pkgs/athena-bccr: initial commit

2025-08-06 14:46:59 -06:00 · 2025-08-06 14:46:59 -06:00 · e72efe6b59
commit e72efe6b59
parent a69723cf87
8 changed files with 425 additions and 2 deletions
--- a/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch
+++ b/pkgs/athena-bccr/0001-Remove-CheckUpdatePlugin-from-default-list.patch
@ -0,0 +1,25 @@
+From 5e7eb46f46af6a29a2aea19db722ebc28baede25 Mon Sep 17 00:00:00 2001
+From: Alejandro Soto <alejandro@34project.org>
+Date: Sat, 21 Jun 2025 22:37:19 -0600
+Subject: [PATCH] Remove CheckUpdatePlugin from default list
+
+---
+ src/main/java/cr/libre/firmador/Settings.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/main/java/cr/libre/firmador/Settings.java b/src/main/java/cr/libre/firmador/Settings.java
+index e5ddf01..a028d6e 100644
+--- a/src/main/java/cr/libre/firmador/Settings.java
+++ b/src/main/java/cr/libre/firmador/Settings.java
+@@ -81,7 +81,7 @@ public class Settings {
+ 
+     public Settings() {
+         activePlugins.add("cr.libre.firmador.plugins.DummyPlugin");
+-        activePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin");
+        // activePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin");
+         availablePlugins.add("cr.libre.firmador.plugins.DummyPlugin");
+         availablePlugins.add("cr.libre.firmador.plugins.CheckUpdatePlugin");
+     }
+-- 
+2.49.0
+
--- a/pkgs/athena-bccr/LaunchGaudi.java
+++ b/pkgs/athena-bccr/LaunchGaudi.java
@ -0,0 +1,12 @@
+// Los del BCCR no se molestaron en ponerle un main al Agente Gaudi porque el
+// actualizador (que a su vez sí tiene main) carga el jar en memoria y crea una
+// instancia de Inicializador usando reflexión. El actualizador no es relevante
+// en Nix. En todo caso, dicho actualizador es sumamente frágil y me daría
+// demasiada pereza arreglarlo, así que en su lugar usamos este stub para
+// launchear Gaudi.
+
+public class LaunchGaudi {
+	public static void main(String[] args) {
+		new InicializadorCliente.Inicializador("");
+	}
+}
--- a/pkgs/athena-bccr/default.nix
+++ b/pkgs/athena-bccr/default.nix
@ -0,0 +1,30 @@
+{
+  callPackage,
+  lib,
+}: let
+  latest = "deb64-rev26";
+
+  releases = lib.mapAttrs (name: release: release // {name = name;}) (import ./releases.nix);
+
+  overrideUnwrapped = default: new: let
+    args = default // new;
+    unwrappedPkgs = lib.filterAttrs (name: _: ! lib.elem name ["override" "overrideDerivation"]) (callPackage ./unwrapped.nix args);
+  in
+    lib.fix (unwrapped: lib.mapAttrs (_: pkg: callPackage pkg unwrapped) unwrappedPkgs)
+    // {
+      override = overrideUnwrapped args;
+    };
+
+  pkgsForRelease = release: let
+    ase-pkcs11 = unwrapped.ase-idprotect.lib;
+    libasep11 = "${ase-pkcs11}/lib/x64-athena/libASEP11.so";
+    unwrapped = overrideUnwrapped {inherit release;} {};
+  in {
+    inherit ase-pkcs11 libasep11;
+    inherit (unwrapped) ase-idprotect bccr-cacerts;
+
+    gaudi = callPackage ./gaudi-env.nix {inherit unwrapped;};
+    firmador = callPackage ./firmador.nix {inherit libasep11;};
+  };
+in
+  lib.mapAttrs (_: pkgsForRelease) (releases // {latest = releases.${latest};})
--- a/pkgs/athena-bccr/firmador.nix
+++ b/pkgs/athena-bccr/firmador.nix
@ -0,0 +1,57 @@
+{
+  fetchgit,
+  lib,
+  makeWrapper,
+  maven,
+  openjdk,
+  wrapGAppsHook,
+  libasep11 ? null,
+}: let
+  jdk = openjdk.override {
+    enableJavaFX = true;
+  };
+
+  version = "1.9.8";
+in
+  maven.buildMavenPackage {
+    pname = "firmador";
+    inherit version;
+
+    src = fetchgit {
+      url = "https://codeberg.org/firmador/firmador";
+      rev = version;
+      hash = "sha256-xdiVPjihRADPK4nG+WQHWsDzVYLCeN6ouQ6SDtjf1qQ=";
+    };
+
+    patches = [
+      ./0001-Remove-CheckUpdatePlugin-from-default-list.patch
