Diffstat (limited to 'pkgs/tools/security')
-rw-r--r-- | pkgs/tools/security/amber/default.nix | 6 | ||||
-rw-r--r-- | pkgs/tools/security/ghidra/build.nix | 141 | ||||
-rw-r--r-- | pkgs/tools/security/notary/default.nix | 66 | ||||
-rw-r--r-- | pkgs/tools/security/notary/no-git-usage.patch | 15 | ||||
-rw-r--r-- | pkgs/tools/security/onlykey-agent/default.nix | 2 | ||||
-rw-r--r-- | pkgs/tools/security/spire/default.nix | 2 | ||||
-rw-r--r-- | pkgs/tools/security/uncover/default.nix | 6 | ||||
-rw-r--r-- | pkgs/tools/security/vals/default.nix | 6 |
8 files changed, 97 insertions, 147 deletions
diff --git a/pkgs/tools/security/amber/default.nix b/pkgs/tools/security/amber/default.nix index 2b64480c4a00a..5cb96596564ce 100644 --- a/pkgs/tools/security/amber/default.nix +++ b/pkgs/tools/security/amber/default.nix @@ -3,16 +3,16 @@ rustPlatform.buildRustPackage rec { # Renaming it to amber-secret because another package named amber exists pname = "amber-secret"; - version = "0.1.5"; + version = "0.1.6"; src = fetchFromGitHub { owner = "fpco"; repo = "amber"; rev = "v${version}"; - sha256 = "sha256-11dqfOi/DdfFrFTeboPyFkixXG+fCJ2jpHM55qsQ1jw="; + sha256 = "sha256-FoERgkyFCZ1nU01LXpzrqz9eJ9a16L/t+9g8jsABHK4="; }; - cargoHash = "sha256-u0vceIurenYnKfF3gWNw304hX4vVFoszZD7AMwffOmc="; + cargoHash = "sha256-Joy+SO1zR78Eh5eK2bxyT0l3hCuLX/J3u/UvN+++6vg="; buildInputs = lib.optionals stdenv.isDarwin [ Security ]; diff --git a/pkgs/tools/security/ghidra/build.nix b/pkgs/tools/security/ghidra/build.nix index ba23647c9c2db..2a3bb65f8a79b 100644 --- a/pkgs/tools/security/ghidra/build.nix +++ b/pkgs/tools/security/ghidra/build.nix @@ -1,25 +1,27 @@ -{ stdenv -, fetchFromGitHub -, lib -, callPackage -, gradle_7 -, perl -, makeBinaryWrapper -, openjdk17 -, unzip -, makeDesktopItem -, copyDesktopItems -, desktopToDarwinBundle -, icoutils -, xcbuild -, protobuf -, ghidra-extensions +{ + stdenv, + fetchFromGitHub, + lib, + callPackage, + gradle_7, + perl, + makeBinaryWrapper, + openjdk17, + unzip, + makeDesktopItem, + copyDesktopItems, + desktopToDarwinBundle, + xcbuild, + protobuf, + ghidra-extensions, + python3, + python3Packages, }: let pkg_path = "$out/lib/ghidra"; pname = "ghidra"; - version = "11.0.3"; + version = "11.1.1"; releaseName = "NIX"; distroPrefix = "ghidra_${version}_${releaseName}"; 
@@ -27,7 +29,7 @@ let owner = "NationalSecurityAgency"; repo = "Ghidra"; rev = "Ghidra_${version}_build"; - hash = "sha256-IiLxaJvfJcK275FDZEsUCGp7haJjp8O2fUIoM4F9H30="; + hash = "sha256-t96FcAK3JwO66dOf4OhpOfU8CQfAczfF61Cg7m+B3fA="; # populate values that require us to use git. By doing this in postFetch we # can delete .git afterwards and maintain better reproducibility of the src. leaveDotGit = true; @@ -76,26 +78,26 @@ let # Adds a gradle step that downloads all the dependencies to the gradle cache. addResolveStep = '' - cat >>build.gradle <<HERE -task resolveDependencies { - doLast { - project.rootProject.allprojects.each { subProject -> - subProject.buildscript.configurations.each { configuration -> - resolveConfiguration(subProject, configuration, "buildscript config \''${configuration.name}") + cat >>build.gradle <<HERE + task resolveDependencies { + doLast { + project.rootProject.allprojects.each { subProject -> + subProject.buildscript.configurations.each { configuration -> + resolveConfiguration(subProject, configuration, "buildscript config \''${configuration.name}") + } + subProject.configurations.each { configuration -> + resolveConfiguration(subProject, configuration, "config \''${configuration.name}") + } + } } - subProject.configurations.each { configuration -> - resolveConfiguration(subProject, configuration, "config \''${configuration.name}") + } + void resolveConfiguration(subProject, configuration, name) { + if (configuration.canBeResolved) { + logger.info("Resolving project {} {}", subProject.name, name) + configuration.resolve() } } - } -} -void resolveConfiguration(subProject, configuration, name) { - if (configuration.canBeResolved) { - logger.info("Resolving project {} {}", subProject.name, name) - configuration.resolve() - } -} -HERE + HERE ''; # fake build to pre-download deps into fixed-output derivation 
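Review bot: The re-indented `addResolveStep` heredoc only terminates if the closing `HERE` lands at column 0 of the generated script, which now depends on Nix stripping the indented string's common leading whitespace; this page collapses whitespace, so I cannot confirm that the `cat >>build.gradle <<HERE` line and the `HERE` line sit at the same, smallest indentation. If they do not, the delimiter line itself is appended to build.gradle. A comment above the string, e.g. `# keep HERE at the string's base indentation so Nix strips it to column 0`, would protect it from the next reformat. Separately, the delimiter is unquoted, which is why the body needs `\''${configuration.name}`; `<<'HERE'` with plain `''${configuration.name}` would stop the shell from expanding anything in the Gradle snippet.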
@@ -106,7 +108,10 @@ HERE postPatch = addResolveStep; - nativeBuildInputs = [ gradle perl ] ++ lib.optional stdenv.isDarwin xcbuild; + nativeBuildInputs = [ + gradle + perl + ] ++ lib.optional stdenv.isDarwin xcbuild; buildPhase = '' runHook preBuild export HOME="$NIX_BUILD_TOP/home" @@ -132,11 +137,23 @@ HERE ''; outputHashAlgo = "sha256"; outputHashMode = "recursive"; - outputHash = "sha256-nKfJiGoZlDEpbCmYVKNZXz2PYIosCd4nPFdy3MfprHc="; + outputHash = "sha256-66gL4UFlBUo2JIEOXoF6tFvXtBdEX4b2MeSrV1b6Vg4="; }; - -in stdenv.mkDerivation (finalAttrs: { - inherit pname version src patches postPatch; +in +stdenv.mkDerivation (finalAttrs: { + inherit + pname + version + src + patches + postPatch + ; + + # Don't create .orig files if the patch isn't an exact match. + patchFlags = [ + "--no-backup-if-mismatch" + "-p1" + ]; desktopItems = [ (makeDesktopItem { @@ -150,16 +167,20 @@ in stdenv.mkDerivation (finalAttrs: { }) ]; - nativeBuildInputs = [ - gradle - unzip - makeBinaryWrapper - copyDesktopItems - protobuf - ] ++ lib.optionals stdenv.isDarwin [ - xcbuild - desktopToDarwinBundle - ]; + nativeBuildInputs = + [ + gradle + unzip + makeBinaryWrapper + copyDesktopItems + protobuf + python3 + python3Packages.pip + ] + ++ lib.optionals stdenv.isDarwin [ + xcbuild + desktopToDarwinBundle + ]; dontStrip = true; @@ -211,7 +232,10 @@ in stdenv.mkDerivation (finalAttrs: { passthru = { inherit releaseName distroPrefix; - inherit (ghidra-extensions.override { ghidra = finalAttrs.finalPackage; }) buildGhidraExtension buildGhidraScripts; + inherit (ghidra-extensions.override { ghidra = finalAttrs.finalPackage; }) + buildGhidraExtension + buildGhidraScripts + ; withExtensions = callPackage ./with-extensions.nix { ghidra = finalAttrs.finalPackage; }; }; 
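Review bot: The new `patchFlags` in the main derivation (hunk at -132) hides the symptom of a patch that no longer applies cleanly instead of fixing it. GNU patch writes `.orig` backups by default only when a hunk does not match the file exactly, so the comment implies at least one entry in `patches` lands with fuzz or an offset on 11.1.1. The `patches` list is inherited from outside this hunk, so I cannot tell which one. I would rather refresh that patch so it matches exactly, or at least name it in the comment, e.g. `# <patch name> applies with an offset on 11.1.1; suppress the .orig files it leaves behind`.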
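Review bot: `python3` and `python3Packages.pip` are added to the main `nativeBuildInputs` (hunk at -150) with no comment on what they build, and pip's default behaviour is to fetch from a package index. The sandbox should block that in this non-fixed-output derivation, so presumably the build installs from files already in the source tree or the pre-fetched deps; that is worth confirming, since the deps derivation's own `nativeBuildInputs` (hunk at -106) still lists only `gradle` and `perl`. If prebuilt wheels end up in the output, `sourceProvenance` may need more than `binaryBytecode # deps`. I would add a one-line comment such as `# <what pip builds here>; must run offline against pre-fetched files`.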
@@ -221,14 +245,21 @@ in stdenv.mkDerivation (finalAttrs: { description = "Software reverse engineering (SRE) suite of tools"; mainProgram = "ghidra"; homepage = "https://ghidra-sre.org/"; - platforms = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ]; + platforms = [ + "x86_64-linux" + "aarch64-linux" + "x86_64-darwin" + "aarch64-darwin" + ]; sourceProvenance = with sourceTypes; [ fromSource - binaryBytecode # deps + binaryBytecode # deps ]; license = licenses.asl20; - maintainers = with maintainers; [ roblabla vringar ]; + maintainers = with maintainers; [ + roblabla + vringar + ]; broken = stdenv.isDarwin && stdenv.isx86_64; }; - }) diff --git a/pkgs/tools/security/notary/default.nix b/pkgs/tools/security/notary/default.nix deleted file mode 100644 index be147369ffe29..0000000000000 --- a/pkgs/tools/security/notary/default.nix +++ /dev/null 
@@ -1,66 +0,0 @@ -{ lib, fetchFromGitHub, buildGoPackage, libtool }: - -buildGoPackage rec { - pname = "notary"; - version = "0.6.1"; - gitcommit = "d6e1431f"; - - src = fetchFromGitHub { - owner = "theupdateframework"; - repo = "notary"; - rev = "v${version}"; - sha256 = "1ak9dk6vjny5069hp3w36dbjawcnaq82l3i2qvf7mn7zfglbsnf9"; - }; - - patches = [ ./no-git-usage.patch ]; - - buildInputs = [ libtool ]; - buildPhase = '' - runHook preBuild - cd go/src/github.com/theupdateframework/notary - SKIPENVCHECK=1 make client GITCOMMIT=${gitcommit} - runHook postBuild - ''; - - goPackagePath = "github.com/theupdateframework/notary"; - - installPhase = '' - runHook preInstall - install -D bin/notary $out/bin/notary - runHook postInstall - ''; - - #doCheck = true; # broken by tzdata: 2018g -> 2019a - checkPhase = '' - make test PKGS=github.com/theupdateframework/notary/cmd/notary - ''; - - meta = with lib; { - description = "Project that allows anyone to have trust over arbitrary collections of data"; - mainProgram = "notary"; - longDescription = '' - The Notary project comprises a server and a client for running and - interacting with trusted collections. See the service architecture - documentation for more information. - - Notary aims to make the internet more secure by making it easy for people - to publish and verify content. We often rely on TLS to secure our - communications with a web server which is inherently flawed, as any - compromise of the server enables malicious content to be substituted for - the legitimate content. - - With Notary, publishers can sign their content offline using keys kept - highly secure. Once the publisher is ready to make the content available, - they can push their signed trusted collection to a Notary Server. 
- - Consumers, having acquired the publisher's public key through a secure - channel, can then communicate with any notary server or (insecure) mirror, - relying only on the publisher's key to determine the validity and - integrity of the received content. - ''; - license = licenses.asl20; - homepage = "https://github.com/theupdateframework/notary"; - maintainers = with maintainers; [ vdemeester ]; - platforms = platforms.unix; - }; -} diff --git a/pkgs/tools/security/notary/no-git-usage.patch b/pkgs/tools/security/notary/no-git-usage.patch deleted file mode 100644 index 363eefe36921d..0000000000000 --- a/pkgs/tools/security/notary/no-git-usage.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/Makefile b/Makefile -index ab794165..0cbd047f 100644 ---- a/Makefile -+++ b/Makefile -@@ -5,8 +5,8 @@ PREFIX?=$(shell pwd) - # Add to compile time flags - NOTARY_PKG := github.com/theupdateframework/notary - NOTARY_VERSION := $(shell cat NOTARY_VERSION) --GITCOMMIT := $(shell git rev-parse --short HEAD) --GITUNTRACKEDCHANGES := $(shell git status --porcelain --untracked-files=no) -+GITCOMMIT ?= $(shell git rev-parse --short HEAD) -+GITUNTRACKEDCHANGES := - ifneq ($(GITUNTRACKEDCHANGES),) - GITCOMMIT := $(GITCOMMIT)-dirty - endif diff --git a/pkgs/tools/security/onlykey-agent/default.nix b/pkgs/tools/security/onlykey-agent/default.nix index c88e1d2b064d9..36a1cb2847596 100644 --- a/pkgs/tools/security/onlykey-agent/default.nix +++ b/pkgs/tools/security/onlykey-agent/default.nix @@ -52,7 +52,7 @@ python3Packages.buildPythonApplication rec { sha256 = "sha256-SbGb7CjcD7cFPvASZtip56B4uxRiFKZBvbsf6sb8fds="; }; - propagatedBuildInputs = with python3Packages; [ lib-agent onlykey-cli ]; + propagatedBuildInputs = with python3Packages; [ lib-agent onlykey-cli setuptools ]; # move the python library into the sitePackages. postInstall = '' diff --git a/pkgs/tools/security/spire/default.nix b/pkgs/tools/security/spire/default.nix index 861167c15ae82..82e4d3624d1e6 100644 
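Review bot: `setuptools` is added to `propagatedBuildInputs` in onlykey-agent without a comment, so the next maintainer cannot tell whether it is a real runtime dependency or a leftover. Presumably the agent or one of its libraries imports `pkg_resources` at run time; confirm which, and record it, e.g. `# setuptools: <module> imports pkg_resources at runtime`. The `buildPythonApplication` block starts and ends outside this hunk.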
--- a/pkgs/tools/security/spire/default.nix +++ b/pkgs/tools/security/spire/default.nix @@ -32,6 +32,6 @@ buildGoModule rec { homepage = "https://github.com/spiffe/spire"; changelog = "https://github.com/spiffe/spire/releases/tag/v${version}"; license = licenses.asl20; - maintainers = with maintainers; [ jonringer fkautz ]; + maintainers = with maintainers; [ fkautz ]; }; } diff --git a/pkgs/tools/security/uncover/default.nix b/pkgs/tools/security/uncover/default.nix index 7bb56ce21451e..70dd968456ad2 100644 --- a/pkgs/tools/security/uncover/default.nix +++ b/pkgs/tools/security/uncover/default.nix @@ -5,16 +5,16 @@ buildGoModule rec { pname = "uncover"; - version = "1.0.8"; + version = "1.0.9"; src = fetchFromGitHub { owner = "projectdiscovery"; repo = pname; rev = "refs/tags/v${version}"; - hash = "sha256-iBZwR4hEd1pmmq4WzY/kfwHmpFj/MG+xGitbIQI8K5I="; + hash = "sha256-avGbawIeh7ZUtacRLo/tLz4D6U7JAlu9BXDYu/xvoa0="; }; - vendorHash = "sha256-cf9Itdz1hR74TVoFOsOdUcrvEuT57RZn2tgrEXU4c8E="; + vendorHash = "sha256-93iXho+WCQyhw9DoLgo9ZKiPrd88D2ibgp1M9uP7bUU="; meta = with lib; { description = "API wrapper to search for exposed hosts"; diff --git a/pkgs/tools/security/vals/default.nix b/pkgs/tools/security/vals/default.nix index ff7f8246ef060..0d0d1070bbd7f 100644 --- a/pkgs/tools/security/vals/default.nix +++ b/pkgs/tools/security/vals/default.nix @@ -2,16 +2,16 @@ buildGoModule rec { pname = "vals"; - version = "0.37.2"; + version = "0.37.3"; src = fetchFromGitHub { rev = "v${version}"; owner = "helmfile"; repo = pname; - sha256 = "sha256-L0T0Lu5UP/KG2jdJfw5lM6/FagZUpMLGNWyf4tktzmQ="; + sha256 = "sha256-RCvqoikROFpFvza24PGocdxFaOI6hZLSy3Jnag7Oz4s="; }; - vendorHash = "sha256-7ethl7BL6JBzIbyvpUE2TdvvPWs/CUvJQhjH2P5UCTY="; + vendorHash = "sha256-iKfNAQRsVUjhUmDH/HevnDnocQm4k9jEfW40+AncojM="; proxyVendor = true; |