Decided to dive deep and recompile OpenVPN with another OpenSSL version (1.1.1t), because the default one is crashing and segfaulting my OpenVPN (https://forum.artixlinux.org/index.php/topic,5068.0.html) for some unknown reason. And I know that version 1.1.1t works OK (from another distro).
So, I'm trying to simply:
git clone https://gitea.artixlinux.org/packagesO/openvpn.git
cd openvpn/trunk/
makepkg --nobuild --syncdeps --rmdeps
And I get this:
==> Verifying source file signatures with gpg...
openvpn git repo ... FAILED (unknown public key 1D829EFECA562812)
==> ERROR: One or more PGP signatures could not be verified!
Why? An error in your PKGBUILD or what?
So, I'm like with two problems already: cannot recompile OpenVPN and cannot find a way to specify another version of OpenSSL instead of the default one (see the link above please).
How about:
gpg --recv-keys 1D829EFECA562812
The one way to guarantee that "openssl 1.1.1" is only used would be to build "openvpn" in a chroot after modifying the dependency for "openssl" to be "openssl=1.1.1".
Please see Building in a clean chroot (https://wiki.archlinux.org/title/DeveloperWiki:Building_in_a_clean_chroot) for more information.
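Added example (not part of the original posts and not Artix or OpenVPN code): before fetching a key that makepkg reports as unknown, check that the reported ID is the tail of a fingerprint pinned in the PKGBUILD's validpgpkeys array, then import by that full fingerprint. The PKGBUILD fragment and both fingerprints are constructed placeholders; the function names are made up for this sketch.

```sh
#!/bin/sh
# Added example. The PKGBUILD fragment and both fingerprints below are constructed
# placeholders; only the long key ID 1D829EFECA562812 comes from the thread.

# Print every 40-hex-digit fingerprint listed in validpgpkeys=( ... ) of the
# PKGBUILD text on stdin. The file is parsed as text, never sourced.
pinned_fingerprints() {
    awk '
        /^validpgpkeys=\(/ { inside = 1 }
        inside {
            line = $0
            sub(/#.*/, "", line)                  # comments may contain ")"
            n = split(line, tok, /[^0-9A-Fa-f]+/)
            for (i = 1; i <= n; i++)
                if (length(tok[i]) == 40) print toupper(tok[i])
            if (line ~ /\)/) inside = 0
        }'
}

# match_pinned <keyid>: print the pinned fingerprint whose tail equals <keyid>.
# Returns 1 if nothing matches, 2 for IDs shorter than 64 bits (easy to collide).
match_pinned() {
    keyid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    [ "${#keyid}" -ge 16 ] || { echo "refusing short key ID: $1" >&2; return 2; }
    pinned_fingerprints | while read -r fpr; do
        case $fpr in *"$keyid") printf '%s\n' "$fpr" ;; esac
    done | grep .
}

sample_pkgbuild() {   # constructed input
    cat <<'EOF'
pkgname=openvpn
validpgpkeys=(
  '0000000000000000000000001D829EFECA562812'  # placeholder (not a real key)
  '1111111111111111111111112222222222222222'
)
EOF
}

# Real use: match_pinned 1D829EFECA562812 < PKGBUILD
# then import by the full fingerprint it prints: gpg --recv-keys <fingerprint>
sample_pkgbuild | match_pinned 1D829EFECA562812
```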
Thanks. Do I have to just edit the PKGBUILD or dive deep into the sources like configure.ac? I'm new to this but learn pretty fast.
Tried to add this line to the PKGBUILD:
build() {
    mkdir "${srcdir}"/build
    cd "${srcdir}"/build
    "${srcdir}"/openvpn/configure \
        --prefix=/usr \
        --sbindir=/usr/bin \
        --enable-pkcs11 \
        --enable-plugins \
        --disable-systemd \
        --enable-x509-alt-username \
        OPENSSL_CFLAGS="-I/usr/include/openssl-1.1/openssl"
    make
}
And I get this:
configure: error: openssl check failed
==> ERROR: A failure occurred in build().
Aborting...
What am I doing wrong?
Wrong place. It needs to go in 'depends='
https://wiki.archlinux.org/title/PKGBUILD#depends
This is what I recommended to be changed in the PKGBUILD before building in a clean chroot with only version 1.1.1 of openssl installed inside it.
depends=('openssl' 'lzo' 'lz4' 'pkcs11-helper' 'libpkcs11-helper.so')
Change the openssl value to:
depends=('openssl-1.1' 'lzo' 'lz4' 'pkcs11-helper' 'libpkcs11-helper.so')
The Arch chroot wiki documentation I linked to uses arch-chroot for the procedure.
Artix has a similar version called artix-chroot which provides the same functionality.
Any Arch dev tools mentioned in Arch's wiki can usually be changed to Artix's version by just swapping the arch name to artix.
Be sure to have Artix's versions of Arch's devtools installed.
# pacman -Syu artools-base artools-pkg
If you want Artix's way to build an ISO then also add "artools-iso".
One can check the names of the scripts by running "pacman -Ql artools-base" and "pacman -Ql artools-pkg".
One can try playing around with environmental exports, settings and custom library linking paths, but it is full of trial and error, a frustrating approach.
The source code does not make it easy to select a specific openssl version during the compile and linking.
Thus the clean chroot method with only the 1.1.1 version of openssl installed provides the building environment that will allow openvpn to compile and link easily without too much fuss.
Thank you very much for your time. Ok, will try it now.
I see a command:
$ arch-nspawn $CHROOT/root pacman -Syu
What is Artix's version of it?
And this:
$ makechrootpkg -c -r $CHROOT
?
Artix appears to have a script for this which appears to be exactly what one wants to build in a clean chroot.
The Arch wiki appears to be not the best source now, sorry about that.
$ pacman -Ql artools-pkg
artools-pkg /usr/bin/mkchrootpkg
Usage: mkchrootpkg [options] -r <chrootdir> [--] [makepkg args]
 Run this script in a PKGBUILD dir to build a package inside a
 clean chroot. Arguments passed to this script after the
 end-of-options marker (--) will be passed to makepkg.

 The chroot dir consists of the following directories:
 <chrootdir>/{root, copy} but only "root" is required
 by default. The working copy will be created as needed

 The chroot 'root' directory must be created via the following
 command:
     mkchroot <chrootdir>/root base-devel

 This script reads {SRC,SRCPKG,PKG,LOG}DEST, MAKEFLAGS and PACKAGER
 from makepkg.conf(5), if those variables are not part of the
 environment.

 Default makepkg args: --syncdeps --noconfirm --log --holdver --skipinteg

Flags:
 -h         This help
 -c         Clean the chroot before building
 -d <dir>   Bind directory into build chroot as read-write
 -D <dir>   Bind directory into build chroot as read-only
 -u         Update the working copy of the chroot before building
            This is useful for rebuilds without dirtying the pristine
            chroot
 -r <dir>   The chroot dir to use
 -I <pkg>   Install a package into the working copy of the chroot
 -l <copy>  The directory to use as the working copy of the chroot
            Useful for maintaining multiple copies
            Default: sol
 -n         Run namcap on the package
 -C         Run checkpkg on the package
 -N         Disable check() function
 -T         Build in a temporary directory
 -U         Run makepkg as a specified user
The last time I looked at the artools-pkg scripts was quite a while ago and I missed this one.
The chroot method will not work for this after playing with it for most of the day.
Sorry for recommending this method.
Openssl is a key library linked to many core packages.
When one installs base-devel, system/openssl 3.0.8-1 is also installed.
Thus the only way to get a clean environment without openssl 3.0.8 is to build the complete tool-chain using openssl-1.1.
Following the Linux From Scratch (https://wiki.linuxfromscratch.org/lfs/wiki/read) type of source building may be the easiest way to get openvpn that uses the openssl-1.1 as a static library compiled in.
The resulting binary could then be used to run the company VPN no matter the placement with the correct permissions.
I have also tried using the configuration switches but the linking fails:
OPENSSL_CFLAGS="-I/usr/include/openssl-1.1/openssl -Wl,--enable-new-dtags,-rpath=/usr/lib/openssl-1.1/ -L/usr/lib/openssl-1.1/" \
"${srcdir}"/openvpn/configure \
    --prefix=/opt/openvpn-ssl-1.1 \
    --sbindir=/usr/bin \
    --enable-pkcs11 \
    --enable-plugins \
    --disable-systemd \
    --enable-x509-alt-username
Sad. Anyway, thank you VERY much for your efforts and time. I'm really sorry I made you dig all this that deep for me... Thanks a ton.
There is a package in the AUR which can provide clues on how to do this:
openvpn-openssl-1.0
One of the key lines that adapts it is this:
export PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig
There is an openssl-1.1 in the repos; pkgconfig points the build system at the required lib versions when you have installed that alongside the regular openssl, which most of the system uses.
As the Arch and AUR packages have systemd dependencies, this PKGBUILD would need to be compared to the Artix one and adapted likewise. It might also be needed to build a particular version of OpenVPN to be compatible with the older openssl; I have no idea if this is the case, though.
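Added example (not part of the original posts and not Artix or OpenVPN code): after a rebuild with PKG_CONFIG_PATH pointed at the openssl-1.1 pkgconfig directory, this checks from `readelf -d` output that the binary requests only the 1.1 sonames and nothing from OpenSSL 3. The readelf excerpts are constructed, the function names are made up for this sketch, and the `/usr/lib/openssl-1.1/pkgconfig` path is assumed by analogy with the openssl-1.0 path quoted above.

```sh
#!/bin/sh
# Added example. The readelf excerpts are constructed; the pkgconfig directory is
# assumed by analogy with the openssl-1.0 path quoted in the thread.
#
# Build step this check follows (inside the PKGBUILD's build()):
#   export PKG_CONFIG_PATH=/usr/lib/openssl-1.1/pkgconfig

# Print the libssl/libcrypto sonames from the DT_NEEDED entries of `readelf -d`
# output on stdin.
needed_openssl() {
    awk '$2 == "(NEEDED)" && $NF ~ /^\[lib(ssl|crypto)\.so/ {
        print substr($NF, 2, length($NF) - 2)
    }'
}

# check_openssl_abi <version>: succeed only if OpenSSL is requested at all and
# every requested soname ends in ".so.<version>".
check_openssl_abi() {
    want=$1
    found=$(needed_openssl)
    [ -n "$found" ] || { echo "no libssl/libcrypto in DT_NEEDED" >&2; return 2; }
    for lib in $found; do
        case $lib in
            *.so."$want") ;;
            *) echo "unexpected $lib, wanted .so.$want" >&2; return 1 ;;
        esac
    done
}

sample_linked_11() {      # constructed: the intended result
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [liblzo2.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
EOF
}

sample_mixed() {          # constructed: one library resolved to OpenSSL 3
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib/openssl-1.1/]
EOF
}

# Real use (binutils): readelf -d path/to/openvpn | check_openssl_abi 1.1
sample_linked_11 | check_openssl_abi 1.1 && echo "sample_linked_11: ok"
sample_mixed | check_openssl_abi 1.1 || echo "sample_mixed: rejected"
```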
Yes, trying it out now. But I get this. Dunno why:
==> Verifying source file signatures with gpg...
openvpn git repo ... SIGNATURE NOT FOUND
==> ERROR: One or more PGP signatures could not be verified!
I certainly did not write my answer in invisible ink in this regard.
https://forum.artixlinux.org/index.php/topic,5069.msg32434.html#msg32434
No, no. I've done that. Idk why it complains like this.
Sorry, guys. Looks like I've managed to compile it. Thanks, everyone! I made typos in PKGBUILD and messed with gpg lines there.
RESOLVED