+    ];
+
+    mvnHash = "sha256-h1zoStTgaE7toWWKq0Y0ahOORyltChwjmaMYjLgs1VE=";
+
+    nativeBuildInputs = [
+      makeWrapper
+      wrapGAppsHook
+    ];
+
+    postPatch = lib.optionalString (libasep11 != null) ''
+      sed -i 's@/usr/lib/x64-athena/libASEP11.so@${libasep11}@g' src/main/java/cr/libre/firmador/CRSigner.java
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/bin $out/share/java
+      install -Dm644 target/firmador.jar $out/share/java
+
+      makeWrapper ${jdk}/bin/java $out/bin/firmador \
+        --add-flags "-jar $out/share/java/firmador.jar"
+
+      runHook postInstall
+    '';
+
+    meta = {
+      homepage = "https://firmador.libre.cr";
+      license = lib.licenses.gpl3Plus;
+    };
+  }
--- a/pkgs/athena-bccr/gaudi-env.nix
+++ b/pkgs/athena-bccr/gaudi-env.nix
@ -0,0 +1,62 @@
+{
+  buildFHSEnv,
+  curl,
+  lib,
+  writeShellScriptBin,
+  gaudiHash ? null,
+  unwrapped,
+}: let
+  unwrappedWithGaudi = unwrapped.override {inherit gaudiHash;};
+in
+  buildFHSEnv {
+    name = "gaudi";
+
+    targetPkgs = pkgs: [
+      unwrappedWithGaudi.ase-idprotect.lib
+      unwrappedWithGaudi.gaudi
+
+      (writeShellScriptBin "launch-gaudi" ''
+        set -o errexit
+        set -o pipefail
+        set -o nounset
+
+        PATH="${lib.makeBinPath [curl]}:$PATH"
+
+        echo "$0: testing for incompatible releases..." >&2
+
+        jar_name=bccr-firma-fva-clienteMultiplataforma.jar
+        url="https://www.firmadigital.go.cr/Bccr.Firma.Fva.Actualizador.ClienteFirmadorJava//recursosLiberica17/actualizador/$jar_name"
+        ca_file="${unwrappedWithGaudi.bccr-cacerts}/root-ca.pem"
+        url_hash=$(curl -sS --cacert "$ca_file" "$url" | sha256sum | cut -d' ' -f1)
+        jar_path="${unwrappedWithGaudi.gaudi}/share/java/$jar_name"
+        jar_hash=$(sha256sum "$jar_path" | cut -d' ' -f1)
+
+        if [ "$url_hash" != "$jar_hash" ]; then
+          last_modified=$(curl -sS --head --cacert "$ca_file" "$url" | grep -i '^last-modified:' | head -1)
+
+          echo "$0: sha256 mismatch for $jar_path due to server-side update" >&2
+          echo "$0:   expected:      $url_hash" >&2
+          echo "$0:   actual:        $jar_hash" >&2
+          echo "$0:   $last_modified" >&2
+          echo "$0: run the following to download the new client JAR, then update your derivation:" >&2
+          echo "$0: \$ ${unwrappedWithGaudi.update-gaudi}" >&2
+
+          exit 1
+        fi
+
+        cache_path_1="''${XDG_CACHE_HOME:-$HOME/.cache}/Agente-GAUDI"
+        cache_path_2="''${XDG_CACHE_HOME:-$HOME/.cache}/Firmador-BCCR"
+
+        for cache_path in "$cache_path_1" "$cache_path_2"; do
+          mkdir -p "$cache_path"
+          ln -sf -- ${unwrappedWithGaudi.gaudi}/share/java/bccr-firma-fva-clienteMultiplataforma.jar "$cache_path"
+        done
+
+        cp -f --no-preserve=mode -t "$cache_path_1" -- "${unwrappedWithGaudi.gaudi}/share/java/config.properties"
+
+        exec gaudi
+      '')
+    ];
+
+    runScript = "launch-gaudi";
+  }
--- a/pkgs/athena-bccr/releases.nix
+++ b/pkgs/athena-bccr/releases.nix
@ -0,0 +1,12 @@
+{
+  "deb64-rev26" = {
+    # nix hash convert --hash-algo sha256 --from base16 --to sri $(sha256sum sfd_ClientesLinux_DEB64_Rev26.zip | cut -d' ' -f1)
+    hash = "sha256-ZPWP9TqJQ5coJAPzUSiaXKVItBWlqFM4smCjOf+gqQM=";
+    basename = "sfd_ClientesLinux_DEB64_Rev26";
+
+    srcPaths = {
+      gaudi = "Firma Digital/Agente GAUDI/agente-gaudi_20.0_amd64.deb";
+      idprotect = "Firma Digital/PinTool/IDProtect PINTool 7.24.02/DEB/idprotectclient_7.24.02-0_amd64.deb";
+    };
+  };
+}
--- a/pkgs/athena-bccr/unwrapped.nix
+++ b/pkgs/athena-bccr/unwrapped.nix
@ -0,0 +1,226 @@
+{
+  lib,
+  requireFile,
+  release,
+  gaudiHash ? null,
+  ...
