feat: initial commit

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-20 15:13:56 +02:00 · 2024-02-05 16:19:15 +01:00 · 2024-02-05 16:19:15 +01:00 · 1054e3dbe4
commit 1054e3dbe4
parent 6fe41c9723
51 changed files with 3521 additions and 1 deletions
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@ -0,0 +1,49 @@
+name: nix
+
+on:
+  pull_request:
+    branches: [ "main" ]
+  push:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      with:
+        extra_nix_config: |
+          access-tokens = github.com=${{ github.token }}
+    - run: nix flake check -L --show-trace --keep-going
+
+  fmt:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      with:
+        extra_nix_config: |
+          access-tokens = github.com=${{ github.token }}
+    - run: nix fmt
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+      with:
+        extra_nix_config: |
+          access-tokens = github.com=${{ github.token }}
+    - uses: cachix/cachix-action@v12
+      continue-on-error: true
+      with:
+        name: nixsgx
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+
+    - name: Build
+      run: nix build -L
--- a/.github/workflows/secrets_scanner.yaml
+++ b/.github/workflows/secrets_scanner.yaml
@ -0,0 +1,18 @@
+name: Leaked Secrets Scan
+on: [pull_request]
+jobs:
+  TruffleHog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          fetch-depth: 0
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@4db20e29f8568502b8d69ca2be6ce47a533925d3 # v3.63.3
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --debug --only-verified
+
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,6 @@
+# Intellij CLion
+/.idea
+
+/.envrc
+/.direnv
+/result
--- a/20
+++ b/20
@ -0,0 +1,20 @@
+Copyright (c) 2024 Matter Labs and the Nixpkgs/NixOS contributors
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/README.md
+++ b/README.md
@ -1,2 +1,13 @@
 # nixsgx
-Reproducible Nix packages for TEEs
+
+This repository contains a Nix flake with up2date packages for the Intel SGX SDK and gramine.
+
+Hopefully most of the packages will be upstreamed to nixpkgs at some point.
+
+All package builds should be reproducible and therefore can be used to build reproducible enclave images.
+
+## Usage
+
+See: https://github.com/haraldh/docker-era-fee-withdrawer
+
+
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,117 @@
+{
+  "nodes": {
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650374568,
+        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils-plus": {
+      "inputs": {
+        "flake-utils": "flake-utils"
+      },
+      "locked": {
+        "lastModified": 1696331477,
+        "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
+        "owner": "gytis-ivaskevicius",
+        "repo": "flake-utils-plus",
+        "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "gytis-ivaskevicius",
+        "repo": "flake-utils-plus",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1707091808,
+        "narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "9f2ee8c91ac42da3ae6c6a1d21555f283458247e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "snowfall-lib": "snowfall-lib"
+      }
+    },
+    "snowfall-lib": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils-plus": "flake-utils-plus",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1696432959,
+        "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=",
+        "owner": "snowfallorg",
+        "repo": "lib",
+        "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "snowfallorg",
+        "repo": "lib",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,34 @@
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+
+    snowfall-lib = {
+      url = "github:snowfallorg/lib";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  description = "SGX packages for nixos";
+
+  outputs = inputs:
+    inputs.snowfall-lib.mkFlake {
+      inherit inputs;
+      src = ./.;
+
+      package-namespace = "nixsgx";
+
+      snowfall = {
+        namespace = "nixsgx";
+      };
+
+      alias = {
+        packages = {
+          default = "all";
+        };
+      };
+
+      outputs-builder = channels: {
+        formatter = channels.nixpkgs.nixpkgs-fmt;
+      };
+    };
+}
--- a/packages/all/default.nix
+++ b/packages/all/default.nix
@ -0,0 +1,40 @@
+{ lib
+, buildEnv
+, stdenv
+, symlinkJoin
+, nixsgx
+}:
+let
+  container = stdenv.mkDerivation {
+    name = "container";
+
+    src = with nixsgx; [
+      docker-gramine-azure
+      docker-gramine-dcap
+    ];
+
+    unpackPhase = "true";
+
+    installPhase = ''
+      set -x
+      mkdir -p $out
+      cp -vr $src $out
+    '';
+  };
+in
+symlinkJoin {
+  name = "all";
+  paths = with nixsgx;[
+    azure-dcap-client
+    container
+    gramine
+    libuv
+    nodejs
+    protobufc
+    restart-aesmd
+    sgx-dcap
+    sgx-psw
+    sgx-sdk
+    sgx-ssl
+  ];
+}
--- a/packages/azure-dcap-client/Azure-DCAP-Client.patch
+++ b/packages/azure-dcap-client/Azure-DCAP-Client.patch
@ -0,0 +1,38 @@
+diff --git a/src/dcap_provider.cpp b/src/dcap_provider.cpp
+index af09546..40f8883 100644
+--- a/src/dcap_provider.cpp
+++ b/src/dcap_provider.cpp
+@@ -1348,7 +1348,7 @@ static std::string build_tcb_info_url(
+         tcb_info_url << base_url;
+     }
+     else
+-        tcb_info_url << get_base_url();
+        tcb_info_url << "https://api.trustedservices.intel.com/sgx/certification";
+ 
+     if (!version.empty())
+     {
+@@ -1441,7 +1441,7 @@ static std::string build_enclave_id_url(
+         qe_id_url << base_url;
+     }
+     else
+-        qe_id_url << get_base_url();
+        qe_id_url << "https://api.trustedservices.intel.com/sgx/certification/";
+ 
+     // Select the correct issuer header name
+     if (!version.empty())
+@@ -1536,6 +1536,7 @@ static quote3_error_t get_collateral(
+                 "Successfully fetched %s from URL: '%s'.",
+                 friendly_name.c_str(),
+                 url.c_str());
+/*
+             std::string cache_control;
+             auto get_cache_header_operation = get_unescape_header(*curl_operation, headers::CACHE_CONTROL, &cache_control);
+             retval = convert_to_intel_error(get_cache_header_operation);
+@@ -1549,6 +1550,7 @@ static quote3_error_t get_collateral(
+                     local_cache_add(issuer_chain_cache_name, expiry, issuer_chain.size(), issuer_chain.c_str());
+                 }
+             }
+*/
+         }
+ 
+         return retval;
--- a/packages/azure-dcap-client/default.nix
+++ b/packages/azure-dcap-client/default.nix
@ -0,0 +1,88 @@
+{ stdenv
+, fetchFromGitHub
+, lib
+, curl
+, nlohmann_json
+, openssl
+, pkg-config
+, linkFarmFromDrvs
+, callPackage
+}:
+let
+  # Although those headers are also included in the source of `sgx-psw`, the `azure-dcap-client` build needs specific versions
+  filterSparse = list: ''
+    cp -r "$out"/. .
+    find "$out" -mindepth 1 -delete
+    cp ${lib.concatStringsSep " " list} "$out/"
+  '';
+  headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [
+    (fetchFromGitHub rec {
+      name = "${repo}-headers";
+      owner = "intel";
+      repo = "linux-sgx";
+      # See: <src/Linux/configure> for the revision `azure-dcap-client` uses.
