Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pynitrokey is not working with openssl 3.0.10: Error detecting the version of libcrypto #431

Closed
SebastianHuettersen opened this issue Aug 28, 2023 · 9 comments

Comments

@SebastianHuettersen
Copy link

SebastianHuettersen commented Aug 28, 2023

Currently, pynitrokey does not work if the system uses an openssl version where a version part consists of more than one number, such as openssl 3.0.10 used by Debian 13 Trixie.

In this case pynitrokey aborts with the following error:

Critical error:
An unhandled exception occurred
	Exception encountered: LibraryNotFoundError('Error detecting the version of libcrypto')

The error is in the used library oscrypto where the regex to extract the version string has a fuzziness.
An issue has already been raised here, but a new release that fixes this problem is still missing at the moment:

Workaround:
Modify the regex in the file oscrypto/_openssl/_libcrypto_cffi.py:41 from

'\\b(\\d\\.\\d\\.\\d[a-z]*)\\b'

to

'\\b(\\d+\\.\\d+\\.\\d+[a-z]*)\\b'
@SebastianHuettersen SebastianHuettersen changed the title pynitrokey is not working with openssl 3.0.10 pynitrokey is not working with openssl 3.0.10: Error detecting the version of libcrypto Aug 29, 2023
@4SH-gaupee
Copy link

Hi, did you do any other step beside changing the regex ? I've tried on my venv and I still get the error

@robin-nitrokey
Copy link
Member

@4SH-gaupee You should be able to install the fixed oscrypto version inside the virtual environment with:

$ pip install "oscrypto @ git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3"

@daringer
Copy link
Collaborator

daringer commented Sep 25, 2023

For this to be permanently fixed we have to wait for a release of: https://pypi.org/project/oscrypto/ (hopefully 1.3.1) also requested it here: wbond/oscrypto#78. The dependency that is using it is spsdk (yay!) which pins it to <1.4 so lets hope for a 1.3.1 otherwise I don't see how we could solve that

@karami-omid
Copy link

@robin-nitrokey
Thank you so much. It works for me whin run the command! (oscrypto)

@DexterNemrod
Copy link

As a workaround it is possible to run the app or nitropy (which is the cli-basis for the app) on older distros in distrobox.
I tried it with Debian 11
All I had to do was to install pip
Install pynitrokey via pip
Download an move the udev-rules to /lib/udev/rules.d/

sudo apt install pip
pip install pynitrokey
wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo mv 41-nitrokey.rules /lib/udev/rules.d/

And restart the container

@UndeadDevel
Copy link

Would it be possible to apply a similar workaround to the released binaries as was applied to the pypy package (that can be installed with pipx)? This is relevant in connection with #495.

@robin-nitrokey
Copy link
Member

AFAIK there is no workaround for the pypi package. You have to manually apply the fix described above. To fix the problem both for the pypi package and the binary we would have to fork and release oscrypto. I’d rather avoid that, but maybe we have to consider that option if there is no upstream release.

@daringer
Copy link
Collaborator

just for the sake of documentation, the issue should be solvable for a pipx installation like that:

pipx inject --pip-args="--upgrade --force" pynitrokey "oscrypto @ git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3"

@robin-nitrokey
Copy link
Member

Since pynitrokey 0.5.0, we no longer depend on oscrypto.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants