#61884 closed defect (fixed)
yubico-piv-tool fails to build after libressl upgrade to 3.2.3
| Reported by: | bK4gYuRo | Owned by: | lbschenkel (Leonardo Brondani Schenkel) |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | |
| Keywords: | | Cc: | bK4gYuRo, drebes (Roberto Jung Drebes) |
| Port: | yubico-piv-tool | | |
Description
After libressl was upgraded to 3.2.3, yubico-piv-tool fails to build. It looks like it stumbles here:
```
:info:build [ 98%] Building manpage for yubico-piv-tool
:info:build cd /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/tool && /opt/local/bin/help2man -s1 -N -o /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/tool/yubico-piv-tool.1 ./yubico-piv-tool
:info:build sh: line 1: 89541 Abort trap: 6 ./yubico-piv-tool --help 2> /dev/null
:info:build help2man: can't get `--help' info from ./yubico-piv-tool
:info:build Try `--no-discard-stderr' if option outputs to stderr
:info:build make[2]: *** [tool/yubico-piv-tool.1] Error 134
```
If I run the failing command without redirection to /dev/null, it shows this error:
```
$ ./yubico-piv-tool --help
dyld: Library not loaded: /opt/local/lib/libykpiv.1.dylib
  Referenced from: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/tool/./yubico-piv-tool
  Reason: image not found
Abort
```
Before my attempt to upgrade, the library existed:
```
$ ls -l /opt/local/lib/libykpiv.1.dylib
lrwxr-xr-x 1 root admin 20 Oct 10 07:25 /opt/local/lib/libykpiv.1.dylib -> libykpiv.2.1.1.dylib
```
and it was part of the port I am trying to build:
```
$ port provides /opt/local/lib/libykpiv.2.1.1.dylib
/opt/local/lib/libykpiv.2.1.1.dylib is provided by: yubico-piv-tool
```
Attachments (1)
Change History (14)
Changed 4 years ago by bK4gYuRo
comment:1 Changed 4 years ago by bK4gYuRo
Cc: | bK4gYuRo added |
---|
comment:2 Changed 4 years ago by bK4gYuRo
comment:3 follow-up: 13 Changed 4 years ago by bK4gYuRo
Shouldn't build process use something like this to point to the library in a temporary location:
```
$ DYLD_FALLBACK_LIBRARY_PATH=/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/lib ./yubico-piv-tool --help
yubico-piv-tool 2.1.1

Usage: yubico-piv-tool [OPTIONS]...

  -h, --help                 Print help and exit
      --full-help            Print help, including hidden options, and exit
  -V, --version              Print version and exit
  -v, --verbose[=INT]        Print more information (default=`0')
  -r, --reader=STRING        Only use a matching reader (default=`Yubikey')
  -k, --key[=STRING]         Management key to use, if no value is specified
                             key will be asked for
                             (default=`010203040506070801020304050607080102030405060708')
  -a, --action=ENUM          Action to take (possible values="version",
                             "generate", "set-mgm-key", "reset",
                             "pin-retries", "import-key",
                             "import-certificate", "set-chuid",
                             "request-certificate", "verify-pin",
                             "change-pin", "change-puk", "unblock-pin",
                             "selfsign-certificate", "delete-certificate",
                             "read-certificate", "status",
                             "test-signature", "test-decipher",
                             "list-readers", "set-ccc", "write-object",
                             "read-object", "attest")
       Multiple actions may be given at once and will be executed in order
       for example --action=verify-pin --action=request-certificate
  -s, --slot=ENUM            What key slot to operate on (possible
                             values="9a", "9c", "9d", "9e", "82", "83",
                             "84", "85", "86", "87", "88", "89", "8a",
                             "8b", "8c", "8d", "8e", "8f", "90", "91",
                             "92", "93", "94", "95", "f9")
       9a is for PIV Authentication
       9c is for Digital Signature (PIN always checked)
       9d is for Key Management
       9e is for Card Authentication (PIN never checked)
       82-95 is for Retired Key Management
       f9 is for Attestation
  -A, --algorithm=ENUM       What algorithm to use (possible
                             values="RSA1024", "RSA2048", "ECCP256",
                             "ECCP384" default=`RSA2048')
  -H, --hash=ENUM            Hash to use for signatures (possible
                             values="SHA1", "SHA256", "SHA384", "SHA512"
                             default=`SHA256')
  -n, --new-key=STRING       New management key to use for action
                             set-mgm-key, if omitted key will be asked for
      --pin-retries=INT      Number of retries before the pin code is blocked
      --puk-retries=INT      Number of retries before the puk code is blocked
  -i, --input=STRING         Filename to use as input, - for stdin
                             (default=`-')
  -o, --output=STRING        Filename to use as output, - for stdout
                             (default=`-')
  -K, --key-format=ENUM      Format of the key being read/written (possible
                             values="PEM", "PKCS12", "GZIP", "DER", "SSH"
                             default=`PEM')
  -p, --password=STRING      Password for decryption of private key file, if
                             omitted password will be asked for
  -S, --subject=STRING       The subject to use for certificate request
       The subject must be written as:
       /CN=host.example.com/OU=test/O=example.com/
      --serial=INT           Serial number of the self-signed certificate
      --valid-days=INT       Time (in days) until the self-signed certificate
                             expires (default=`365')
  -P, --pin=STRING           Pin/puk code for verification, if omitted pin/puk
                             will be asked for
  -N, --new-pin=STRING       New pin/puk code for changing, if omitted pin/puk
                             will be asked for
      --pin-policy=ENUM      Set pin policy for action generate or import-key.
                             Only available on YubiKey 4 (possible
                             values="never", "once", "always")
      --touch-policy=ENUM    Set touch policy for action generate, import-key
                             or set-mgm-key. Only available on YubiKey 4
                             (possible values="never", "always", "cached")
      --id=INT               Id of object for write/read object
  -f, --format=ENUM          Format of data for write/read object (possible
                             values="hex", "base64", "binary" default=`hex')
      --attestation          Add attestation cross-signature (default=off)
```
comment:4 Changed 4 years ago by bK4gYuRo
Another data point: I upgraded cmake to cmake @3.19.1_2+universal today before trying to rebuild yubico-piv-tool for the new version of libressl.
comment:5 Changed 4 years ago by mf2k (Frank Schima)
Cc: | lbschenkel removed |
---|---|
Owner: | set to lbschenkel |
Status: | new → assigned |
comment:6 Changed 4 years ago by bK4gYuRo
According to `/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/CMakeLists.txt: set(GENERATE_MAN_PAGES OFF)`, it should not generate man pages, but the cache has the opposite value: `/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/CMakeCache.txt:GENERATE_MAN_PAGES:BOOL=ON`
Also, options file sets it to on: `/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/cmake/options.cmake:option(GENERATE_MAN_PAGES "Generate man pages for the command line tool" ON)`
Options file has quite old timestamp:
```
$ ls -l /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/cmake/options.cmake
-rw-r--r-- 1 macports wheel 3851 Jul 20 02:37 /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1/cmake/options.cmake
```
I just don't know how I managed to build yubico-piv-tool without man pages back in October:
```
$ port content yubico-piv-tool
Port yubico-piv-tool contains:
  /opt/local/bin/yubico-piv-tool
  /opt/local/include/ykpiv/ykpiv-config.h
  /opt/local/include/ykpiv/ykpiv.h
  /opt/local/lib/libykcs11.1.dylib
  /opt/local/lib/libykcs11.2.1.1.dylib
  /opt/local/lib/libykcs11.a
  /opt/local/lib/libykcs11.dylib
  /opt/local/lib/libykpiv.1.dylib
  /opt/local/lib/libykpiv.2.1.1.dylib
  /opt/local/lib/libykpiv.a
  /opt/local/lib/libykpiv.dylib
  /opt/local/lib/pkcs11/libykcs11.so
  /opt/local/lib/pkgconfig/ykcs11.pc
  /opt/local/lib/pkgconfig/ykpiv.pc
  /opt/local/share/p11-kit/modules/yubico-piv-tool.module
$ ls -l /opt/local/bin/yubico-piv-tool
-rwxr-xr-x 1 root admin 86880 Oct 10 07:25 /opt/local/bin/yubico-piv-tool
```
comment:7 Changed 4 years ago by bK4gYuRo
I am just guessing, could configure command have had -DCMAKE_GENERATE_MAN_PAGES=OFF in the previous version of macports?
```
:info:configure Executing: cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1" && /opt/local/bin/cmake -DCMAKE_INSTALL_PREFIX='/opt/local' -DCMAKE_BUILD_TYPE=Release -DCMAKE_BUILD_WITH_INSTALL_RPATH=ON -DCMAKE_C_COMPILER="$CC" -DCMAKE_COLOR_MAKEFILE=ON -DCMAKE_CXX_COMPILER="$CXX" -DCMAKE_FIND_FRAMEWORK=LAST -DCMAKE_INSTALL_NAME_DIR=/opt/local/lib -DCMAKE_INSTALL_RPATH=/opt/local/lib -DCMAKE_MAKE_PROGRAM=/usr/bin/make -DCMAKE_MODULE_PATH=/opt/local/share/cmake/Modules -DCMAKE_SYSTEM_PREFIX_PATH="/opt/local;/opt/local;/usr" -DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_POLICY_DEFAULT_CMP0025=NEW -Wno-dev -DCMAKE_C_FLAGS_RELEASE="-DNDEBUG" -DCMAKE_CXX_FLAGS_RELEASE="-DNDEBUG" -DCMAKE_OSX_ARCHITECTURES="x86_64" -DCMAKE_OSX_DEPLOYMENT_TARGET="10.13" -DCMAKE_OSX_SYSROOT="/" /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/yubico-piv-tool-2.1.1
```
comment:8 Changed 4 years ago by kencu (Ken)
This:
```
$ ./yubico-piv-tool --help
dyld: Library not loaded: /opt/local/lib/libykpiv.1.dylib
  Referenced from: /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/tool/./yubico-piv-tool
  Reason: image not found
```
could be caused by the cmake PortGroup setting this option:
```
-DCMAKE_BUILD_WITH_INSTALL_RPATH=ON
```
Every once in a while we come across a port that won't work right with this, and this might be one of them. To override this, in the Portfile we put:
```
configure.args-replace -DCMAKE_BUILD_WITH_INSTALL_RPATH=ON -DCMAKE_BUILD_WITH_INSTALL_RPATH=OFF
```
comment:9 Changed 4 years ago by kencu (Ken)
or don't build the manpages maybe, and never run the failing tool at all, sure.
comment:10 Changed 4 years ago by drebes (Roberto Jung Drebes)
Cc: | drebes added |
---|
comment:11 Changed 4 years ago by drebes (Roberto Jung Drebes)
I was having the same issue and can confirm that adding
```
configure.args-append -DCMAKE_BUILD_WITH_INSTALL_RPATH=OFF
```
to the end of yubico-piv-tool/Portfile made the port successfully build for me.
comment:12 Changed 4 years ago by lbschenkel (Leonardo Brondani Schenkel)
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:13 Changed 4 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to bK4gYuRo:
> Shouldn't build process use something like this to point to the library in a temporary location:
>
> ```
> $ DYLD_FALLBACK_LIBRARY_PATH=/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_yubico-piv-tool/yubico-piv-tool/work/Yubico-yubico-piv-tool-6752c30/lib ./yubico-piv-tool --help
> ```

The correct environment variable for this scenario is `DYLD_LIBRARY_PATH`, not `DYLD_FALLBACK_LIBRARY_PATH`.
Maybe libressl upgrade is not related to the problem. I guess port version 2.6.4 has something to do with it. The library in question is built, but it is in this location before port is installed:
yubico-piv-tool looks for it in /opt/local/lib, but it is not there yet.
I am not sure how it worked before.
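
To see the mismatch this ticket describes (a build-tree binary whose recorded install name points at a library that is not installed yet), the following added example, which is not part of the ticket or the port, classifies the dependencies that `otool -L` prints. The function names, the `build_lib_dir` argument and the sample `otool` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): classify the install names that
# `otool -L` reports for a binary sitting in a build tree.
# Usage on macOS: otool -L ./yubico-piv-tool | check_install_names ../lib

check_install_names() {
    build_lib_dir="$1"   # directory holding freshly built dylibs (assumed layout)
    # Dependency lines are indented and end in "(compatibility version ...)";
    # the first line ("<file>:") does not match and is dropped.
    sed -n 's/^[[:space:]]\{1,\}\(.*\) (compatibility version.*$/\1/p' |
    while IFS= read -r lib; do
        case "$lib" in
            /usr/lib/*|/System/*)
                # System libraries may exist only in the dyld shared cache.
                continue ;;
            @*)
                # @rpath/@loader_path entries depend on LC_RPATH; not checked here.
                echo "relative $lib"
                continue ;;
        esac
        if [ -e "$lib" ]; then
            echo "ok $lib"
        elif [ -e "$build_lib_dir/$(basename "$lib")" ]; then
            # Built, but the recorded install name points at the copy that
            # only exists after installation: the situation in this ticket.
            echo "build-tree-only $lib"
        else
            echo "missing $lib"
        fi
    done
}

# Constructed sample of `otool -L` output (library versions are illustrative).
sample_otool_output() {
    printf '%s\n' './yubico-piv-tool:'
    printf '\t%s\n' \
        '/opt/local/lib/libykpiv.1.dylib (compatibility version 1.0.0, current version 2.1.1)' \
        '/opt/local/lib/libcrypto.46.dylib (compatibility version 47.0.0, current version 47.1.0)' \
        '/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)'
}

sample_otool_output | check_install_names ./lib
```

A `build-tree-only` line means the binary cannot be run from the work directory until the port is installed, unless the build-time RPATH setting is changed or the loader is pointed at the build directory.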