Opened 12 months ago

Closed 10 months ago

Last modified 10 months ago

#61884 closed defect (fixed)

yubico-piv-tool fails to build after libressl upgrade to 3.2.3

Reported by: bK4gYuRo Owned by: lbschenkel (Leonardo Brondani Schenkel)
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc: bK4gYuRo, drebes (Roberto Jung Drebes)
Port: yubico-piv-tool

Description

After libressl was upgraded to 3.2.3, yubico-piv-tool fails to build. It looks like it stumbles here:

:info:build [ 98%] Building manpage for yubico-piv-tool
:info:build cd /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/tool && /opt/local/bin/help2man -s1 -N -o /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/tool/yubico-piv-tool.1 ./yubico-piv-tool
:info:build sh: line 1: 89541 Abort trap: 6           ./yubico-piv-tool --help 2> /dev/null
:info:build help2man: can't get `--help' info from ./yubico-piv-tool
:info:build Try `--no-discard-stderr' if option outputs to stderr
:info:build make[2]: *** [tool/yubico-piv-tool.1] Error 134

If I run the failing command without redirection to /dev/null, it shows this error:

$ ./yubico-piv-tool --help
dyld: Library not loaded: /opt/local/lib/libykpiv.1.dylib
  Referenced from: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/tool/./yubico-piv-tool
  Reason: image not found
Abort

Before my attempt to upgrade, the library existed:

$ ls -l /opt/local/lib/libykpiv.1.dylib
lrwxr-xr-x  1 root  admin  20 Oct 10 07:25 /opt/local/lib/libykpiv.1.dylib -> libykpiv.2.1.1.dylib

and it was part of the port I am trying to build:

$ port provides /opt/local/lib/libykpiv.2.1.1.dylib
/opt/local/lib/libykpiv.2.1.1.dylib is provided by: yubico-piv-tool

Attachments (1)

main.log (174.0 KB) - added by bK4gYuRo 12 months ago.


Change History (14)

Changed 12 months ago by bK4gYuRo

Attachment: main.log added

comment:1 Changed 12 months ago by bK4gYuRo

Cc: bK4gYuRo added

comment:2 Changed 12 months ago by bK4gYuRo

Maybe the libressl upgrade is not related to the problem. I guess port version 2.6.4 has something to do with it. The library in question is built, but it is in this location before the port is installed:

$ find /opt/local -name libykpiv.1.dylib
/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/lib/libykpiv.1.dylib

yubico-piv-tool looks for it in /opt/local/lib, but it is not there yet.

I am not sure how it worked before.

comment:3 Changed 12 months ago by bK4gYuRo

Shouldn't the build process use something like this to point to the library in a temporary location:

$ DYLD_FALLBACK_LIBRARY_PATH=/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/lib ./yubico-piv-tool --help
yubico-piv-tool 2.1.1

Usage: yubico-piv-tool [OPTIONS]...

  -h, --help               Print help and exit
      --full-help          Print help, including hidden options, and exit
  -V, --version            Print version and exit
  -v, --verbose[=INT]      Print more information  (default=`0')
  -r, --reader=STRING      Only use a matching reader  (default=`Yubikey')
  -k, --key[=STRING]       Management key to use, if no value is specified key
                             will be asked for
                             (default=`010203040506070801020304050607080102030405060708')
  -a, --action=ENUM        Action to take  (possible values="version",
                             "generate", "set-mgm-key", "reset",
                             "pin-retries", "import-key",
                             "import-certificate", "set-chuid",
                             "request-certificate", "verify-pin",
                             "change-pin", "change-puk", "unblock-pin",
                             "selfsign-certificate", "delete-certificate",
                             "read-certificate", "status",
                             "test-signature", "test-decipher",
                             "list-readers", "set-ccc", "write-object",
                             "read-object", "attest")

       Multiple actions may be given at once and will be executed in order
       for example --action=verify-pin --action=request-certificate

  -s, --slot=ENUM          What key slot to operate on  (possible
                             values="9a", "9c", "9d", "9e", "82",
                             "83", "84", "85", "86", "87", "88",
                             "89", "8a", "8b", "8c", "8d", "8e",
                             "8f", "90", "91", "92", "93", "94",
                             "95", "f9")

       9a is for PIV Authentication
       9c is for Digital Signature (PIN always checked)
       9d is for Key Management
       9e is for Card Authentication (PIN never checked)
       82-95 is for Retired Key Management
       f9 is for Attestation

  -A, --algorithm=ENUM     What algorithm to use  (possible values="RSA1024",
                             "RSA2048", "ECCP256", "ECCP384"
                             default=`RSA2048')
  -H, --hash=ENUM          Hash to use for signatures  (possible
                             values="SHA1", "SHA256", "SHA384",
                             "SHA512" default=`SHA256')
  -n, --new-key=STRING     New management key to use for action set-mgm-key, if
                             omitted key will be asked for
      --pin-retries=INT    Number of retries before the pin code is blocked
      --puk-retries=INT    Number of retries before the puk code is blocked
  -i, --input=STRING       Filename to use as input, - for stdin  (default=`-')
  -o, --output=STRING      Filename to use as output, - for stdout
                             (default=`-')
  -K, --key-format=ENUM    Format of the key being read/written  (possible
                             values="PEM", "PKCS12", "GZIP", "DER",
                             "SSH" default=`PEM')
  -p, --password=STRING    Password for decryption of private key file, if
                             omitted password will be asked for
  -S, --subject=STRING     The subject to use for certificate request

       The subject must be written as:
       /CN=host.example.com/OU=test/O=example.com/

      --serial=INT         Serial number of the self-signed certificate
      --valid-days=INT     Time (in days) until the self-signed certificate
                             expires  (default=`365')
  -P, --pin=STRING         Pin/puk code for verification, if omitted pin/puk
                             will be asked for
  -N, --new-pin=STRING     New pin/puk code for changing, if omitted pin/puk
                             will be asked for
      --pin-policy=ENUM    Set pin policy for action generate or import-key.
                             Only available on YubiKey 4  (possible
                             values="never", "once", "always")
      --touch-policy=ENUM  Set touch policy for action generate, import-key or
                             set-mgm-key. Only available on YubiKey 4
                             (possible values="never", "always",
                             "cached")
      --id=INT             Id of object for write/read object
  -f, --format=ENUM        Format of data for write/read object  (possible
                             values="hex", "base64", "binary"
                             default=`hex')
      --attestation        Add attestation cross-signature  (default=off)

comment:4 Changed 12 months ago by bK4gYuRo

Another data point: I upgraded cmake to cmake @3.19.1_2+universal today before trying to rebuild yubico-piv-tool for the new version of libressl.

comment:5 Changed 12 months ago by mf2k (Frank Schima)

Cc: lbschenkel removed
Owner: set to lbschenkel
Status: new → assigned

comment:6 Changed 12 months ago by bK4gYuRo

According to /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/CMakeLists.txt: set(GENERATE_MAN_PAGES OFF), it should not generate man pages, but the cache has the opposite value: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/CMakeCache.txt:GENERATE_MAN_PAGES:BOOL=ON

Also, options file sets it to on: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/cmake/options.cmake:option(GENERATE_MAN_PAGES "Generate man pages for the command line tool" ON)

The options file has quite an old timestamp:

$ ls -l /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/cmake/options.cmake
-rw-r--r--  1 macports  wheel  3851 Jul 20 02:37 /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/cmake/options.cmake

I just don't know how I managed to build yubico-piv-tool without man pages back in October:

$ port content yubico-piv-tool
Port yubico-piv-tool contains:
  /opt/local/bin/yubico-piv-tool
  /opt/local/include/ykpiv/ykpiv-config.h
  /opt/local/include/ykpiv/ykpiv.h
  /opt/local/lib/libykcs11.1.dylib
  /opt/local/lib/libykcs11.2.1.1.dylib
  /opt/local/lib/libykcs11.a
  /opt/local/lib/libykcs11.dylib
  /opt/local/lib/libykpiv.1.dylib
  /opt/local/lib/libykpiv.2.1.1.dylib
  /opt/local/lib/libykpiv.a
  /opt/local/lib/libykpiv.dylib
  /opt/local/lib/pkcs11/libykcs11.so
  /opt/local/lib/pkgconfig/ykcs11.pc
  /opt/local/lib/pkgconfig/ykpiv.pc
  /opt/local/share/p11-kit/modules/yubico-piv-tool.module
$ ls -l /opt/local/bin/yubico-piv-tool
-rwxr-xr-x  1 root  admin  86880 Oct 10 07:25 /opt/local/bin/yubico-piv-tool

comment:7 Changed 12 months ago by bK4gYuRo

I am just guessing: could the configure command have had -DCMAKE_GENERATE_MAN_PAGES=OFF in the previous version of MacPorts?

:info:configure Executing:  cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1" && /opt/local/bin/cmake -DCMAKE_INSTALL_PREFIX='/opt/local' -DCMAKE_BUILD_TYPE=Release -DCMAKE_BUILD_WITH_INSTALL_RPATH=ON -DCMAKE_C_COMPILER="$CC" -DCMAKE_COLOR_MAKEFILE=ON -DCMAKE_CXX_COMPILER="$CXX" -DCMAKE_FIND_FRAMEWORK=LAST -DCMAKE_INSTALL_NAME_DIR=/opt/local/lib -DCMAKE_INSTALL_RPATH=/opt/local/lib -DCMAKE_MAKE_PROGRAM=/usr/bin/make -DCMAKE_MODULE_PATH=/opt/local/share/cmake/Modules -DCMAKE_SYSTEM_PREFIX_PATH="/opt/local;/opt/local;/usr" -DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_POLICY_DEFAULT_CMP0025=NEW -Wno-dev -DCMAKE_C_FLAGS_RELEASE="-DNDEBUG" -DCMAKE_CXX_FLAGS_RELEASE="-DNDEBUG" -DCMAKE_OSX_ARCHITECTURES="x86_64" -DCMAKE_OSX_DEPLOYMENT_TARGET="10.13" -DCMAKE_OSX_SYSROOT="/" /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1

comment:8 Changed 12 months ago by kencu (Ken)

This:

$ ./yubico-piv-tool --help
dyld: Library not loaded: /opt/local/lib/libykpiv.1.dylib
  Referenced from: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/tool/./yubico-piv-tool
  Reason: image not found

could be caused by the cmake PortGroup setting this option:

-DCMAKE_BUILD_WITH_INSTALL_RPATH=ON

Every once in a while we come across a port that won't work right with this, and this might be one of them. To override this, in the Portfile we put:

configure.args-replace -DCMAKE_BUILD_WITH_INSTALL_RPATH=ON -DCMAKE_BUILD_WITH_INSTALL_RPATH=OFF

comment:9 Changed 12 months ago by kencu (Ken)

or don't build the manpages maybe, and never run the failing tool at all, sure.

comment:10 Changed 11 months ago by drebes (Roberto Jung Drebes)

Cc: drebes added

comment:11 Changed 11 months ago by drebes (Roberto Jung Drebes)

I was having the same issue and can confirm that adding

configure.args-append -DCMAKE_BUILD_WITH_INSTALL_RPATH=OFF

to the end of yubico-piv-tool/Portfile made the port successfully build for me.

comment:12 Changed 10 months ago by lbschenkel (Leonardo Brondani Schenkel)

Resolution: fixed
Status: assigned → closed

In cd308ff42b2d3c63d92713ee308e7975b96a87a3/macports-ports (master):

yubico-piv-tool: fix build failure

Fixes: #61884

comment:13 in reply to:  3 Changed 10 months ago by ryandesign (Ryan Schmidt)

Replying to bK4gYuRo:

Shouldn't the build process use something like this to point to the library in a temporary location:

$ DYLD_FALLBACK_LIBRARY_PATH=/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/lib ./yubico-piv-tool --help

The correct environment variable for this scenario is DYLD_LIBRARY_PATH, not DYLD_FALLBACK_LIBRARY_PATH.
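
Added example (not part of the ticket and not MacPorts or dyld code): a simplified shell model of dyld's lookup order for a dependency recorded by full path, showing why the fallback variable only appears to work while nothing is installed under the prefix yet. The function names and the temporary directories standing in for /opt/local and the port's work directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Simplified model of how dyld resolves a dependency recorded by full path.
# search_dirs COLON_SEPARATED_DIRS LEAF: print the first DIR/LEAF that exists.
search_dirs() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        if [ -n "$dir" ] && [ -e "$dir/$2" ]; then
            IFS=$old_ifs; echo "$dir/$2"; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# resolve_dylib INSTALL_NAME LIBRARY_PATH FALLBACK_PATH
# Prints the file that would be loaded; returns 1 for "image not found".
resolve_dylib() {
    install_name=$1 library_path=$2 fallback_path=$3
    leaf=${install_name##*/}
    # 1. DYLD_LIBRARY_PATH directories, matched by leaf name, are tried first.
    if search_dirs "$library_path" "$leaf"; then return 0; fi
    # 2. Then the path exactly as recorded in the binary.
    if [ -e "$install_name" ]; then echo "$install_name"; return 0; fi
    # 3. DYLD_FALLBACK_LIBRARY_PATH is consulted only when 1 and 2 fail.
    if search_dirs "$fallback_path" "$leaf"; then return 0; fi
    return 1
}

# Constructed stand-ins: PREFIX plays /opt/local, WORK plays the build tree.
demo_root=$(mktemp -d)
PREFIX=$demo_root/prefix WORK=$demo_root/work
mkdir -p "$PREFIX/lib" "$WORK/lib"
: > "$WORK/lib/libykpiv.1.dylib"     # freshly built, not installed yet
NAME=$PREFIX/lib/libykpiv.1.dylib    # path named in the dyld error above

echo "clean prefix, no variables: $(resolve_dylib "$NAME" "" "" || echo 'image not found')"
echo "clean prefix, fallback set: $(resolve_dylib "$NAME" "" "$WORK/lib")"

: > "$NAME"                          # an older copy is already installed
echo "upgrade, fallback set:      $(resolve_dylib "$NAME" "" "$WORK/lib")"
echo "upgrade, library path set:  $(resolve_dylib "$NAME" "$WORK/lib" "")"
```

In the upgrade case the fallback setting silently loads the already-installed copy under the prefix instead of the one just built, so the build would run the new tool against an old library.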