+      rev = "1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be";
+      hash = "sha256-WJRoS6+NBVJrFmHABEEDpDhW+zbWFUl65AycCkRavfs=";
+      sparseCheckout = [
+        "common/inc/sgx_report.h"
+        "common/inc/sgx_key.h"
+        "common/inc/sgx_attributes.h"
+      ];
+      postFetch = filterSparse sparseCheckout;
+    })
+  ];
+in
+stdenv.mkDerivation rec {
+  pname = "azure-dcap-client";
+  version = "1.12.3";
+
+  src = fetchFromGitHub {
+    owner = "microsoft";
+    repo = pname;
+    rev = version;
+    hash = "sha256-zTDaICsSPXctgFRCZBiZwXV9dLk2pFL9kp5a8FkiTZA=";
+  };
+
+  patches = [
+    ./missing-includes.patch
+    ./Azure-DCAP-Client.patch
+  ];
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    curl
+    nlohmann_json
+    openssl
+  ];
+
+  postPatch = ''
+    mkdir -p src/Linux/ext/intel
+    find -L '${headers}' -type f -exec ln -s {} src/Linux/ext/intel \;
+
+    substitute src/Linux/Makefile{.in,} \
+      --replace '##CURLINC##' '${curl.dev}/include/curl/' \
+      --replace '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)'
+  '';
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-deprecated-declarations";
+
+  makeFlags = [
+    "-C src/Linux"
+    "prefix=$(out)"
+  ];
+
+  # Online test suite; run with
+  # $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests
+  passthru.tests.suite = callPackage ./test-suite.nix { };
+
+  meta = with lib; {
+    description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
+    homepage = "https://github.com/microsoft/azure-dcap-client";
+    maintainers = with maintainers; [ phlip9 trundle veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = [ licenses.mit ];
+  };
+}
--- a/packages/azure-dcap-client/missing-includes.patch
+++ b/packages/azure-dcap-client/missing-includes.patch
@ -0,0 +1,12 @@
+diff --git a/src/Linux/local_cache.cpp b/src/Linux/local_cache.cpp
+index fe48b90..aa91cb8 100644
+--- a/src/Linux/local_cache.cpp
+++ b/src/Linux/local_cache.cpp
+@@ -6,6 +6,7 @@
+ #include <algorithm>
+ #include <cstring>
+ #include <mutex>
+#include <stdexcept>
+ 
+ #include <fcntl.h>
+ #include <ftw.h>
--- a/packages/azure-dcap-client/test-suite.nix
+++ b/packages/azure-dcap-client/test-suite.nix
@ -0,0 +1,32 @@
+{ lib
+, sgx-azure-dcap-client
+, gtest
+, makeWrapper
+}:
+sgx-azure-dcap-client.overrideAttrs (old: {
+  nativeBuildInputs = old.nativeBuildInputs ++ [
+    makeWrapper
+    gtest
+  ];
+
+  patches = [
+    ./tests-missing-includes.patch
+  ];
+
+  buildFlags = [
+    "tests"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D ./src/Linux/tests "$out/bin/tests"
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    wrapProgram "$out/bin/tests" \
+      --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-azure-dcap-client ]}"
+  '';
+})
--- a/packages/azure-dcap-client/tests-missing-includes.patch
+++ b/packages/azure-dcap-client/tests-missing-includes.patch
@ -0,0 +1,12 @@
+diff --git a/src/UnitTest/test_local_cache.cpp b/src/UnitTest/test_local_cache.cpp
+index 5fbc31b..6b8d52e 100644
+--- a/src/UnitTest/test_local_cache.cpp
+++ b/src/UnitTest/test_local_cache.cpp
+@@ -5,6 +5,7 @@
+ #include <gtest/gtest.h>
+ 
+ #undef NDEBUG // ensure that asserts are never compiled out
+#include <array>
+ #include <cassert>
+ #include <cstdio>
+ #include <cstring>
--- a/packages/docker-gramine-azure/default.nix
+++ b/packages/docker-gramine-azure/default.nix
@ -0,0 +1,28 @@
+{ lib
+, buildEnv
+, busybox
+, python3
+, dockerTools
+, nixsgx
+}:
+dockerTools.buildLayeredImage {
+  name = "gramine-azure";
+  tag = "latest";
+
+  contents = buildEnv {
+    name = "image-root";
+    paths = [
+      busybox
+      nixsgx.azure-dcap-client
+      nixsgx.sgx-psw
+      nixsgx.sgx-dcap.quote_verify
+      nixsgx.gramine
+    ];
+
+    pathsToLink = [ "/bin" "/lib" "/etc" ];
+    postBuild = ''
+      	mkdir -p $out/var
+      	ln -s /run $out/var/run
+    '';
+  };
+}
--- a/packages/docker-gramine-dcap/default.nix
+++ b/packages/docker-gramine-dcap/default.nix
@ -0,0 +1,27 @@
+{ lib
+, buildEnv
+, dockerTools
+, nixsgx
+, busybox
+, ...
+}:
+dockerTools.buildLayeredImage {
+  name = "gramine-dcap";
+  tag = "latest";
+
+  contents = buildEnv {
+    name = "image-root";
+    paths = [
+      busybox
+      nixsgx.sgx-psw
+      nixsgx.gramine
+      nixsgx.sgx-dcap.default_qpl
+      nixsgx.restart-aesmd
+    ];
+    pathsToLink = [ "/bin" "/lib" "/etc" ];
+    postBuild = ''
+      	mkdir -p $out/var
+      	ln -s /run $out/var/run
+    '';
+  };
+}
--- a/packages/gramine/default.nix
+++ b/packages/gramine/default.nix
@ -0,0 +1,159 @@
+{ pkgs
+, lib
+, nixsgx
+, fetchurl
+, bash
+, meson
+, nasm
+, ninja
+, cmake
+, pkg-config
+, autoconf
+, gawk
+, bison
+, patchelf
+, which
+, ...
