104 lines
3.8 KiB
Nix
104 lines
3.8 KiB
Nix
{ stdenv, fetchurl, makeWrapper
|
|
, perl, libassuan, libgcrypt
|
|
, perlPackages, lockfileProgs, gnupg, coreutils
|
|
# For the tests:
|
|
, bash, openssh, which, socat, cpio, hexdump, openssl
|
|
}:
|
|
|
|
let
|
|
# A patch is needed to run the tests inside the Nix sandbox:
|
|
# /etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell"
|
|
# sshd: "User nixbld not allowed because shell /noshell does not exist"
|
|
opensshUnsafe = openssh.overrideAttrs (oldAttrs: {
|
|
patches = oldAttrs.patches ++ [ ./openssh-nixos-sandbox.patch ];
|
|
});
|
|
in stdenv.mkDerivation rec {
|
|
name = "monkeysphere-${version}";
|
|
version = "0.42";
|
|
|
|
# The patched OpenSSH binary MUST NOT be used (except in the check phase):
|
|
disallowedRequisites = [ opensshUnsafe ];
|
|
|
|
src = fetchurl {
|
|
url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
|
|
sha256 = "1haqgjxm8v2xnhc652lx79p2cqggb9gxgaf19w9l9akar2qmdjf1";
|
|
};
|
|
|
|
patches = [ ./monkeysphere.patch ];
|
|
|
|
postPatch = ''
|
|
sed -i "s,/usr/bin/env,${coreutils}/bin/env," src/share/ma/update_users
|
|
'';
|
|
|
|
nativeBuildInputs = [ makeWrapper ];
|
|
buildInputs = [ perl libassuan libgcrypt ]
|
|
++ stdenv.lib.optional doCheck
|
|
([ gnupg opensshUnsafe which socat cpio hexdump lockfileProgs ] ++
|
|
(with perlPackages; [ CryptOpenSSLRSA CryptOpenSSLBignum ]));
|
|
|
|
makeFlags = ''
|
|
PREFIX=/
|
|
DESTDIR=$(out)
|
|
'';
|
|
|
|
# The tests should be run (and succeed) when making changes to this package
|
|
# but they aren't enabled by default because they "drain" entropy (GnuPG
|
|
# still uses /dev/random).
|
|
doCheck = false;
|
|
preCheck = stdenv.lib.optionalString doCheck ''
|
|
patchShebangs tests/
|
|
patchShebangs src/
|
|
sed -i \
|
|
-e "s,/usr/sbin/sshd,${opensshUnsafe}/bin/sshd," \
|
|
-e "s,/bin/true,${coreutils}/bin/true," \
|
|
-e "s,/bin/false,${coreutils}/bin/false," \
|
|
-e "s,openssl\ req,${openssl}/bin/openssl req," \
|
|
tests/basic
|
|
sed -i "s/<(hd/<(hexdump/" tests/keytrans
|
|
'';
|
|
|
|
postFixup =
|
|
let wrapperArgs = runtimeDeps:
|
|
"--prefix PERL5LIB : "
|
|
+ (with perlPackages; stdenv.lib.makePerlPath [
|
|
CryptOpenSSLRSA
|
|
CryptOpenSSLBignum
|
|
])
|
|
+ stdenv.lib.optionalString
|
|
(builtins.length runtimeDeps > 0)
|
|
" --prefix PATH : ${stdenv.lib.makeBinPath runtimeDeps}";
|
|
wrapMonkeysphere = runtimeDeps: program:
|
|
"wrapProgram $out/bin/${program} ${wrapperArgs runtimeDeps}\n";
|
|
wrapPrograms = runtimeDeps: programs: stdenv.lib.concatMapStrings
|
|
(wrapMonkeysphere runtimeDeps)
|
|
programs;
|
|
in wrapPrograms [ gnupg ] [ "monkeysphere-authentication" "monkeysphere-host" ]
|
|
+ wrapPrograms [ lockfileProgs ] [ "monkeysphere" ]
|
|
+ ''
|
|
# These 4 programs depend on the program name ($0):
|
|
for program in openpgp2pem openpgp2spki openpgp2ssh pem2openpgp; do
|
|
rm $out/bin/$program
|
|
ln -sf keytrans $out/share/monkeysphere/$program
|
|
makeWrapper $out/share/monkeysphere/$program $out/bin/$program \
|
|
${wrapperArgs [ ]}
|
|
done
|
|
'';
|
|
|
|
meta = with stdenv.lib; {
|
|
homepage = http://web.monkeysphere.info/;
|
|
description = "Leverage the OpenPGP web of trust for SSH and TLS authentication";
|
|
longDescription = ''
|
|
The Monkeysphere project's goal is to extend OpenPGP's web of
|
|
trust to new areas of the Internet to help us securely identify
|
|
servers we connect to, as well as each other while we work online.
|
|
The suite of Monkeysphere utilities provides a framework to
|
|
transparently leverage the web of trust for authentication of
|
|
TLS/SSL communications through the normal use of tools you are
|
|
familiar with, such as your web browser0 or secure shell.
|
|
'';
|
|
license = licenses.gpl3Plus;
|
|
platforms = platforms.all;
|
|
maintainers = with maintainers; [ primeos ];
|
|
};
|
|
}
|