From dlawrence at IECOK.com Fri May 17 12:51:00 2019 From: dlawrence at IECOK.com (Don Lawrence) Date: Fri, 17 May 2019 12:51:00 +0000 Subject: Build failing on tinycore linux Message-ID: Here is the last few lines of make config.status: creating po/Makefile test ! -f ./p11-kit.pot || \ test -z "ar.gmo as.gmo ast.gmo az.gmo bg.gmo bn_IN.gmo ca.gmo ca at valencia.gmo cs.gmo cy.gmo da.gmo de.gmo el.gmo en at boldquot.gmo en at quot.gmo en_GB.gmo eo.gmo es.gmo et.gmo eu.gmo fa.gmo fi.gmo fo.gmo fr.gmo fur.gmo ga.gmo gl.gmo gu.gmo he.gmo hi.gmo hr.gmo hu.gmo ia.gmo id.gmo it.gmo ja.gmo ka.gmo kk.gmo kn.gmo ko.gmo lt.gmo lv.gmo ml.gmo mr.gmo ms.gmo nb.gmo nl.gmo nn.gmo oc.gmo or.gmo pa.gmo pl.gmo pt.gmo pt_BR.gmo ro.gmo ru.gmo sk.gmo sl.gmo sq.gmo sr.gmo sr at latin.gmo sv.gmo ta.gmo te.gmo th.gmo tr.gmo uk.gmo vi.gmo wa.gmo zh_CN.gmo zh_HK.gmo zh_TW.gmo" || make ar.gmo as.gmo ast.gmo az.gmo bg.gmo bn_IN.gmo ca.gmo ca at valencia.gmo cs.gmo cy.gmo da.gmo de.gmo el.gmo en at boldquot.gmo en at quot.gmo en_GB.gmo eo.gmo es.gmo et.gmo eu.gmo fa.gmo fi.gmo fo.gmo fr.gmo fur.gmo ga.gmo gl.gmo gu.gmo he.gmo hi.gmo hr.gmo hu.gmo ia.gmo id.gmo it.gmo ja.gmo ka.gmo kk.gmo kn.gmo ko.gmo lt.gmo lv.gmo ml.gmo mr.gmo ms.gmo nb.gmo nl.gmo nn.gmo oc.gmo or.gmo pa.gmo pl.gmo pt.gmo pt_BR.gmo ro.gmo ru.gmo sk.gmo sl.gmo sq.gmo sr.gmo sr at latin.gmo sv.gmo ta.gmo te.gmo th.gmo tr.gmo uk.gmo vi.gmo wa.gmo zh_CN.gmo zh_HK.gmo zh_TW.gmo make[3]: Entering directory '/home/tc/p11-kit/po' rm -f ar.gmo && /usr/local/bin/msgmerge --for-msgfmt -o ar.1po ar.po p11-kit.pot && /usr/local/bin/msgfmt -c --statistics --verbose -o ar.gmo ar.1po && rm -f ar.1po /usr/local/bin/msgfmt: error while opening "ar.1po" for reading: No such file or directory make[3]: *** [Makefile:190: ar.gmo] Error 1 make[3]: Leaving directory '/home/tc/p11-kit/po' make[2]: *** [Makefile:233: stamp-po] Error 2 make[2]: Leaving directory '/home/tc/p11-kit/po' make[1]: *** [Makefile:4626: all-recursive] Error 1 make[1]: Leaving directory '/home/tc/p11-kit' make: *** [Makefile:2268: all] Error 2 What program am I missing or how can I disable making the docs to avoid this? Any help would be appreciated. Don Lawrence Manager of Corporate Services Indian Electric Cooperative, Inc. (918) 295-9533 From dueno at redhat.com Mon May 20 07:47:59 2019 From: dueno at redhat.com (Daiki Ueno) Date: Mon, 20 May 2019 09:47:59 +0200 Subject: Build failing on tinycore linux In-Reply-To: (Don Lawrence's message of "Fri, 17 May 2019 12:51:00 +0000") References: Message-ID: Hello, Don Lawrence writes: > make[3]: Entering directory '/home/tc/p11-kit/po' > rm -f ar.gmo && /usr/local/bin/msgmerge --for-msgfmt -o ar.1po ar.po > p11-kit.pot && /usr/local/bin/msgfmt -c --statistics --verbose -o > ar.gmo ar.1po && rm -f ar.1po > /usr/local/bin/msgfmt: error while opening "ar.1po" for reading: No > such file or directory > make[3]: *** [Makefile:190: ar.gmo] Error 1 > make[3]: Leaving directory '/home/tc/p11-kit/po' > make[2]: *** [Makefile:233: stamp-po] Error 2 > make[2]: Leaving directory '/home/tc/p11-kit/po' > make[1]: *** [Makefile:4626: all-recursive] Error 1 > make[1]: Leaving directory '/home/tc/p11-kit' > make: *** [Makefile:2268: all] Error 2 Thank you for the report. I suppose you are building p11-kit from git using gettext >= 0.20 (because msgmerge --for-msgfmt is new in that version). I forwarded it to the gettext mailing list and it turned out to be a bug in that tool: https://lists.gnu.org/archive/html/bug-gettext/2019-05/msg00125.html > What program am I missing or how can I disable making the docs to avoid this? I think you could workaround this either by: - applying the patch for gettext from the above link - manually copying older gettext files from the archive, which can be found in /usr/local/share/gettext/archive.dir.tar.