+}:
+let
+  gcc-wrap = fetchurl {
+    url = "https://ftp.gnu.org/gnu/gcc/gcc-10.2.0/gcc-10.2.0.tar.gz";
+    hash = "sha256-J+h53MxjnNewzAjtV1wWaUkleVKbU8n/J7C5YmX6hn0=";
+  };
+  tomlc99-wrap = fetchurl {
+    url = "https://github.com/cktan/tomlc99/archive/208203af46bdbdb29ba199660ed78d09c220b6c5.tar.gz";
+    hash = "sha256-cxORP94awLCjGjTk/I4QSMDLGwgT59okpEtMw8gPDok=";
+  };
+  cjson-wrap = fetchurl {
+    url = "https://github.com/DaveGamble/cJSON/archive/v1.7.12.tar.gz";
+    hash = "sha256-dgaHZlq0Glz/nECxBTwZVyvNqt7xGU5cuhteb4JGhuc=";
+  };
+  curl-wrap = fetchurl {
+    url = "https://curl.se/download/curl-8.4.0.tar.gz";
+    hash = "sha256-gW5BgJwEP/KF6MDwanWh+iUCEbv7LcCgN+7vOfGp5Cc=";
+  };
+  mbedtls-wrap = fetchurl {
+    url = "https://github.com/ARMmbed/mbedtls/archive/mbedtls-3.5.0.tar.gz";
+    hash = "sha256-AjEfyL0DLYn/mu5TXd21VFgQjcDUxSgGOPxhGup8Xko=";
+  };
+  uthash-wrap = fetchurl {
+    url = "https://github.com/troydhanson/uthash/archive/v2.1.0.tar.gz";
+    hash = "sha256-FSzNjmTQ9JU3cjLjlk0Gx+yLuMP70yF/ilcCYU+aZp4=";
+  };
+  glibc-wrap = fetchurl {
+    url = "https://ftp.gnu.org/gnu/glibc/glibc-2.38.tar.gz";
+    hash = "sha256-FuUeBFXiiPAzgLQ25B1ZJ8YJRavYbQyYUrhL5X3W7V4=";
+  };
+
+  python = pkgs.python3;
+
+  my-python-packages = ps: with ps; [
+    click
+    jinja2
+    pyelftools
+    tomli
+    tomli-w
+    cryptography
+  ];
+in
+python.pkgs.buildPythonPackage {
+  pname = "gramine";
+  version = "1.6";
+
+  src = pkgs.fetchFromGitHub {
+    owner = "gramineproject";
+    repo = "gramine";
+    rev = "v1.6";
+    hash = "sha256-LX7/XqxS8z0PomBDqe53sTTYgaXVmP23GSTJMpXRorM=";
+    fetchSubmodules = true;
+  };
+
+  outputs = [ "out" "dev" ];
+
+  # Unpack subproject sources
+  postUnpack = ''(
+    cd "$sourceRoot/subprojects"
+    tar -zxf ${gcc-wrap}
+    cp -av packagefiles/gcc-10.2.0/. gcc-10.2.0
+    tar -zxf ${tomlc99-wrap}
+    cp -av packagefiles/tomlc99/. tomlc99-208203af46bdbdb29ba199660ed78d09c220b6c5
+    tar -zxf ${cjson-wrap}
+    cp -av packagefiles/cJSON/. cJSON-1.7.12
+    tar -zxf ${curl-wrap}
+    cp -av packagefiles/curl-8.4.0/. curl-8.4.0
+    mkdir mbedtls-mbedtls-3.5.0
+    tar -zxf ${mbedtls-wrap} -C mbedtls-mbedtls-3.5.0
+    cp -av packagefiles/mbedtls/. mbedtls-mbedtls-3.5.0
+    tar -zxf ${uthash-wrap}
+    cp -av packagefiles/uthash/. uthash-2.1.0
+    mkdir glibc-2.38-1
+    tar -zxf ${glibc-wrap} -C glibc-2.38-1
+    cp -av packagefiles/glibc-2.38/. glibc-2.38-1
+    sed -i -e 's#set -e#set -ex#g' glibc-2.38-1/compile.sh
+  )'';
+
+  postPatch = ''
+    patchShebangs --build $(find . -name '*.sh')
+    patchShebangs --build $(find . -name '*.py')
+    patchShebangs --build $(find . -name 'configure')
+  '';
+
+  mesonFlags = [
+    "--buildtype=release"
+    "-Ddirect=enabled"
+    "-Dsgx=enabled"
+    "-Dsgx_driver=upstream"
+  ];
+
+  postFixup = ''
+    set -e
+    rm $out/lib/*.a
+    rm $out/lib/*/*/*/*.a
+    patchelf --remove-rpath $out/lib/gramine/sgx/libpal.so
+    patchelf --remove-rpath $out/lib/gramine/direct/loader
+    patchelf --remove-rpath $out/lib/gramine/libsysdb.so
+    patchelf --remove-rpath $out/lib/gramine/runtime/glibc/ld.so
+    patchelf --remove-rpath $out/lib/gramine/runtime/glibc/libc.so
+    patchelf --remove-rpath $out/lib/gramine/runtime/glibc/ld-linux-x86-64.so.2
+  '';
+
+  format = "other";
+
+  nativeBuildInputs = [
+    python
+    meson
+    nasm
+    ninja
+    cmake
+    pkg-config
+    nixsgx.sgx-sdk
+    nixsgx.protobufc
+    nixsgx.protobufc.dev
+    nixsgx.sgx-dcap.dev
+    nixsgx.sgx-dcap.quote_verify
+    autoconf
+    gawk
+    bison
+    patchelf
+    which
+  ];
+
+  buildInputs = [
+    nixsgx.protobufc.dev
+    nixsgx.protobufc.lib
+    bash
+  ];
+
+  propagatedBuildInputs = [
+    (python.withPackages my-python-packages)
+  ];
+
+  #doCheck = false;
+
+  meta = with lib; {
+    description = "A lightweight usermode guest OS designed to run a single Linux application";
+    homepage = "https://gramine.readthedocs.io/";
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ lgpl3 ];
+  };
+}
--- a/packages/libuv/default.nix
+++ b/packages/libuv/default.nix
@ -0,0 +1,10 @@
+{ lib
+, libuv
+}:
+libuv.overrideAttrs (prevAttrs: {
+    separateDebugInfo = false;
+    patches = (prevAttrs.patches or [ ]) ++ [
+      ./no-getifaddr.patch
+      ./no-eventfd.patch
+    ];
+  })
--- a/packages/libuv/no-eventfd.patch
+++ b/packages/libuv/no-eventfd.patch
@ -0,0 +1,36 @@
+diff --git a/src/unix/async.c b/src/unix/async.c
+index 0ff2669e..2bb87863 100644
+--- a/src/unix/async.c
+++ b/src/unix/async.c
+@@ -35,6 +35,13 @@
+ #include <sched.h>  /* sched_yield() */
+ 
+ #ifdef __linux__
+#define HAVE_EVENT_FD
+#endif
+
+// No eventfd for gramine
+#undef HAVE_EVENT_FD
+
+#ifdef HAVE_EVENT_FD
+ #include <sys/eventfd.h>
+ #endif
+ 
+@@ -188,7 +195,7 @@ static void uv__async_send(uv_loop_t* loop) {
+   len = 1;
+   fd = loop->async_wfd;
+ 
+-#if defined(__linux__)
+#if defined(HAVE_EVENT_FD)
+   if (fd == -1) {
+     static const uint64_t val = 1;
+     buf = &val;
+@@ -219,7 +226,7 @@ static int uv__async_start(uv_loop_t* loop) {
+   if (loop->async_io_watcher.fd != -1)
+     return 0;
+ 
+-#ifdef __linux__
+#ifdef HAVE_EVENT_FD
+   err = eventfd(0, EFD_CLOEXEC | EFD_NONBLOCK);
+   if (err < 0)
+     return UV__ERR(errno);
--- a/packages/libuv/no-getifaddr.patch
+++ b/packages/libuv/no-getifaddr.patch
@ -0,0 +1,55 @@
+diff --git a/src/unix/linux.c b/src/unix/linux.c
+index 48b9c2c4..4ae67296 100644
+--- a/src/unix/linux.c
+++ b/src/unix/linux.c
+@@ -114,7 +114,7 @@
+ # endif
+ #endif /* __NR_getrandom */
+ 
+-#define HAVE_IFADDRS_H 1
+#undef HAVE_IFADDRS_H
+ 
+ # if defined(__ANDROID_API__) && __ANDROID_API__ < 24
+ # undef HAVE_IFADDRS_H
+diff --git a/test/test-list.h b/test/test-list.h
+index 78ff9c2d..c05ab80b 100644
+--- a/test/test-list.h
+++ b/test/test-list.h
+@@ -483,7 +483,7 @@ TEST_DECLARE   (poll_nested_kqueue)
+ TEST_DECLARE   (poll_multiple_handles)
+ 
+ TEST_DECLARE   (ip4_addr)
+-TEST_DECLARE   (ip6_addr_link_local)
+// NO_TEST_DECLARE   (ip6_addr_link_local)
+ TEST_DECLARE   (ip_name)
+ 
+ TEST_DECLARE   (poll_close_doesnt_corrupt_stack)
+@@ -1157,7 +1157,7 @@ TASK_LIST_START
+   TEST_ENTRY  (thread_affinity)
+   TEST_ENTRY  (dlerror)
+   TEST_ENTRY  (ip4_addr)
+-  TEST_ENTRY  (ip6_addr_link_local)
+//  NO_TEST_ENTRY  (ip6_addr_link_local)
+   TEST_ENTRY  (ip_name)
+ 
+   TEST_ENTRY  (queue_foreach_delete)
+diff --git a/test/test-platform-output.c b/test/test-platform-output.c
+index 5839f52d..8ba16d1f 100644
+--- a/test/test-platform-output.c
+++ b/test/test-platform-output.c
+@@ -112,6 +112,7 @@ TEST_IMPL(platform_output) {
+ #endif
+   uv_free_cpu_info(cpus, count);
+ 
+#if 0
+   err = uv_interface_addresses(&interfaces, &count);
+   ASSERT(err == 0);
+ 
+@@ -147,6 +148,7 @@ TEST_IMPL(platform_output) {
+     }
+   }
+   uv_free_interface_addresses(interfaces, count);
+#endif
+ 
+   err = uv_os_get_passwd(&pwd);
+   ASSERT_EQ(err, 0);
--- a/packages/nodejs/bypass-darwin-xcrun-node16.patch
+++ b/packages/nodejs/bypass-darwin-xcrun-node16.patch
@ -0,0 +1,41 @@
+Avoids needing xcrun or xcodebuild in PATH for native package builds
+
+diff --git a/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/xcode_emulation.py b/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/xcode_emulation.py
+index a75d8ee..476440d 100644
+--- a/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/xcode_emulation.py
+++ b/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/xcode_emulation.py
+@@ -522,7 +522,13 @@ class XcodeSettings:
+         # Since the CLT has no SDK paths anyway, returning None is the
+         # most sensible route and should still do the right thing.
+         try:
+-            return GetStdoutQuiet(["xcrun", "--sdk", sdk, infoitem])
+            #return GetStdoutQuiet(["xcrun", "--sdk", sdk, infoitem])
+            return {
+                "--show-sdk-platform-path": "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform",
+                "--show-sdk-path": "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk",
+                "--show-sdk-build-version": "19A547",
+                "--show-sdk-version": "10.15"
+            }[infoitem]
+         except GypError:
+             pass
+ 
+@@ -1499,7 +1505,8 @@ def XcodeVersion():
+     version = ""
+     build = ""
+     try:
+-        version_list = GetStdoutQuiet(["xcodebuild", "-version"]).splitlines()
+        #version_list = GetStdoutQuiet(["xcodebuild", "-version"]).splitlines()
+        version_list = []
+         # In some circumstances xcodebuild exits 0 but doesn't return
+         # the right results; for example, a user on 10.7 or 10.8 with
+         # a bogus path set via xcode-select
+@@ -1510,7 +1517,8 @@ def XcodeVersion():
+         version = version_list[0].split()[-1]  # Last word on first line
+         build = version_list[-1].split()[-1]  # Last word on last line
+     except GypError:  # Xcode not installed so look for XCode Command Line Tools
+-        version = CLTVersion()  # macOS Catalina returns 11.0.0.0.1.1567737322
+        #version = CLTVersion()  # macOS Catalina returns 11.0.0.0.1.1567737322
+        version = "11.0.0.0.1.1567737322"
+         if not version:
+             raise GypError("No Xcode or CLT version detected!")
+     # Be careful to convert "4.2.3" to "0423" and "11.0.0" to "1100":
--- a/packages/nodejs/bypass-xcodebuild.diff
+++ b/packages/nodejs/bypass-xcodebuild.diff
@ -0,0 +1,28 @@
+diff -Naur node-v12.18.4/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/xcode_emulation.py node-v12.18.4-new/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/xcode_emulation.py
+--- node-v12.18.4/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/xcode_emulation.py	2020-09-15 09:08:46.000000000 +0200
+++ node-v12.18.4-new/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/xcode_emulation.py	2020-12-03 16:55:43.781860687 +0100
+@@ -436,7 +436,14 @@
+     # Since the CLT has no SDK paths anyway, returning None is the
+     # most sensible route and should still do the right thing.
+     try:
+-      return GetStdoutQuiet(['xcodebuild', '-version', '-sdk', sdk, infoitem])
+      # Return fake data that xcodebuild would normally return
+
+      xcodedata = {
+        "Path": "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk",
+        "ProductBuildVersion": "19A547",
+        "ProductVersion": "10.15"
+      }
+      return xcodedata[infoitem]
+     except GypError:
+       pass
+ 
+@@ -1271,7 +1278,7 @@
+   version = ""
+   build = ""
+   try:
+-    version_list = GetStdoutQuiet(['xcodebuild', '-version']).splitlines()
+    version_list = []
+     # In some circumstances xcodebuild exits 0 but doesn't return
+     # the right results; for example, a user on 10.7 or 10.8 with
+     # a bogus path set via xcode-select
--- a/packages/nodejs/corepack.nix
+++ b/packages/nodejs/corepack.nix
@ -0,0 +1,26 @@
+{ lib, stdenv, nodejs }:
+
+stdenv.mkDerivation {
+  pname = "corepack-nodejs";
+  inherit (nodejs) version;
+
+  nativeBuildInputs = [ nodejs ];
+
+  dontUnpack = true;
+
+  installPhase = ''
+    mkdir -p $out/bin
+    corepack enable --install-directory $out/bin
+    # Enabling npm caused some crashes - leaving out for now
+    # corepack enable --install-directory $out/bin npm
+  '';
+
+  meta = {
+    description = "Wrappers for npm, pnpm and Yarn via Node.js Corepack";
+    homepage = "https://nodejs.org/api/corepack.html";
+    changelog = "https://github.com/nodejs/node/releases/tag/v${nodejs.version}";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ wmertens ];
+    platforms = lib.platforms.linux ++ lib.platforms.darwin;
+  };
+}
--- a/packages/nodejs/default.nix
+++ b/packages/nodejs/default.nix
@ -0,0 +1,33 @@
+{ callPackage, lib, overrideCC, pkgs, buildPackages, fetchpatch, openssl, python3, nixsgx, enableNpm ? false }:
+
+let
+  # Clang 16+ cannot build Node v18 due to -Wenum-constexpr-conversion errors.
+  # Use an older version of clang with the current libc++ for compatibility (e.g., with icu).
+  ensureCompatibleCC = packages:
+    if packages.stdenv.cc.isClang && lib.versionAtLeast (lib.getVersion packages.stdenv.cc.cc) "16"
+      then overrideCC packages.llvmPackages_15.stdenv (packages.llvmPackages_15.stdenv.cc.override {
+        inherit (packages.llvmPackages) libcxx;
+        extraPackages = [ packages.llvmPackages.libcxxabi ];
+      })
+      else packages.stdenv;
+
+  buildNodejs = callPackage ./nodejs.nix {
+    inherit openssl;
+    stdenv = ensureCompatibleCC pkgs;
+    buildPackages = buildPackages // { stdenv = ensureCompatibleCC buildPackages; };
+    python = python3;
+    libuv = nixsgx.libuv;
+  };
+in
+buildNodejs {
+  inherit enableNpm;
+  version = "18.18.2";
+  sha256 = "sha256-ckni8K+UPsOFmVBPSyor0x+5OHhykbbMymyLrfAeO1Y=";
+  patches = [
+    ./disable-darwin-v8-system-instrumentation.patch
+    ./bypass-darwin-xcrun-node16.patch
+    ./revert-arm64-pointer-auth.patch
+    ./node-npm-build-npm-package-logic.patch
+    ./trap-handler-backport.patch
+  ];
+}
--- a/packages/nodejs/disable-darwin-v8-system-instrumentation-node19.patch
+++ b/packages/nodejs/disable-darwin-v8-system-instrumentation-node19.patch
@ -0,0 +1,16 @@
+Disable v8 system instrumentation on Darwin
+
+On Darwin, the v8 system instrumentation requires the header "os/signpost.h"
+which is available since apple_sdk 11+. See: https://github.com/nodejs/node/issues/39584
+
+--- old/tools/v8_gypfiles/features.gypi
+++ new/tools/v8_gypfiles/features.gypi
+@@ -62,7 +62,7 @@
+       }, {
+         'is_component_build': 0,
+       }],
+-      ['OS == "win" or OS == "mac"', {
+      ['OS == "win"', {
+         # Sets -DENABLE_SYSTEM_INSTRUMENTATION. Enables OS-dependent event tracing
+         'v8_enable_system_instrumentation': 1,
+       }, {
--- a/packages/nodejs/disable-darwin-v8-system-instrumentation.patch
+++ b/packages/nodejs/disable-darwin-v8-system-instrumentation.patch
@ -0,0 +1,16 @@
+Disable v8 system instrumentation on Darwin
+
+On Darwin, the v8 system instrumentation requires the header "os/signpost.h"
+which is available since apple_sdk 11+. See: https://github.com/nodejs/node/issues/39584
+
+--- old/tools/v8_gypfiles/features.gypi
+++ new/tools/v8_gypfiles/features.gypi
+@@ -62,7 +62,7 @@
+       }, {
+         'is_component_build': 0,
+       }],
+-      ['OS == "win" or OS == "mac"', {
+      ['OS == "win"', {
+         # Sets -DSYSTEM_INSTRUMENTATION. Enables OS-dependent event tracing
+         'v8_enable_system_instrumentation': 1,
+       }, {
--- a/packages/nodejs/fix-npm-patch-paths.sh
+++ b/packages/nodejs/fix-npm-patch-paths.sh
@ -0,0 +1,7 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p gnused
+
+sed -i "s| a/node_modules| a/deps/npm/node_modules|" node-npm-build-npm-package-logic.patch
+sed -i "s| b/node_modules| b/deps/npm/node_modules|" node-npm-build-npm-package-logic.patch
+sed -i "s| a/workspaces| a/deps/npm/node_modules/@npmcli|" node-npm-build-npm-package-logic.patch
+sed -i "s| b/workspaces| b/deps/npm/node_modules/@npmcli|" node-npm-build-npm-package-logic.patch
--- a/packages/nodejs/node-npm-build-npm-package-logic-node16.patch
+++ b/packages/nodejs/node-npm-build-npm-package-logic-node16.patch
@ -0,0 +1,95 @@
+This patch is based off of npm tag v8.19.4.
+
+This introduces fixes for 4 issues:
+
+1. When node-gyp is included as a dependency in a project, any scripts that run it will not use the copy included in Node. This is problematic because we patch node-gyp to work without xcbuild on Darwin, leading to these packages failing to build with a sandbox on Darwin.
+2. When a Git dependency contains install scripts, it has to be built just like any other package. Thus, we need to patch shebangs appropriately, just like in npmConfigHook.
+3. We get useless warnings that clog up logs when using a v1 lockfile, so we silence them.
+4. npm looks at a hidden lockfile to determine if files have binaries to link into `node_modules/.bin`. When using a v1 lockfile offline, this lockfile does not contain enough info, leading to binaries for packages such as Webpack not being available to scripts. We used to work around this by making npm ignore the hidden lockfile by creating a file, but now we just disable the code path entirely.
+
+To update:
+1. Run `git diff` from an npm checkout
+2. Run `fix-npm-patch-paths.sh`
+3. Include/update this frontmatter, please!
+
+diff --git a/deps/npm/node_modules/@npmcli/run-script/lib/set-path.js b/deps/npm/node_modules/@npmcli/run-script/lib/set-path.js
+index c59c270d9..98785192f 100644
+--- a/deps/npm/node_modules/@npmcli/run-script/lib/set-path.js
+++ b/deps/npm/node_modules/@npmcli/run-script/lib/set-path.js
+@@ -12,7 +12,10 @@ const setPATH = (projectPath, binPaths, env) => {
+     .reduce((set, p) => set.concat(p.filter(concatted => !set.includes(concatted))), [])
+     .join(delimiter)
+ 
+-  const pathArr = []
+  // Ensure when using buildNpmPackage hooks that Node.js'
+  // bundled copy of node-gyp is used, instead of any copy
+  // pulled in as a dependency.
+  const pathArr = process.env['NIX_NODEJS_BUILDNPMPACKAGE'] ? [nodeGypPath, PATH] : [];
+   if (binPaths) {
+     pathArr.push(...binPaths)
+   }
+@@ -26,7 +29,8 @@ const setPATH = (projectPath, binPaths, env) => {
+     pp = p
+     p = dirname(p)
+   } while (p !== pp)
+-  pathArr.push(nodeGypPath, PATH)
+  if (!process.env['NIX_NODEJS_BUILDNPMPACKAGE']) { pathArr.push(nodeGypPath, PATH) }
+
+ 
+   const pathVal = pathArr.join(delimiter)
+ 
+diff --git a/deps/npm/node_modules/pacote/lib/git.js b/deps/npm/node_modules/pacote/lib/git.js
+index c4819b4fd..7efbeef05 100644
+--- a/deps/npm/node_modules/pacote/lib/git.js
+++ b/deps/npm/node_modules/pacote/lib/git.js
+@@ -186,6 +186,24 @@ class GitFetcher extends Fetcher {
+       }
+       noPrepare.push(this.resolved)
+ 
+      if (process.env['NIX_NODEJS_BUILDNPMPACKAGE']) {
+        const spawn = require('@npmcli/promise-spawn')
+
+        const npmWithNixFlags = (args, cmd) => spawn('bash', ['-c', 'npm ' + args + ` $npm${cmd}Flags "$\{npm${cmd}FlagsArray[@]}" $npmFlags "$\{npmFlagsArray[@]}"`], { cwd: dir, env: { ...process.env, _PACOTE_NO_PREPARE_: noPrepare.join('\n') } }, { message: `\`npm ${args}\` failed` })
+        const patchShebangs = () => spawn('bash', ['-c', 'source $stdenv/setup; patchShebangs node_modules'], { cwd: dir })
+
+        // the DirFetcher will do its own preparation to run the prepare scripts
+        // All we have to do is put the deps in place so that it can succeed.
