#61884 closed defect (fixed)
yubico-piv-tool fails to build after libressl upgrade to 3.2.3
| Reported by: | bK4gYuRo | Owned by: | lbschenkel (Leonardo Brondani Schenkel) |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | |
| Keywords: | Cc: | bK4gYuRo, drebes (Roberto Jung Drebes) | |
| Port: | yubico-piv-tool |
Description
After libressl was upgraded to 3.2.3, yubico-piv-tool fails to build. It looks like it stumbles here:
:info:build [ 98%] Building manpage for yubico-piv-tool :info:build cd /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/tool && /opt/local/bin/help2man -s1 -N -o /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/tool/yubico-piv-tool.1 ./yubico-piv-tool :info:build sh: line 1: 89541 Abort trap: 6 ./yubico-piv-tool --help 2> /dev/null :info:build help2man: can't get `--help' info from ./yubico-piv-tool :info:build Try `--no-discard-stderr' if option outputs to stderr :info:build make[2]: *** [tool/yubico-piv-tool.1] Error 134
If I run the failing command without redirection to /dev/null, it shows this error:
$ ./yubico-piv-tool --help dyld: Library not loaded: /opt/local/lib/libykpiv.1.dylib Referenced from: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/tool/./yubico-piv-tool Reason: image not found Abort
Before my attempt to upgrade, the library existed:
$ ls -l /opt/local/lib/libykpiv.1.dylib lrwxr-xr-x 1 root admin 20 Oct 10 07:25 /opt/local/lib/libykpiv.1.dylib -> libykpiv.2.1.1.dylib
and it was part of the port I am trying to build:
$ port provides /opt/local/lib/libykpiv.2.1.1.dylib /opt/local/lib/libykpiv.2.1.1.dylib is provided by: yubico-piv-tool
Attachments (1)
Change History (14)
Changed 3 years ago by bK4gYuRo
comment:1 Changed 3 years ago by bK4gYuRo
| Cc: | bK4gYuRo added |
|---|
comment:2 Changed 3 years ago by bK4gYuRo
comment:3 follow-up: 13 Changed 3 years ago by bK4gYuRo
Shouldn't build process use something like this to point to the library in a temporary location:
$ DYLD_FALLBACK_LIBRARY_PATH=/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/lib ./yubico-piv-tool --help
yubico-piv-tool 2.1.1
Usage: yubico-piv-tool [OPTIONS]...
-h, --help Print help and exit
--full-help Print help, including hidden options, and exit
-V, --version Print version and exit
-v, --verbose[=INT] Print more information (default=`0')
-r, --reader=STRING Only use a matching reader (default=`Yubikey')
-k, --key[=STRING] Management key to use, if no value is specified key
will be asked for
(default=`010203040506070801020304050607080102030405060708')
-a, --action=ENUM Action to take (possible values="version",
"generate", "set-mgm-key", "reset",
"pin-retries", "import-key",
"import-certificate", "set-chuid",
"request-certificate", "verify-pin",
"change-pin", "change-puk", "unblock-pin",
"selfsign-certificate", "delete-certificate",
"read-certificate", "status",
"test-signature", "test-decipher",
"list-readers", "set-ccc", "write-object",
"read-object", "attest")
Multiple actions may be given at once and will be executed in order
for example --action=verify-pin --action=request-certificate
-s, --slot=ENUM What key slot to operate on (possible
values="9a", "9c", "9d", "9e", "82",
"83", "84", "85", "86", "87", "88",
"89", "8a", "8b", "8c", "8d", "8e",
"8f", "90", "91", "92", "93", "94",
"95", "f9")
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
9d is for Key Management
9e is for Card Authentication (PIN never checked)
82-95 is for Retired Key Management
f9 is for Attestation
-A, --algorithm=ENUM What algorithm to use (possible values="RSA1024",
"RSA2048", "ECCP256", "ECCP384"
default=`RSA2048')
-H, --hash=ENUM Hash to use for signatures (possible
values="SHA1", "SHA256", "SHA384",
"SHA512" default=`SHA256')
-n, --new-key=STRING New management key to use for action set-mgm-key, if
omitted key will be asked for
--pin-retries=INT Number of retries before the pin code is blocked
--puk-retries=INT Number of retries before the puk code is blocked
-i, --input=STRING Filename to use as input, - for stdin (default=`-')
-o, --output=STRING Filename to use as output, - for stdout
(default=`-')
-K, --key-format=ENUM Format of the key being read/written (possible
values="PEM", "PKCS12", "GZIP", "DER",
"SSH" default=`PEM')
-p, --password=STRING Password for decryption of private key file, if
omitted password will be asked for
-S, --subject=STRING The subject to use for certificate request
The subject must be written as:
/CN=host.example.com/OU=test/O=example.com/
--serial=INT Serial number of the self-signed certificate
--valid-days=INT Time (in days) until the self-signed certificate
expires (default=`365')
-P, --pin=STRING Pin/puk code for verification, if omitted pin/puk
will be asked for
-N, --new-pin=STRING New pin/puk code for changing, if omitted pin/puk
will be asked for
--pin-policy=ENUM Set pin policy for action generate or import-key.
