Signed Crypto Gets Its Own Tarball
By mkupfer on Nov 25, 2009
The OS/Net (ON) component of OpenSolaris has some closed-source code. The binaries for this code (well, the binaries that are redistributable) are made available to non-Sun developers in the form of a compressed tar file, which the build tools incorporate into BFU archives or packages. These closed-bins tarballs also contain binaries for open-source cryptographic code. To satisfy US government regulations, the OpenSolaris cryptography framework requires that certain crypto binaries be signed. Most external developers don't have the necessary key and certificate to sign their binaries, so we provide a working set for them.
This setup has worked okay since the launch of OpenSolaris in 2005, but it's got a couple problems. First, bindrop, the script that puts the crypto binaries into the closed-bins tarball, works off a hard-coded list. As with any manually-maintained list, this introduces a risk that it will not be updated when a new crypto module is added to the
bindrop gets the crypto binaries by extracting them from the SVR4-format packages that are generated from the ON gate. With the upcoming move to IPS, those packages will go away, and it will be much harder to extract the binaries from the IPS packages that will replace them.
So I'm working on changes to the way we deliver the signed crypto binaries. First, we'll be splitting the crypto out into its own tarball. This gives us more flexibility about when we deliver the crypto binaries. Second, instead of using a hard-coded list, we'll scan the proto area, which is the staging area before files are packaged. Any properly signed binaries will be included in the crypto tarball. If you're interested, CR 6855998 has more details.
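The proto-area scan described above, as an added example that is not the ON build tools' own code: it walks a staging tree, selects ELF objects that carry a signature section, and packs them into a tarball. It assumes the signature is stored in an ELF section named `.SUNW_signature`, as written by `elfsign`; it only detects that section and does not check the signature itself, which is what `elfsign verify` does. The function names are hypothetical.

```python
import os
import struct
import tarfile

SIG_SECTION = b".SUNW_signature"  # assumption: section name written by elfsign
# Per ELF class: (e_shoff fmt, e_shoff pos, e_shentsize pos, sh_offset+sh_size fmt, sh_offset pos)
LAYOUT = {1: ("I", 32, 46, "II", 16), 2: ("Q", 40, 58, "QQ", 24)}

def has_signature_section(path):
    """True if path is an ELF object that has a SIG_SECTION section."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or len(data) < 6 or data[4] not in LAYOUT or data[5] not in (1, 2):
        return False
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    off_fmt, off_pos, ent_pos, pair_fmt, pair_pos = LAYOUT[data[4]]
    try:
        shoff, = struct.unpack_from(end + off_fmt, data, off_pos)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, ent_pos)
        if shoff == 0 or shstrndx >= shnum:
            return False
        # Locate the section-name string table, then compare every section's name.
        str_off, str_size = struct.unpack_from(end + pair_fmt, data, shoff + shstrndx * shentsize + pair_pos)
        strtab = data[str_off:str_off + str_size]
        for i in range(shnum):
            name_idx, = struct.unpack_from(end + "I", data, shoff + i * shentsize)
            if strtab[name_idx:].split(b"\0", 1)[0] == SIG_SECTION:
                return True
    except struct.error:
        pass  # truncated or malformed headers: treat as unsigned
    return False

def find_signed(proto_root):
    """Sorted relative paths of regular files under proto_root that carry a signature section."""
    found = []
    for dirpath, _dirs, files in os.walk(proto_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full) and has_signature_section(full):
                found.append(os.path.relpath(full, proto_root))
    return sorted(found)

def build_crypto_tarball(proto_root, out_path):
    """Write the signed objects to a gzip tarball; return the member list for logging or review."""
    members = find_signed(proto_root)
    with tarfile.open(out_path, "w:gz") as tar:
        for rel in members:
            tar.add(os.path.join(proto_root, rel), arcname=rel)
    return members
```

Because the list is derived from the tree rather than maintained by hand, comparing the returned member list between builds shows when a crypto module has appeared or dropped out.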
The code for this has been written, though it still needs a little more polishing, like making sure that error messages are handled correctly. I'm hoping to get this into build 130, but it might slip into 131.