+        //
+        // We ignore this.npmConfig to maintain an environment that's as close
+        // to the rest of the build as possible.
+        return spawn('bash', ['-c', '$prefetchNpmDeps --fixup-lockfile package-lock.json'], { cwd: dir })
+        .then(() => npmWithNixFlags('ci --ignore-scripts', 'Install'))
+        .then(patchShebangs)
+        .then(() => npmWithNixFlags('rebuild', 'Rebuild'))
+        .then(patchShebangs)
+      }
+
+       // the DirFetcher will do its own preparation to run the prepare scripts
+       // All we have to do is put the deps in place so that it can succeed.
+       return npm(
+diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
+index e9a8720d7..b29ad0185 100644
+--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
+@@ -744,7 +744,7 @@ This is a one-time fix-up, please be patient...
+           node.package = { ...mani, _id: `${mani.name}@${mani.version}` }
+         } catch (er) {
+           const warning = `Could not fetch metadata for ${name}@${id}`
+-          log.warn(heading, warning, er)
+          if (!process.env['NIX_NODEJS_BUILDNPMPACKAGE']) { log.warn(heading, warning, er) }
+         }
+         this.finishTracker(t)
+       })
+diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js
+index 7ab65f5b0..12f563a50 100644
+--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js
+@@ -143,7 +143,7 @@ module.exports = cls => class ActualLoader extends cls {
+     this[_actualTree].assertRootOverrides()
+ 
+     // if forceActual is set, don't even try the hidden lockfile
+-    if (!forceActual) {
+    if (!forceActual && !process.env['NIX_NODEJS_BUILDNPMPACKAGE']) {
+       // Note: hidden lockfile will be rejected if it's not the latest thing
+       // in the folder, or if any of the entries in the hidden lockfile are
+       // missing.
--- a/packages/nodejs/node-npm-build-npm-package-logic.patch
+++ b/packages/nodejs/node-npm-build-npm-package-logic.patch
@ -0,0 +1,95 @@
+This patch is based off of npm tag v9.1.5.
+
+This introduces fixes for 4 issues:
+
+1. When node-gyp is included as a dependency in a project, any scripts that run it will not use the copy included in Node. This is problematic because we patch node-gyp to work without xcbuild on Darwin, leading to these packages failing to build with a sandbox on Darwin.
+2. When a Git dependency contains install scripts, it has to be built just like any other package. Thus, we need to patch shebangs appropriately, just like in npmConfigHook.
+3. We get useless warnings that clog up logs when using a v1 lockfile, so we silence them.
+4. npm looks at a hidden lockfile to determine if files have binaries to link into `node_modules/.bin`. When using a v1 lockfile offline, this lockfile does not contain enough info, leading to binaries for packages such as Webpack not being available to scripts. We used to work around this by making npm ignore the hidden lockfile by creating a file, but now we just disable the code path entirely.
+
+To update:
+1. Run `git diff` from an npm checkout
+2. Run `fix-npm-patch-paths.sh`
+3. Include/update this frontmatter, please!
+
+diff --git a/deps/npm/node_modules/@npmcli/run-script/lib/set-path.js b/deps/npm/node_modules/@npmcli/run-script/lib/set-path.js
+index c59c270d9..98785192f 100644
+--- a/deps/npm/node_modules/@npmcli/run-script/lib/set-path.js
+++ b/deps/npm/node_modules/@npmcli/run-script/lib/set-path.js
+@@ -12,7 +12,10 @@ const setPATH = (projectPath, binPaths, env) => {
+     .reduce((set, p) => set.concat(p.filter(concatted => !set.includes(concatted))), [])
+     .join(delimiter)
+ 
+-  const pathArr = []
+  // Ensure when using buildNpmPackage hooks that Node.js'
+  // bundled copy of node-gyp is used, instead of any copy
+  // pulled in as a dependency.
+  const pathArr = process.env['NIX_NODEJS_BUILDNPMPACKAGE'] ? [nodeGypPath, PATH] : [];
+   if (binPaths) {
+     pathArr.push(...binPaths)
+   }
+@@ -26,7 +29,8 @@ const setPATH = (projectPath, binPaths, env) => {
+     pp = p
+     p = dirname(p)
+   } while (p !== pp)
+-  pathArr.push(nodeGypPath, PATH)
+  if (!process.env['NIX_NODEJS_BUILDNPMPACKAGE']) { pathArr.push(nodeGypPath, PATH) }
+
+ 
+   const pathVal = pathArr.join(delimiter)
+ 
+diff --git a/deps/npm/node_modules/pacote/lib/git.js b/deps/npm/node_modules/pacote/lib/git.js
+index 1fa8b1f96..a026bb50d 100644
+--- a/deps/npm/node_modules/pacote/lib/git.js
+++ b/deps/npm/node_modules/pacote/lib/git.js
+@@ -188,6 +188,24 @@ class GitFetcher extends Fetcher {
+       }
+       noPrepare.push(this.resolved)
+ 
+      if (process.env['NIX_NODEJS_BUILDNPMPACKAGE']) {
+        const spawn = require('@npmcli/promise-spawn')
+
+        const npmWithNixFlags = (args, cmd) => spawn('bash', ['-c', 'npm ' + args + ` $npm${cmd}Flags "$\{npm${cmd}FlagsArray[@]}" $npmFlags "$\{npmFlagsArray[@]}"`], { cwd: dir, env: { ...process.env, _PACOTE_NO_PREPARE_: noPrepare.join('\n') } }, { message: `\`npm ${args}\` failed` })
+        const patchShebangs = () => spawn('bash', ['-c', 'source $stdenv/setup; patchShebangs node_modules'], { cwd: dir })
+
+        // the DirFetcher will do its own preparation to run the prepare scripts
+        // All we have to do is put the deps in place so that it can succeed.
+        //
+        // We ignore this.npmConfig to maintain an environment that's as close
+        // to the rest of the build as possible.
+        return spawn('bash', ['-c', '$prefetchNpmDeps --fixup-lockfile package-lock.json'], { cwd: dir })
+        .then(() => npmWithNixFlags('ci --ignore-scripts', 'Install'))
+        .then(patchShebangs)
+        .then(() => npmWithNixFlags('rebuild', 'Rebuild'))
+        .then(patchShebangs)
+      }
+
+       // the DirFetcher will do its own preparation to run the prepare scripts
+       // All we have to do is put the deps in place so that it can succeed.