* in your case, or - using ./configure --disable-nls Regards, -- Daiki Ueno From andrej.valek at siemens.com Fri May 24 10:53:46 2019 From: andrej.valek at siemens.com (Valek, Andrej) Date: Fri, 24 May 2019 10:53:46 +0000 Subject: libnss replacement Message-ID: Hello Everyone! I have found your nice project, which could solves my problems. I am trying to get rid of the libnss due to some problems. My application is QtWebengine + chromium based. Previously SSL certificates have been handled by openssl. Chromium read ca-certificates from /etc/ssl/certs, but from QT version 5.12.3 they have switched to used nss. When the application starts, it loads certificates from ~/.pki/nssdb . Application is still using the old certificates, even if I upload the new certificate and the nssdb is updated via certutil from ca-certificate update hook. Application just reads nssdb during starting. After application restarting, it re-loaded the library and worked. But this case is unwanted. I was trying to use your p11-kit a replacement to be able to update certificates during application running. So I have replaced libnss (/usr/lib/libnssckbi.so -> /usr/lib/pkcs11/p11-kit-trust.so) with your library. Started my application and import new certificate via "trust anchor --store /var/lib/xxx.pem". But application still couldn't verified the page. Same behavior as before, after restarts, application was working. So is it possible to use your SW for my runtime use-cases? If yes, how I can do that? Many thanks, Andrej -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsleevi at chromium.org Tue May 28 00:29:51 2019 From: rsleevi at chromium.org (Ryan Sleevi) Date: Mon, 27 May 2019 20:29:51 -0400 Subject: libnss replacement In-Reply-To: References: Message-ID: On Fri, May 24, 2019 at 7:09 AM Valek, Andrej wrote: > Hello Everyone! > > > > I have found your nice project, which could solves my problems. > > > > I am trying to get rid of the libnss due to some problems. > > My application is QtWebengine + chromium based. Previously SSL > certificates have been handled by openssl. Chromium read ca-certificates > from /etc/ssl/certs, but from QT version 5.12.3 they have switched to used > nss. When the application starts, it loads certificates from ~/.pki/nssdb . > Application is still using the old certificates, even if I upload the new > certificate and the nssdb is updated via certutil from ca-certificate > update hook. Application just reads nssdb during starting. After > application restarting, it re-loaded the library and worked. But this case > is unwanted. > Since you mentioned Chromium and libnss - this isn't something p11-kit can help with. While you're not using nssckbi anymore, you're still using libnss for all of the certificate verification and operations, and libnss (and the mozilla::pkix APIs that Chromium-based distributions use from libnss) has a host of internal caches. Additionally, Chromium itself has a host of internal caches, and officially, does not support your use case. If you'd like to resolve this, you'd need to switch to using something not-Chromium-based, not-libnss-based (although Chromium using the other backends similarly makes no guarantee of immediate visibility of changes absent process restarts), or maintain patches for or on top of QtWebEngine. In any event, those are probably easily answered on a Chromium bug, with the knowledge it may be WontFixed, but at least provide more thorough answers if you have follow-up questions. Hope that helps! /Chromium maintainer of that code, who happens to lurk here. -------------- next part -------------- An HTML attachment was scrubbed... URL: