypto" ,python-asn1crypto)
+         ("python-oscrypto" ,python-oscrypto)
+         ("python-certvalidator" ,python-certvalidator)
+         ("python-elfesteem" ,python-elfesteem)
+         ("python-requests" ,python-requests-2.25.1)
+         ("python-macholib" ,python-macholib)
+         ("libcrypto" ,openssl)))
+      ;; There are no tests, but attempting to run python setup.py test leads to
+      ;; problems, just disable the test
+      (arguments '(#:tests? #f))
+      (home-page "https://github.com/achow101/signapple")
+      (synopsis "Mach-O binary signature tool")
+      (description "signapple is a Python tool for creating, verifying, and
+inspecting signatures in Mach-O binaries.")
+      (license license:expat))))
+
 (packages->manifest
  (append
   (list ;; The Basics
@@ -262,9 +597,10 @@ parse, modify and abstract ELF, PE and MachO formats.")
            ;; Windows
            (list zip
                  (make-mingw-pthreads-cross-toolchain "x86_64-w64-mingw32")
-                 (make-nsis-with-sde-support nsis-x86_64)))
+                 (make-nsis-with-sde-support nsis-x86_64)
+                 osslsigncode))
           ((string-contains target "-linux-")
            (list (make-bitcoin-cross-toolchain target)))
           ((string-contains target "darwin")
-           (list clang-toolchain-10 binutils imagemagick libtiff librsvg font-tuffy cmake xorriso))
+           (list clang-toolchain-10 binutils imagemagick libtiff librsvg font-tuffy cmake xorriso python-signapple))
           (else '())))))

contrib/guix/patches/oscrypto-hard-code-openssl.patch

@@ -0,0 +1,13 @@
+diff --git a/oscrypto/__init__.py b/oscrypto/__init__.py
+index eb27313..371ab24 100644
+--- a/oscrypto/__init__.py
++++ b/oscrypto/__init__.py
+@@ -302,3 +302,8 @@ def load_order():
+         'oscrypto._win.tls',
+         'oscrypto.tls',
+     ]
++
++
++paths = '@GUIX_OSCRYPTO_USE_OPENSSL@'.split(',')
++assert len(paths) == 2, 'Value for OSCRYPTO_USE_OPENSSL env var must be two paths separated by a comma'
++use_openssl(*paths)