+       return npm(
+diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
+index 2ea66ac33..25e671318 100644
+--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
+@@ -740,7 +740,7 @@ This is a one-time fix-up, please be patient...
+           node.package = { ...mani, _id: `${mani.name}@${mani.version}` }
+         } catch (er) {
+           const warning = `Could not fetch metadata for ${name}@${id}`
+-          log.warn(heading, warning, er)
+          if (!process.env['NIX_NODEJS_BUILDNPMPACKAGE']) { log.warn(heading, warning, er) }
+         }
+         this.finishTracker(t)
+       })
+diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js
+index 6c3f917c6..ec21d2cc4 100644
+--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js
+@@ -147,7 +147,7 @@ module.exports = cls => class ActualLoader extends cls {
+       this[_actualTree].assertRootOverrides()
+ 
+       // if forceActual is set, don't even try the hidden lockfile
+-      if (!forceActual) {
+      if (!forceActual && !process.env['NIX_NODEJS_BUILDNPMPACKAGE']) {
+         // Note: hidden lockfile will be rejected if it's not the latest thing
+         // in the folder, or if any of the entries in the hidden lockfile are
+         // missing.
--- a/packages/nodejs/nodejs-release-keys.asc
+++ b/packages/nodejs/nodejs-release-keys.asc
@ -0,0 +1,776 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFKKodABCADiE7Ex8GXnQNgipqbTADO5+BfufYFeq9YLEKkuOUfnjAZ8Wzle
+4eLL4rdfFSuwuUO0rkSFOpNjkjKqxfRo0RkmlMxdHwT2auf/yrfX4EyhyKDn1Vh8
+MP2JecXQN3FVa1yR8AMGfT0zOP138MNp21tNp3Dy9r/ds6ZhttrnR+mrKnhKMmTj
+1J+MX/LKw3o9ERIz0O8dxw75pA27npX1EcSCM1Vcq1bam7xD6d3cfQtfQsidXkQ/
+nFpD7BQFU+nemYaa6Vkuy4VJ11AMLNvzoWc2iHofD0kO60am3z6x8t63m+BUSU5I
+r7B5GNbatekJqu/Qn1qrCjyuXcExEsGnCJl/ABEBAAG0ElJvZCBWYWdnIDxyQHZh
+LmdnPokBOAQTAQIAIgUCUoqh0AIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA
+CgkQwnN5L32DVF2cywf/Vws0J68vxn+ngUzq/wcWlQANfwMFUcD/8eM0N1B3OMXQ
+9+GSlsuEUvh6/oxYxn4EPIgdqsV25SB/fAUz4uN50qvc0ft+wTgh20pnMP0qLf7/
+adb/dBf/NTV4TWzHaUDAkwPXqPd4He7AI5/PZeaMGmJPJmeR8ZM0ZrvLsNTmYV6N
+byWcqYvbbRSNSn4ypb/QbYjFQZB2QKrC1LAW9jpdNnfQViYeZDmoSRaCTOv7SeSy
+TkzOhMFRZDP9NmUvnl3chWNdmBoLls3/lO1Kpuc8h+nXkgU1hUyvsPjs8zBaqUDI
+oMudExnECyEUHlZvVLlfpocznOPqlBhxjR0Q9VRYYokCHAQQAQIABgUCWL7qpAAK
+CRCVUaCxpuKXzorJEACb96lsYyavUJOsFd6w8pgOENJjxZF64JR0Dx1rSsC4VgUa
+m5zVVasJ29oAnzpeCQzt0sazTgLYrzxA4RY/guI7FBmI3p1nwhUCprG5QMuE1iZ+
+PXVvkTNnNWDlpGGSkDyiC0ER3kWVlECaJhDmSDHxVNl+IwXgd6Jmx47RHYv64rON
+FERHfMjzCUi5uLs+zoIU2V8sy3j7Hv10+/zUGBSy3wSaUlmNK+7wkI9WS3BkcQ/1
+6Afet+De5XSVdDJu2TwhESEyXHFgXv9UQAbj5e8/fG8S/kPalQKnzQxp4eYtgC7a
+cq1LGOX5BS0eFdwCnyNkZUhuHkjSYqg6GjEhmgEhUmow9FzaAD2JO8lXMYXtiXTX
+U3VeY92b7gEt76HdefuAhPFRo2DppSQB2Qh1d6+WRWjxfIcVZcMjby3cDzBYZvfj
+Jhzxv+3qSlzeYeDSLZUkyARRshLcd1LvlZiHntveiMuvehemVLcQ2XtCJh6mCfFJ
+HwkRloAswSW1XiDEaybcc/Cok5aPjk/sozVCH1g9lyeQTIQ7QCYQzA2TrfCLOvL0
+9pguTGRFC22ikZzgPD9dC5vo1MvjRczT2g3gDxqrjvt35v3+ZlQ4ZJ+U2G9Ew+XF
+Jn9bo4ZXxffj6jPnFiELZfSwIGP9EUaPXMXh/lov8IMfr37cQsE360A82RRAd4kC
+IgQTAQgADAUCVw1LygWDB4YfgAAKCRDnO8ZBzBH0yHMND/46YV031EzwZL67h+ZC
+SWka9SR+o1XHVWvjLGOcSOeBnD+8C170Q30NYVMEgSwtF8kY0M5k6GlEpIKNuOYq
+NphXkNfn00ysqJ1G8WIGmGnsA/g/4LYSGt4ttL8roW582Ps3ITAYR/OVgHBccssL
+6QdylghWW6wKYs5yoOn51pr0Ff0WyARfQxiaFNtwrZseSRrFlgCgX0+Hrfin1iHz
+l8m/I8BIywM+fW+kk6ixitkFPszvT+9sgLj5viUl7+pJzLIs3GwODkLVCWCetLfO
+XP7XDrcBQpU6OExpaC4ua4tVhfiaTJkYFB43Za0rP8egx8u7tBs9WC6rU3wygsLJ
+uD9sdahFHY4c52eBRdIvAQow1oEj3WW3JIN72TiSOFbCMiFNR1t1nezaokef89pN
