I was trying to figure out why FIPS mode was failing to activate, and after a discussion on the upstream mailing list, I noted that we are stripping the FIPS libraries and not regenerating the .chk files afterwards. This causes the FIPS validation to fail outright. app-crypt/hmaccalc requires FIPS mode to operate. Find attached a patch that: - includes more of the utilities. - add the fips libraries to PRELINK_PATH_MASK. - does NOT install the chk files generated during build. - generates the chk files as part of postinst. - removes dangling/stale chk files as part of postrm.
Created attachment 235225 [details, diff] nss-3.12.6-r1-postinst-chk-fixup.patch
Robin please feel free to land.
committed as nss-3.12.6-r2 in ~arch.