
java/autofirma: [new port]. Digital signature application
Needs Review, Public

Authored by fernape on Tue, Nov 18, 4:47 PM.

Details

Reviewers
None
Group Reviewers
Ports Committers
Summary

Autofirma is a Java application used to sign digital documents.
It is the official application of the Spanish Government and as such it is
required to perform many online tasks with the Administration.

Test Plan

After installation you can execute autofirma. That one is a GUI app that allows you to digitally sign files. Unfortunately it is Spanish only.

Going to https://www.sededgsfp.gob.es/es/Paginas/TestAutofirma.aspx allows you to test the "webapp" version of the same application.

Diff Detail

Repository
R11 FreeBSD ports repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 68713
Build 65596: arc lint + arc unit

Event Timeline

fernape created this revision.
fernape added a reviewer: Ports Committers.

Not sure if it belongs in the java category, though... Perhaps security instead?

java/autofirma/Makefile
16

Should this be JAVA_VERSION= 24+?

> Not sure if it belongs in the java category, though... Perhaps security instead?

Yeah, you're right. Dropping java as category.

java/autofirma/Makefile
16

Unfortunately, the port does not work with openjdk25. Version 24 is the highest one where it works.
There is something with a constructor being now private, but didn't dig into it very much.
I tried to build from sources but there were other problems (compilation aborted due to some empty MANIFEST IIRC).

michaelo added inline comments.
java/autofirma/Makefile
42

Aren't they included in Oracle's cert bundle delivery? In almost all cases it does not really differ from NSS?

java/autofirma/files/autofirma.in
7

LOCALBASE?

>> Not sure if it belongs in the java category, though... Perhaps security instead?
>
> Yeah, you're right. Dropping java as category.

I would probably also move it to the security subdirectory.

java/autofirma/Makefile
16

Ok, that makes sense. Just checking :)

Address feedback.

  • Move to security/
  • Use %%LOCALBASE%% in script
fernape added inline comments.
java/autofirma/Makefile
42

Which bundle is that?
I'm creating a jks key store because AFAIK openjdk24 does not read PEM format. openjdk25 does, but the port will need some work upstream to work with that.

java/autofirma/Makefile
42

Java comes with a bundle (cacerts) included. Bet it just works out of the box.

Address feedback:

  • Use openjdk cert bundle

Aha! Thanks for that info!

I checked it still works and now the port is much simpler.

security/autofirma/files/autofirma.in
4 ↗(On Diff #166895)

No, use %%JAVA_HOME%%/bin/java as well.

6 ↗(On Diff #166895)

Why? Don't provide it at all and Java will do the rest.

Out of curiosity, since I see Mozilla and NSS here, does the library internally use NSS for something? Does it perform System#loadLibrary()? If yes, you might want to depend on NSS as well. Maybe you should investigate...

security/autofirma/Makefile
15 ↗(On Diff #166895)

Where do you use zip?

This port made me curious, though I don't live in Spain:

  • Why the hell did they pack a deb package in a ZIP file, clowns
  • The data.tar has some interesting things you likely have missed:
    • Autofirma.js is for Firefox which will autoinject into prefs.js, it is user.js for Autofirma. You didn't handle this at all. It contains also a path which needs to be fixed for LOCALBASE
    • What happened to autofirmaConfigurador.jar?
    • Autofirma.png is located next to the JAR, will it be found in a different location?
    • You did not patch afirma.desktop
    • es.gob.afirma.metainfo.xml isn't required? ...and it clearly states that it depends on libnss3-tools

autofirma.jar contains directories linux/windows/osx (sic!) with a binary-bundled certutil, I bet this is libnss3-tools and maybe you need to provide certutil.
Manual says "Full version of Java 8 or higher. Using Java 17 is recommended.", why 24 then?

The code is here: https://github.com/ctt-gob-es/clienteafirma, you may need to patch the stuff: https://github.com/ctt-gob-es/clienteafirma/blob/5f877c0cdad198e0ca8354a569f2f53064b325c1/afirma-core/src/main/java/es/gob/afirma/core/misc/Platform.java and https://github.com/ctt-gob-es/clienteafirma/blob/master/afirma-keystores-mozilla/src/main/java/es/gob/afirma/keystores/mozilla/MozillaKeyStoreUtilities.java#L62.

¡What firma pain!