nixpkgs/pkgs/tools/security/eid-mw/default.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

106 lines
3.2 KiB
Nix
Raw Normal View History

2021-05-22 13:47:53 +00:00
{ lib
, stdenv
, fetchFromGitHub
, autoconf-archive
, autoreconfHook
, makeWrapper
, pkg-config
, substituteAll
2021-05-22 13:47:53 +00:00
, curl
, gtk3
, libassuan
, libbsd
, libproxy
, libxml2
, nssTools
2021-05-22 13:47:53 +00:00
, openssl
, p11-kit
, pcsclite
, wrapGAppsHook
2021-05-22 13:47:53 +00:00
}:
stdenv.mkDerivation rec {
pname = "eid-mw";
2021-05-22 13:47:53 +00:00
# NOTE: Don't just blindly update to the latest version/tag. Releases are always for a specific OS.
2024-02-21 18:33:13 +00:00
version = "5.1.16";
2015-03-26 17:19:57 +00:00
src = fetchFromGitHub {
owner = "Fedict";
2021-08-13 14:23:05 +00:00
repo = "eid-mw";
rev = "v${version}";
2024-02-21 18:33:13 +00:00
hash = "sha256-UOZVCTXiqYnatS/ZhJZZprqtwtkVt8EJRHZ9XuX5W5o=";
};
postPatch = ''
sed 's@m4_esyscmd_s(.*,@[${version}],@' -i configure.ac
substituteInPlace configure.ac --replace 'p11kitcfdir=""' 'p11kitcfdir="'$out/share/p11-kit/modules'"'
'';
nativeBuildInputs = [ wrapGAppsHook autoreconfHook autoconf-archive pkg-config makeWrapper ];
2021-05-22 13:47:53 +00:00
buildInputs = [ curl gtk3 libassuan libbsd libproxy libxml2 openssl p11-kit pcsclite ];
preConfigure = ''
mkdir openssl
treewide: use lib.getLib for OpenSSL libraries At some point, I'd like to make another attempt at 71f1f4884b5 ("openssl: stop static binaries referencing libs"), which was reverted in 195c7da07df. One problem with my previous attempt is that I moved OpenSSL's libraries to a lib output, but many dependent packages were hardcoding the out output as the location of the libraries. This patch fixes every such case I could find in the tree. It won't have any effect immediately, but will mean these packages will automatically use an OpenSSL lib output if it is reintroduced in future. This patch should cause very few rebuilds, because it shouldn't make any change at all to most packages I'm touching. The few rebuilds that are introduced come from when I've changed a package builder not to use variable names like openssl.out in scripts / substitution patterns, which would be confusing since they don't hardcode the output any more. I started by making the following global replacements: ${pkgs.openssl.out}/lib -> ${lib.getLib pkgs.openssl}/lib ${openssl.out}/lib -> ${lib.getLib openssl}/lib Then I removed the ".out" suffix when part of the argument to lib.makeLibraryPath, since that function uses lib.getLib internally. Then I fixed up cases where openssl was part of the -L flag to the compiler/linker, since that unambigously is referring to libraries. Then I manually investigated and fixed the following packages: - pycurl - citrix-workspace - ppp - wraith - unbound - gambit - acl2 I'm reasonably confindent in my fixes for all of them. For acl2, since the openssl library paths are manually provided above anyway, I don't think openssl is required separately as a build input at all. Removing it doesn't make a difference to the output size, the file list, or the closure. I've tested evaluation with the OfBorg meta checks, to protect against introducing evaluation failures.
2022-03-25 15:33:21 +00:00
ln -s ${lib.getLib openssl}/lib openssl
ln -s ${openssl.bin}/bin openssl
ln -s ${openssl.dev}/include openssl
export SSL_PREFIX=$(realpath openssl)
2020-07-04 08:28:59 +00:00
substituteInPlace plugins_tools/eid-viewer/Makefile.in \
--replace "c_rehash" "openssl rehash"
2021-05-22 13:47:53 +00:00
'';
# pinentry uses hardcoded `/usr/bin/pinentry`, so use the built-in (uglier) dialogs for pinentry.
configureFlags = [ "--disable-pinentry" ];
postInstall =
2021-05-22 13:47:53 +00:00
let
eid-nssdb-in = substituteAll {
inherit (stdenv) shell;
isExecutable = true;
src = ./eid-nssdb.in;
};
in
''
install -D ${eid-nssdb-in} $out/bin/eid-nssdb
substituteInPlace $out/bin/eid-nssdb \
--replace "modutil" "${nssTools}/bin/modutil"
2021-05-22 13:47:53 +00:00
rm $out/bin/about-eid-mw
wrapProgram $out/bin/eid-viewer --prefix XDG_DATA_DIRS : "$out/share/gsettings-schemas/$name"
'';
enableParallelBuilding = true;
doCheck = true;
meta = with lib; {
description = "Belgian electronic identity card (eID) middleware";
2022-02-05 22:47:16 +00:00
homepage = "https://eid.belgium.be/en";
2021-06-08 07:51:02 +00:00
license = licenses.lgpl3Only;
longDescription = ''
Allows user authentication and digital signatures with Belgian ID cards.
Also requires a running pcscd service and compatible card reader.
eid-viewer is also installed.
This package only installs the libraries. To use eIDs in Firefox or
Chromium, the eID Belgium add-on must be installed.
This package only installs the libraries. To use eIDs in NSS-compatible
browsers like Chrom{e,ium} or Firefox, each user must first execute:
~$ eid-nssdb add
(Running the script once as root with the --system option enables eID
support for all users, but will *not* work when using Chrom{e,ium}!)
Before uninstalling this package, it is a very good idea to run
~$ eid-nssdb [--system] remove
and remove all ~/.pki and/or /etc/pki directories no longer needed.
The above procedure doesn't seem to work in Firefox. You can override the
firefox wrapper to add this derivation to the PKCS#11 modules, like so:
firefox.override { pkcs11Modules = [ pkgs.eid-mw ]; }
'';
2015-08-13 23:27:53 +00:00
platforms = platforms.linux;
2021-05-22 13:47:53 +00:00
maintainers = with maintainers; [ bfortz chvp ];
};
}