+}: let
+  inherit (release) srcPaths;
+
+  src = requireFile {
+    url = "https://soportefirmadigital.com";
+    name = "${release.basename}.zip";
+
+    inherit (release) hash;
+  };
+
+  gaudiUpdateSrc = {update-gaudi}:
+    requireFile {
+      url = "${update-gaudi}";
+      name = "gaudi-update-${release.name}.zip";
+
+      hash = gaudiHash;
+    };
+
+  moduleFromDeb = name: args @ {
+    stdenv,
+    dpkg,
+    unzip,
+    srcPath,
+    ...
+  }:
+    stdenv.mkDerivation ({
+        pname = "${name}-unwrapped";
+        version = release.name;
+
+        inherit src;
+
+        nativeBuildInputs = [dpkg unzip] ++ (args.nativeBuildInputs or []);
+
+        postUnpack = ''
+          dpkg -x ${lib.escapeShellArg "${release.basename}/${srcPath}"} ${lib.escapeShellArg release.basename}
+        '';
+      }
+      // lib.removeAttrs args ["stdenv" "dpkg" "unzip" "srcPath" "nativeBuildInputs"]);
+in {
+  ase-idprotect = {
+    autoPatchelfHook,
+    dpkg,
+    fontconfig,
+    freetype,
+    pcsclite,
+    stdenv,
+    unzip,
+    xorg,
+    zlib,
+    ...
+  }:
+    moduleFromDeb "ase-idprotect" {
+      inherit dpkg stdenv unzip;
+      srcPath = srcPaths.idprotect;
+
+      buildInputs = [
+        fontconfig
+        freetype
+        pcsclite
+        stdenv.cc.cc.lib
+        xorg.libX11
+        xorg.libXext
+        zlib
+      ];
+
+      nativeBuildInputs = [
+        autoPatchelfHook
+      ];
+
+      outputs = ["out" "lib"];
+
+      installPhase = ''
+        runHook preInstall
+
+        install -m755 -d $out/bin $lib/{etc,lib/x64-athena}
+        install -m755 usr/bin/IDProtect{_Manager,PINTool} $out/bin/
+        install -m755 usr/lib/x64-athena/* $lib/lib/x64-athena
+        cp -r etc/Athena $lib/etc/Athena
+
+        runHook postInstall
+      '';
+
+      preFixup = ''
+        patchelf --set-rpath $lib/lib/x64-athena $out/bin/*
+      '';
+    };
+
+  gaudi = {
+    autoPatchelfHook,
+    dpkg,
+    makeWrapper,
+    openjdk,
+    pkgs,
+    stdenv,
+    unzip,
+    writeShellScriptBin,
+    update-gaudi,
+    ...
