681624 - Allow skipping shlibsign (for cross compilation)

Status: RESOLVED WONTFIX

(NSS :: Build, defect)

Description

[(not currently active) Ted Mielczarek]

Attachment: Set SKIP_SHLIBSIGN=1 to skip the signing step

If you do a top-level NSS build, shlibsign is always invoked to sign the binaries. If you're cross-compiling, this step always fails, since shlibsign is built for the target architecture. The Mozilla build system works around this by only calling certain NSS Makefiles, and skipping shlibsign when cross-compiling. It would be nice to provide a variable that would allow skipping the shlibsign invocation so you could still do a top-level make for a cross-compile.

Comment 1

[Kai Engert [:KaiE:]]

Comment on attachment 555375 [details] [diff] [review]
Set SKIP_SHLIBSIGN=1 to skip the signing step

You keep the current default unchanged, which is good.

Being able to "optionally" skip library signing seems to be an acceptable offering.

r=kaie

Please allow 1-2 days for Bob or Wan-Teh to comment, in case they want to veto.

Comment 2

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

I have already fixed this bug in the second patch for bug 772144. Instead of skipping the signing, it requires that you build NSS for the host (or have it pre-installed) and then uses the host's shlibsign to do the signing.

If you skip the signing then you also end up having to skip some of the tests that depend on the signing. So, I think it is better to avoid skipping the signing.

Comment 3

[(not currently active) Ted Mielczarek]

That seems like a lot of extra effort just to make this work, but I'm not married to this patch. It was just the easiest thing to do to work around the issue when I was trying to test NSS on iOS.

Comment 4

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

I thought of another reason that we need to skip signing:

For Gecko, at least on Windows, we cannot shlibsign the libraries until after we've Authenticode signed them, but we don't Authenticode sign the libraries as part of the build. So, instead, we do the shlibsign as part of the separate signing step.

> NSS on iOS.

Awesome! You might check with rsleevi and wtc about whether they've already done a port of NSS to iOS.

Comment 5

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Comment on attachment 555375 [details] [diff] [review]
Set SKIP_SHLIBSIGN=1 to skip the signing step

Review of attachment 555375 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/nss/cmd/shlibsign/Makefile
@@ +124,2 @@
>  libs install :: $(CHECKLOC)
> +endif

Nit: A more make-y way of doing this would be to provide new targets.

Comment 6

[Ryan Sleevi]

[slightly offtopic of the original bug] In response to Comment #4 - As with most things Chromium, we did it in a way that ignores the NSS build system :)

We do build NSS for Chromium on iOS, but build it as a static library (see bug #534471 / http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/nss/patches/nss-static.patch?revision=169374&view=markup ), as required by Apple.

[slightly on-topic to the original bug] In response to Comment #1 - Note that on Gentoo (ergo on ChromiumOS), cross-compiling NSS is also treated as a build-depends on the host machine having a runnable shlibsign to sign the target-machine binaries. Gentoo (and CrOS) basically have a patch similar to what Brian's done, to move it out of the compile path and put it into the ebuild/configuration path.

Comment 7

[Wan-Teh Chang]

(In reply to Brian Smith (:bsmith) from comment #2)
>
> If you skip the signing then you also end up having to skip some of the
> tests that depend on the signing. So, I think it is better to avoid skipping
> the signing.

We can change the test script to run shlibsign first if SKIP_SHLIBSIGN
is set. It would be nice to name the variable SKIP_SHLIBSIGN_DURING_BUILD
to make the intention clearer.