This repository has been archived by the owner on May 3, 2022. It is now read-only.

Can't compile because crypto-mac = "^0.7" is missing #16

Closed
EcoloSweet opened this issue Aug 25, 2021 · 9 comments · Fixed by signalapp/poksho#2

Comments

@EcoloSweet

Apparently, the crypto-mac crate version 0.7 is now missing from crates.io, and that prevents compiling any project that depends on zkgroup.

The real dependency is poksho, but it doesn't seem to be maintained or secure (as said in their readme).

Do you have any idea what to do?

Here is my cargo command output:

```
user@linux [~/signal/test] $ cargo build
    Blocking waiting for file lock on package cache
    Updating crates.io index
    Updating git repository `https://github.com/whisperfish/libsignal-service-rs`
    Updating git repository `https://github.com/signalapp/libsignal-client`
    Updating git repository `https://github.com/signalapp/zkgroup`
    Updating git repository `https://github.com/signalapp/curve25519-dalek.git`
    Updating git repository `https://github.com/signalapp/curve25519-dalek.git`
    Updating git repository `https://github.com/signalapp/poksho.git`
error: failed to select a version for the requirement `crypto-mac = "^0.7"`
candidate versions found which didn't match: 0.11.1, 0.11.0, 0.10.1, ...
location searched: crates.io index
required by package `hmac v0.7.1`
    ... which is depended on by `poksho v0.7.0 (https://github.com/signalapp/poksho.git?tag=v0.7.0#8bb8c61c)`
    ... which is depended on by `zkgroup v0.7.3 (https://github.com/signalapp/zkgroup?tag=v0.7.3#197c382e)`
    ... which is depended on by `libsignal-service v0.1.0 (https://github.com/whisperfish/libsignal-service-rs#7d6fce5f)`
    ... which is depended on by `libsignal-service-hyper v0.1.0 (https://github.com/whisperfish/libsignal-service-rs#7d6fce5f)`
    ... which is depended on by `presage v0.1.0 (/home/user/signal/presage)`
    ... which is depended on by `test v0.1.0 (/home/user/signal/test)`
```

@jrose-signal
Contributor

Thank you for reporting this. Guess we need an update for poksho that bumps dependencies.

@EcoloSweet
Author

EcoloSweet commented Aug 26, 2021

I made this fork and updated the dependencies and code so it works again: https://github.com/EcoloSweet/poksho

Build is OK.

Tests are OK, but there aren't many, so I doubt it is enough...

To use it, add this to your Cargo.toml file:

```toml
[patch.'https://github.com/signalapp/poksho.git']
poksho = { git = "https://github.com/EcoloSweet/poksho"}
```

@EcoloSweet
Author

Sorry, I closed the issue by mistake.

Please close it if you think this is a good workaround. Maybe before closing we should wait for reviews of my code and maybe an accepted pull request in poksho...

@EcoloSweet EcoloSweet reopened this Aug 26, 2021
@rubdos

rubdos commented Aug 26, 2021

> Please close it if you think this is a good workaround. Maybe before closing we should wait for reviews of my code and maybe an accepted pull request in poksho...

Poksho is a crate from Signal; I suggest you make a pull request and link it here if you're comfortable with signing the Signal CLA.
Thanks for reporting!

@rubdos

rubdos commented Aug 26, 2021

> I suggest you make a pull request and link it here if you're comfortable with signing the Signal CLA.

I went ahead and made a PR myself, I hope that's okay for you!

@jrose-signal
Contributor

Oops, didn't expect this to be auto-closed, but there'll be a 0.7.5 tag shortly!

@jrose-signal jrose-signal reopened this Sep 2, 2021
@jrose-signal
Contributor

jrose-signal commented Sep 3, 2021

Looks like

  • zkgroup still uses sha2:0.8, because sha2:0.8 still uses digest:0.8
  • our fork of curve25519-dalek 2.0 still uses digest:0.8

Updating the use of curve25519-dalek is something I'd want to be more careful about, if something we already plan to do to merge zkgroup into libsignal-client. There's nothing that breaks if we use sha2:0.8 in zkgroup and sha2:0.9 in poksho, but it's not ideal.

Meanwhile…it looks like crypto-mac 0.7 has been restored, so I think for now I'm not going to do anything else. I did merge @rubdos' PR in the poksho repo and tagged it as 0.7.1, so it's easier to manually update with a patch as @EcoloSweet did with their own fork if this issue returns.

@rubdos

rubdos commented Sep 3, 2021

> Oops, didn't expect this to be auto-closed, but there'll be a 0.7.5 tag shortly!

Sorry for that, my bad. Shouldn't have done that, because obviously zkgroup wasn't patched with a bump.

> Updating the use of curve25519-dalek is something I'd want to be more careful about

Actually, I'm curious now about what happens in the Signal fork of 25519-dalek that isn't upstream. Is there any documentation on that, and any effort to backport Signal's needs onto upstream?

@jrose-signal
Contributor

> Actually, I'm curious now about what happens in the Signal fork of 25519-dalek that isn't upstream. Is there any documentation on that, and any effort to backport Signal's needs onto upstream?

There aren't too many new APIs (you can just look at them) but they do go below the abstraction barrier. There were some thoughts about upstreaming but it hasn't been made a priority yet, since it's more than "just one new API" or something.
