authoraszlig <aszlig@redmoonstudios.org>2012-08-21 21:35:46 +0200
committeraszlig <aszlig@redmoonstudios.org>2012-08-22 08:29:09 +0200
commit9e0aaf30aab7c61e5cacd4cdc44243a7557e2d2b (patch)
tree02590e31c067df01e61a67ec89c0fb1277a9f17f /pkgs/development/libraries/nss
parent29fce94665b6434ca22e78d873a01396bcd2a85a (diff)
nss: Sign libraries after striping.
Running NSS in FIPS mode is only possible if the libraries are signed correctly,
so we're doing this in the postFixup hook, to ensure nothing gets altered after
that phase.

For more information about FIPS mode, please see:
https://developer.mozilla.org/en-US/docs/NSS/FIPS_Mode_-_an_explanation
Diffstat (limited to 'pkgs/development/libraries/nss')
-rw-r--r--pkgs/development/libraries/nss/default.nix8
1 files changed, 8 insertions, 0 deletions
diff --git a/pkgs/development/libraries/nss/default.nix b/pkgs/development/libraries/nss/default.nix
index 222fd6e94f6f..3b6cc15754e2 100644
--- a/pkgs/development/libraries/nss/default.nix
+++ b/pkgs/development/libraries/nss/default.nix
@@ -86,4 +86,12 @@ stdenv.mkDerivation rec {
         --subst-var-by includedir $out/include/nss \
         --subst-var-by libdir $out/lib
     ''; # */
+
+  postFixup = ''
+    for libname in freebl3 nssdbm3 softokn3
+    do
+      libfile="$out/lib/lib$libname.so"
+      LD_LIBRARY_PATH=$out/lib $out/bin/shlibsign -v -i "$libfile"
+    done
+  '';
 }
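Review bot: The new `postFixup` block has no comment recording why signing must be the last step, and that ordering is the whole integrity property: shlibsign writes a `.chk` checksum over the final library bytes, so a later strip or patchelf pass would leave it stale and the FIPS self-check would reject the library. I would add `# Must stay in postFixup: the .chk files cover the final bytes, after strip/patchelf.` above the loop. The path `lib$libname.so` hard-codes the suffix, so on a platform with a different shared-library extension the loop would presumably fail; the derivation starts outside this hunk, so I cannot tell whether such platforms are built. It may also be worth checking after each call that `$out/lib/lib$libname.chk` exists, so a run that exits zero without writing a signature still fails the build.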