Only available on YubiKey 4 (possible
values="never", "once", "always")
--touch-policy=ENUM Set touch policy for action generate, import-key or
set-mgm-key. Only available on YubiKey 4
(possible values="never", "always",
"cached")
--id=INT Id of object for write/read object
-f, --format=ENUM Format of data for write/read object (possible
values="hex", "base64", "binary"
default=`hex')
--attestation Add attestation cross-signature (default=off)
comment:4 Changed 3 years ago by bK4gYuRo
Another data point: I upgraded cmake to cmake @3.19.1_2+universal today before trying to rebuild yubico-piv-tool for the new version of libressl
comment:5 Changed 3 years ago by mf2k (Frank Schima)
| Cc: | lbschenkel removed |
|---|---|
| Owner: | set to lbschenkel |
| Status: | new → assigned |
comment:6 Changed 3 years ago by bK4gYuRo
According to /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/CMakeLists.txt: set(GENERATE_MAN_PAGES OFF), it should not generate man pages, but the cache has the opposite value: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/CMakeCache.txt:GENERATE_MAN_PAGES:BOOL=ON
Also, options file sets it to on: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/cmake/options.cmake:option(GENERATE_MAN_PAGES "Generate man pages for the command line tool" ON)
Options file has quite old timestamp:
$ ls -l /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/cmake/options.cmake -rw-r--r-- 1 macports wheel 3851 Jul 20 02:37 /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/cmake/options.cmake
I just don't know how I managed to build yubico-piv-tool without man pages back in October:
$ port content yubico-piv-tool Port yubico-piv-tool contains: /opt/local/bin/yubico-piv-tool /opt/local/include/ykpiv/ykpiv-config.h /opt/local/include/ykpiv/ykpiv.h /opt/local/lib/libykcs11.1.dylib /opt/local/lib/libykcs11.2.1.1.dylib /opt/local/lib/libykcs11.a /opt/local/lib/libykcs11.dylib /opt/local/lib/libykpiv.1.dylib /opt/local/lib/libykpiv.2.1.1.dylib /opt/local/lib/libykpiv.a /opt/local/lib/libykpiv.dylib /opt/local/lib/pkcs11/libykcs11.so /opt/local/lib/pkgconfig/ykcs11.pc /opt/local/lib/pkgconfig/ykpiv.pc /opt/local/share/p11-kit/modules/yubico-piv-tool.module $ ls -l /opt/local/bin/yubico-piv-tool -rwxr-xr-x 1 root admin 86880 Oct 10 07:25 /opt/local/bin/yubico-piv-tool
comment:7 Changed 3 years ago by bK4gYuRo
I am just guessing, could configure command have had -DCMAKE_GENERATE_MAN_PAGES=OFF in the previous version of macports?
:info:configure Executing: cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-too l/yubico-piv-tool/work/yubico-piv-tool-2.1.1" && /opt/local/bin/cmake -DCMAKE_INSTALL_PREFIX='/opt/local' -DCMAKE_BUILD_TYPE=Release -DCMAKE_BUILD_WITH_INSTALL_RPATH=ON -DCMAKE_C_COMPILER="$CC" -DCMAKE_COLOR_MAKEFILE=ON -DCMAKE_CXX_COMPILER="$CXX" -DCMAKE_FIND_FRAMEWORK=LAST -DCMAKE_INSTALL_NAME_DIR=/opt/local/lib -DCMAKE_INSTALL_RPAT H=/opt/local/lib -DCMAKE_MAKE_PROGRAM=/usr/bin/make -DCMAKE_MODULE_PATH=/opt/local/share/cmake/Modules -DCMAKE_SYSTEM_PREFIX_PATH="/opt/local;/opt/local;/usr" -DCMAKE_V ERBOSE_MAKEFILE=ON -DCMAKE_POLICY_DEFAULT_CMP0025=NEW -Wno-dev -DCMAKE_C_FLAGS_RELEASE="-DNDEBUG" -DCMAKE_CXX_FLAGS_RELEASE="-DNDEBUG" -DCMAKE_OSX_ARCHITECTURES="x86_64 " -DCMAKE_OSX_DEPLOYMENT_TARGET="10.13" -DCMAKE_OSX_SYSROOT="/" /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarbal ls_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1
comment:8 Changed 3 years ago by kencu (Ken)
This:
$ ./yubico-piv-tool --help dyld: Library not loaded: /opt/local/lib/libykpiv.1.dylib Referenced from: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/tool/./yubico-piv-tool Reason: image not found
could be caused by the cmake PortGroup setting this option:
-DCMAKE_BUILD_WITH_INSTALL_RPATH=ON
Every once in a while we come across a port that won't work right with this, and this might be one of them. To override this, in the Portfile we put:
configure.args-replace -DCMAKE_BUILD_WITH_INSTALL_RPATH=ON -DCMAKE_BUILD_WITH_INSTALL_RPATH=OFF
comment:9 Changed 3 years ago by kencu (Ken)
or don't build the manpages maybe, and never run the failing tool at all, sure.
comment:10 Changed 3 years ago by drebes (Roberto Jung Drebes)
| Cc: | drebes added |
|---|
comment:11 Changed 3 years ago by drebes (Roberto Jung Drebes)
I was having the same issue and can confirm that adding
configure.args-append -DCMAKE_BUILD_WITH_INSTALL_RPATH=OFF
to the end of yubico-piv-tool/Portfile made the port successfully build for me.
comment:12 Changed 3 years ago by lbschenkel (Leonardo Brondani Schenkel)
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
comment:13 Changed 3 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to bK4gYuRo:
Shouldn't build process use something like this to point to the library in a temporary location:
$ DYLD_FALLBACK_LIBRARY_PATH=/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/lib ./yubico-piv-tool --help
The correct environment variable for this scenario is DYLD_LIBRARY_PATH not DYLD_FALLBACK_LIBRARY_PATH.
Maybe libressl upgrade is not related to the problem. I guess port version 2.6.4 has something to do with it. The library in question is built, but it is in this location before port is installed:
yubico-piv-tool looks for it in /opt/local/lib, but it is not there yet.
I am not sure how it worked before.