+  }: let
+    jdk = openjdk.override {
+      enableJavaFX = true;
+      openjfx_jdk = pkgs."openjfx${lib.head (lib.splitString "." openjdk.version)}".override {withWebKit = true;};
+    };
+
+    fakeSudo = writeShellScriptBin "sudo" "";
+    gaudiUpdate = gaudiUpdateSrc {inherit update-gaudi;};
+  in
+    moduleFromDeb "gaudi" {
+      inherit dpkg stdenv unzip;
+      srcPath = srcPaths.gaudi;
+
+      nativeBuildInputs = [
+        autoPatchelfHook
+        jdk
+        makeWrapper
+      ];
+
+      preBuild = lib.optionalString (gaudiHash != null) ''
+        unzip -o ${gaudiUpdate} -d opt/Agente-GAUDI/lib/app
+      '';
+
+      buildPhase = ''
+        runHook preBuild
+
+        install -m755 -d $out/{bin,opt/Firmador-BCCR/lib}
+        cp -r opt/Agente-GAUDI/lib/app $out/opt/Firmador-BCCR/lib/app
+
+        # Preserves the original filename and avoids <hash>-LaunchGaudi.java
+        ln -s ${./LaunchGaudi.java} LaunchGaudi.java
+
+        javac \
+          -cp opt/Agente-GAUDI/lib/app/bccr-firma-fva-clienteMultiplataforma.jar \
+          -d $out/opt/Firmador-BCCR/lib/app \
+          LaunchGaudi.java
+
+        runHook postBuild
+      '';
+
+      installPhase = ''
+        runHook preInstall
+
+        install -m755 -d $out/{share,opt/Firmador-BCCR/lib/runtime/lib}
+        install -m755 -D opt/Agente-GAUDI/bin/Agente-GAUDI $out/opt/Firmador-BCCR/bin/Agente-GAUDI
+        install -m755 -D opt/Agente-GAUDI/lib/libapplauncher.so $out/opt/Firmador-BCCR/lib/libapplauncher.so
+
+        ln -s ../opt/Firmador-BCCR/lib/app $out/share/java
+        ln -s Firmador-BCCR $out/opt/Agente-GAUDI
+        ln -s ${jdk}/lib/openjdk/lib/libjli.so $out/opt/Firmador-BCCR/lib/runtime/lib/libjli.so
+
+        makeWrapper ${jdk}/bin/java $out/bin/gaudi \
+          --prefix PATH : ${fakeSudo}/bin \
+          --add-flags "-cp $out/share/java:$out/share/java/bccr-firma-fva-clienteMultiplataforma.jar" \
+          --add-flags "-Djavax.net.ssl.trustStore=$out/opt/Firmador-BCCR/lib/app/bccr.cacerts" \
+          --add-flags "LaunchGaudi"
+
+        runHook postInstall
+      '';
+    };
+
+  bccr-cacerts = {
+    openssl,
+    stdenv,
+    unzip,
+    ...
+  }:
+    stdenv.mkDerivation {
+      pname = "bccr-cacerts";
+      version = release.name;
+
+      inherit src;
+
+      nativeBuildInputs = [
+        openssl
+        unzip
+      ];
+
+      installPhase = ''
+        cp -r Firma\ Digital/Certificados $out
+        openssl x509 -in $out/CA\ RAIZ\ NACIONAL\ -\ COSTA\ RICA\ v2.crt -out $out/root-ca.pem -text
+      '';
+    };
+
+  update-gaudi = {
+    wget,
+    writeShellScript,
+    zip,
+    bccr-cacerts,
+    ...
+  }:
+    writeShellScript "update-gaudi" ''
+      set -o errexit
+      set -o pipefail
+      set -o nounset
+
+      temp_dir="$(mktemp -d)"
+      trap 'cd / && rm -rf -- "$temp_dir"' EXIT
+      cd "$temp_dir"
+
+      PATH="${lib.makeBinPath [wget zip]}:$PATH"
+      ca_cert="${bccr-cacerts}/root-ca.pem"
+      base_url="https://www.firmadigital.go.cr/Bccr.Firma.Fva.Actualizador.ClienteFirmadorJava//recursosLiberica17/actualizador"
+
+      wget --ca-certificate="$ca_cert" "$base_url/bccr.cacerts"
+      wget --ca-certificate="$ca_cert" "$base_url/config.properties"
+      wget --ca-certificate="$ca_cert" "$base_url/bccr-firma-fva-clienteMultiplataforma.jar"
+      wget --ca-certificate="$ca_cert" "$base_url/ServicioActualizadorClienteBCCR.jar"
+
+      # https://gist.github.com/stokito/c588b8d6a6a0aee211393d68eea678f2
+      TZ=UTC find . -exec touch --no-dereference -a -m -t 198002010000.00 {} +
+      zip_path="$PWD/gaudi-update-${release.name}.zip"
+      TZ=UTC zip -q --move --recurse-paths --symlinks -X "$zip_path" .
+      TZ=UTC touch -a -m -t 198002010000.00 "$zip_path"
+
+      set -x
+      nix-store --add-fixed sha256 "$zip_path"
+      set +x
+
+      echo -e "\ngaudiHash: $(nix-hash --to-sri --type sha256 $(sha256sum "$zip_path" | cut -d' ' -f1))"
+    '';
+}
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -2,9 +2,8 @@ final: prev:
 with prev.lib; let
  inherit (final) callPackage;
 in {
-  lib = callPackage ./lib {};
-
  override = {};

+  athena-bccr = callPackage ./athena-bccr {};
  spliit = callPackage ./spliit {};
 }