Arch Linux User Repository

YubiKeys work using the OpenSC PKCS#11 module, no need to install or use this package.

One just need to follow the instructions from ArchWiki and the YubiKey PIV module will just work.

@fuhry great! I'm mostly leaning towards skipping tests altogether for this package. If you make a PKGBUILD with that properly configured send it over.

@travisghansen My fork is updated with patches that fix the use-after-free warnings in tests: https://github.com/fuhry/yubico-piv-tool.aur

I will also submit this patch upstream to Yubico.

For AUR packages, it doesn't really matter if the package runs tests or not – but if it does include tests, then it should actually run them through the check() {} function (but not in build(), so that users who have check enabled in their makepkg.conf options would get tests, but others could still opt out). Similarly, you can include test dependencies in checkdepends=() so they won't be pulled in for non-check builds.

But if the tests aren't being run at all, then there's no point in compiling them.

So I guess as a middle ground in this case you could have build() {} compile everything with -DSKIP_TESTS, but have check() {} compile everything again with the tests included – and actually run them. (Although I'm not sure if rebuilding in check() is "normal", but if it works, it works.)

I don't actually know what the policy is revolving around that. If that's the status quo then a patch/diff would certainly be welcome.

Just build with -DSKIP_TESTS and remove the test dependencies as we don't use the unit tests for anything.

Doesn't build for me at the moment:

[ 79%] Building C object ykcs11/tests/CMakeFiles/test_ykcs11.dir/ykcs11_tests_util.c.o
yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c: In function ‘test_rsa_decrypt’:
yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c:64:23: error: pointer ‘dec’ may be used after ‘free’ [-Werror=use-after-free]
   64 | #define asrt(c, e, m) _asrt(__FILE__, __LINE__, c, e, m);
      |                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c:1233:7: note: in expansion of macro ‘asrt’
 1233 |       asrt(funcs->C_DecryptUpdate(session, enc, 100, dec, &dec_len), CKR_OK, "DECRYPT UPDATE");
      |       ^~~~
yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c:1227:7: note: call to ‘free’ here
 1227 |       free(dec);
      |       ^~~~~~~~~
yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c:64:23: error: pointer ‘dec’ may be used after ‘free’ [-Werror=use-after-free]
   64 | #define asrt(c, e, m) _asrt(__FILE__, __LINE__, c, e, m);
      |                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c:1235:7: note: in expansion of macro ‘asrt’
 1235 |       asrt(funcs->C_DecryptUpdate(session, enc+100, 8, dec, &dec_len), CKR_OK, "DECRYPT UPDATE");
      |       ^~~~
yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c:1227:7: note: call to ‘free’ here
 1227 |       free(dec);
      |       ^~~~~~~~~
yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c:64:23: error: pointer ‘dec’ may be used after ‘free’ [-Werror=use-after-free]
   64 | #define asrt(c, e, m) _asrt(__FILE__, __LINE__, c, e, m);
      |                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c:1237:7: note: in expansion of macro ‘asrt’
 1237 |       asrt(funcs->C_DecryptUpdate(session, enc+108, 20, dec, &dec_len), CKR_OK, "DECRYPT UPDATE");
      |       ^~~~
yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c:1227:7: note: call to ‘free’ here
 1227 |       free(dec);
      |       ^~~~~~~~~
cc1: all warnings being treated as errors
make[2]: *** [ykcs11/tests/CMakeFiles/test_ykcs11.dir/build.make:90: ykcs11/tests/CMakeFiles/test_ykcs11.dir/ykcs11_tests_util.c.o] Error 1
make[2]: Leaving directory 'build'
make[1]: *** [CMakeFiles/Makefile2:380: ykcs11/tests/CMakeFiles/test_ykcs11.dir/all] Error 2
make[1]: Leaving directory 'build'
make: *** [Makefile:146: all] Error 2

patch added

This package fails to build for me, the error is:

yubico-piv-tool/src/yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c: In function ‘test_digest_func’:
yubico-piv-tool/src/yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c:71:3: error: ‘hdata_len’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
   71 |   fprintf(stderr, "%s.%d: <%s> check failed with value %lu (0x%lx), expected %lu (0x%lx)\n",
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   72 |           file, line, msg, check, check, expected, expected);
      |           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
yubico-piv-tool/src/yubico-piv-tool-2.3.0/ykcs11/tests/ykcs11_tests_util.c:284:15: note: ‘hdata_len’ was declared here
  284 |   CK_ULONG    hdata_len;
      |               ^~~~~~~~~
cc1: all warnings being treated as errors

I was able to fix this by adding this patch (which is also currently reflected in upstream's master branch):

--- a/ykcs11/tests/ykcs11_tests_util.c
+++ b/ykcs11/tests/ykcs11_tests_util.c
@@ -281,7 +281,7 @@ void test_digest_func(CK_FUNCTION_LIST_PTR funcs, CK_SESSION_HANDLE session, CK_
   CK_BYTE     digest_update[128] = {0};
   CK_ULONG    digest_update_len;
   CK_BYTE     hdata[128] = {0};
-  CK_ULONG    hdata_len;
+  CK_ULONG    hdata_len = 0;

   CK_MECHANISM mech = {mech_type, NULL, 0};

The package is signed with an expired eky.

gpg --verify yubico-piv-tool-2.2.0.tar.gz.sig gpg: assuming signed data in 'yubico-piv-tool-2.2.0.tar.gz' gpg: Signature made Thu 17 Dec 2020 06:08:49 AM MST gpg: using RSA key 70D7145F2F35C4745501829A1B21578FC4686BFE gpg: Good signature from "Aveen Ismail aveen.ismail@yubico.com" [expired] gpg: Note: This key has expired! Primary key fingerprint: 1D73 08B0 055F 5AEF 3694 4A8F 27A9 C24D 9588 EA0F Subkey fingerprint: 70D7 145F 2F35 C474 5501 829A 1B21 578F C468 6BFE

The key is in the list for the package...it appears to just be expired. The package installs just fine for me though.