swtpm: fix build on darwin

[willcohen]

Description of changes

Fix build on darwin. Note that because netstat still uses openssl-1.0.2u on darwin, building this requires NIXPKGS_ALLOW_INSECURE=1. See #101229 and #150880.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[willcohen]

@baloo

[Luflosi]

I fixed all failing tests. For some reason I didn't need to touch python at all. Here is the full diff, which could replace this PR:

index 648165d8262..fae491d00db 100644
--- a/pkgs/tools/security/swtpm/default.nix
+++ b/pkgs/tools/security/swtpm/default.nix
@@ -37,14 +37,18 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
     libtpms
-    openssl libtasn1 libseccomp
-    fuse glib json-glib
+    openssl libtasn1
+    glib json-glib
     gnutls
+  ] ++ lib.optionals stdenv.isLinux [
+    fuse
+    libseccomp
   ];
 
   configureFlags = [
-    "--with-cuse"
     "--localstatedir=/var"
+  ] ++ lib.optionals stdenv.isLinux [
+    "--with-cuse"
   ];
 
   postPatch = ''
@@ -56,9 +60,31 @@ stdenv.mkDerivation rec {
 
     # Use the correct path to the certtool binary
     # instead of relying on it being in the environment
-    substituteInPlace src/swtpm_localca/swtpm_localca.c --replace \
+    substituteInPlace src/swtpm_localca/swtpm_localca.c \
+      --replace \
+        '# define CERTTOOL_NAME "gnutls-certtool"' \
+        '# define CERTTOOL_NAME "${gnutls}/bin/certtool"' \
+      --replace \
         '# define CERTTOOL_NAME "certtool"' \
         '# define CERTTOOL_NAME "${gnutls}/bin/certtool"'
+
+    substituteInPlace tests/common --replace \
+        'CERTTOOL=gnutls-certtool;;' \
+        'CERTTOOL=certtool;;'
+
+    # Fix error on macOS:
+    # stat: invalid option -- '%'
+    # This is caused by the stat program not being the BSD version,
+    # as is expected by the test
+    substituteInPlace tests/common --replace \
+        'if [[ "$(uname -s)" =~ (Linux|CYGWIN_NT-) ]]; then' \
+        'if [[ "$(uname -s)" =~ (Linux|Darwin|CYGWIN_NT-) ]]; then'
+
+    # Otherwise certtool seems to pick up the system language on macOS,
+    # which might cause a test to fail
+    substituteInPlace tests/test_swtpm_setup_create_cert --replace \
+        '$CERTTOOL' \
+        'LC_ALL=C.UTF-8 $CERTTOOL'
   '';
 
   doCheck = true;

I did not test on Linux, please do.
Any idea why you need to change the python dependency but I don't? Are you running on Apple silicon? Do you have the sandbox enabled?

[baloo]

swtpm> ============================================================================
swtpm> Testsuite summary for swtpm 0.7.1
swtpm> ============================================================================
swtpm> # TOTAL: 68
swtpm> # PASS:  56
swtpm> # SKIP:  12
swtpm> # XFAIL: 0
swtpm> # FAIL:  0
swtpm> # XPASS: 0
swtpm> # ERROR: 0
swtpm> ============================================================================

👍

[baloo]

@Luflosi

@willcohen needed python because it's only provided if you run tests (which he disabled on macos). Since you're running tests, python is provided.

I still believe it makes sense to bring python in nativeBuildInputs as it fixes cross compilation too (this is checked by autoconf, as will showed).

[Luflosi]

Ok, then 👍 on moving python to nativeBuildInputs.

[willcohen]

Lovely. Will revise. Many thanks!

[willcohen]

Result of nixpkgs-review pr 163569 run on x86_64-darwin 1

Edit: right, because of openssl.

[willcohen]

Result of nixpkgs-review pr 163569 run on x86_64-linux 1

2 packages built:

• quickemu
• swtpm

[willcohen]

@alyssais does this look good to merge? Not directly related to 9p for Darwin, but still useful for QEMU

[baloo]

thanks to both of you!

[Luflosi]

LGTM

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/461

[willcohen]

Thanks @SuperSandro2000!