+LMlJnzJ6BeKWmiSMsmOcT3Uq8cmmQpmbF3N0cZyOy2MMrnBtm0iIwY4NJ/YlLbAj
+1f4urrAWkFInzWCdE/L6VO93WwD7sHLOcq8fKWv/2/QY7kGP8Cbut59ie6wUr53S
+IEM7B21/zdcrI2ND7R9Bdo0h867NgIuve6EN/W08QbCsTAu8ukdtKOISprqBXQ7y
+7CEUGRFlHbiLfhyaNs1IHtSDVpt6Rq/U5X35Zk3MSsL44ZuTqS7HE/QMjQy8oQ2U
+tJyhZrnOkqHjT+g/kz1bKZ+JPbQXUm9kIFZhZ2cgPHJvZEB2YWdnLm9yZz6JATgE
+EwECACIFAlKKo5ACGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEMJzeS99
+g1RdocEIAJCkX71Kddk6B1HD9V80dpTVvm+YMup2qca6LqLtsiYE/O/XZHRZZ1WJ
+RdxTGqGLKLkHgea0PUaxrcUxSzibDFJqEcRBz90ojaVu2jXb8Wbr9PkNcV0ABivy
+PCpx0IFUxKj3+94akK9DOzwLpAf2QMSm0JlQhdql8K0JCRyk9ehkBCxcssVKocgZ
+TCRur475lYNDU4SiQoJJ7iFirf1SvNAoeXwXiqDAR2q/k5VrANmfzKvmQ4UMciEx
+vQaxc+q7LsBI0/EzFtWCnhPabEzhY8lzqsxlfdEbFXWFO1V6206FBYuymTE6IDxg
+trhVg6FZgmWSrxnWWasJSZxv2iWhwgKJAhwEEAECAAYFAli+6qQACgkQlVGgsabi
+l843ZRAAsPXN0qd5njBzcSMOTSwYVOX5/1NNWI4ac0kbtdgh9bvcWxL1OtR0nkiA
+6evmTtC7HuMSKtviMtpHwIHp1TVu4nuosFUJaLRkxv43U7ReQSk8nxFWBcucLIaL
+8/V89YmLH6LAWEr6zaP2KoRwDLJr5mfpU8GLaBVittGzxN9llkmPRA12uS7HHgRq
+i1D8bcZVj4EHoB4Lj5U0L/GpqgU/UitUR32fmmfvzQFMWVRMfJHP389Y2lRbcqC/
+rZXa2USH5WC+oDejhRq50S3B/v1jB8jtYtWZXmYQCk98KCUB+4ck8uSLYZGtZpt4
+lb2ZSFb3IhGAzJR5DBgZI6YrfwnBfOxdt0VWv/pU0PzNGbl/iLRWFI1aIOcIsWkV
+0+XDegde8kTdhvrlbE+Dst8sBdIKN+4BJxkGVlugKFnlLcTPiMAsz1W3b0wT3PgA
+zSYgf32KUCtxSgJO7rkKOf1vzcuH8L/MYH6X3CV9Zm4ZXXbTSyMp04LCJZMO3K/L
+4lc+sYs/KFJCl5mt7zCXs56ta522TFgg+4JV7ZyI+74ZPA+MJB647cdHiNYMIh3r
+FUiz4PJRQCu3NdeyCktChASFKag2AMIKEKeow5z+e3EE6zRy7ErBBLb9T/14BBPn
+5FRSv0A3iiQVw77i30Ds1YuROX7sWsN74sgJfytLiy9vdT3Jiz+JAiIEEwEIAAwF
+AlcNS7sFgweGH4AACgkQ5zvGQcwR9MiizBAA5IaFWe3L1TckdaIu+z/OlxEsL8jF
+NJVCXdjUoOUk4PKf2BpMbWXM9N+JrZw3kjyWX//S6Dl5Do/tO9JTMX0btwIfhZUk
+uvx7H4Oh38UKwkDl207DF9JMDeU6/h/rsWjAmzVLxMhdbEGIDQlhjYgsZbJjC5be
+ZDuYfDKOye65HUa++O6h5EOBd2qLRl/pGJHLlAiGPLtwY3jewEZlCrlO958aTkPl
+AHxh+ltRWLd2zYF0xnBaWvpFOVArjDNkTSuyYYNtBa6OmKPZ4BkPQb5Av9b9GCwJ
+2dxdlUf7GexBHlANRbAcw0kXmCJOYLxxOx8jQRnQ8TLiL9Rds4c+XlloJfYsD/Rx
+vIvUAKMqFEXmMlBnO9VJeiw4r0F7pNH6VYp7bnz1NiW3Mimk0Kjz2TTOVpfR+kht
+hMFO+oCpJShsfqq9WWX2+MM/dC11oIGfr/kGqK6DSkIbflkqFnBEVuM+uUe0OeDV
+IWrEF5O22+pGeC0Yezrzp4x+3lL8ObsFKGWwxTdmbpIcR4zT+Er3dPAdLBFcm/Le
+0Odjv1sj/LLOC6FKg7qKG7raglkQSMEF8DAtWkE2H1P2ywvky8HArk5OM0LXcxub
+Mo849kZrLhGblt8+zp32fafsQEIsNAzoqCR50XSHJhMb0zmPmvXCAfsk1wWKlgFg
+M7vo0zXSYLg8ifa5AQ0EUoqh0AEIANGUbt///24seQv1o9hgAWJ6i7sjC79jCH1m
+tPlLjAsUcGg+16fTwAlII1Z2ffXYKs9MvcGBNVdxkR8S1g+aYM/ds3hY2CglHe7z
+N+/pkYr5I1jchmCE6LQDbGA/yIfiufMkUFB1Pry34P+G3mcnENfeETns/26yCSJ9
+plysIggJiPKS3ihrPnp8qjCEByzBn70HRkliS4nnjws1aSG67aWUn0RdELrK7Mgm
+EWRacrMu308pgdn7XQ/hUUPcsOAqiI9tc0xeG2FXEg2WS7aklqAw7yjEpJK7qid0
+ntEbKy3Erlu29ZxzH/kphNJH5eQFgXJ0guhG/Sm4ljt45nn7H+8AEQEAAYkBHwQY
+AQIACQUCUoqh0AIbDAAKCRDCc3kvfYNUXVfxCAC1ajXnKPFswIU2RgJETuY1GgUH
+NL8oU3bp5oGhocKPcDPQL8rLZkAhTfKYkRoc6hLS5wcgz8FSEEz5oMesBWCXSZBS
+8xTW0vgncbrTUVnVmCAz88qeQ7SA9RVmgnpgKnVAv46azZQkB+x1FR2scSEf7uoo
+Go5zxB7LvSwRX+bgyct5TRcs37lLLaaGlgsy7yrcZYqqUXjEOGrZ78KMNDifK+X0
+XYoGY+p4sCfl4Uf46qANa4shQMZjKaWGZpiqs673aIg0MoZPCyTTO6Atfsv2Li8E
+ossDZpvJuroJFZw5zvIEy7AiDAcCZjMj8FLoLzom0A1FNxCvgzOraMITOobsmQIN
+BFM7JpoBEACmf7uB5P5QJ8X38ARQn+dr+/O+6/wzkKzUcoFvRArwZTcpdEO/0C12
+kNSpK2UkVMh4sorYwA8W0yv3spZJWU3TiIfCVryxqZaAWEIU+dwsQ0P6EAUythjd
+QEs81bG6aN0dUqE26fWjGL/mU7BPtAwfzg6lty2cwZJP5zaNCl/PjRUeTKC2oNas
+3M5dWoOqWq6HLPqnTEPHPlZ/mhkOfLOnJA6r669sQcml5R+Lhwd8wdJp+ANiDLW6
+61MmaiA4VqjEXwsXKK0KISWftEgd9WGBsHH8rn4KdKj9u6EtnDlA3vaPmADZmf7R
+VSMRoMkdiswFqEIMQuhTVbqS69vyhtByQs1fhriYrPy3OMeSMjJ/zNDCnHTBuKxo
+NHgMcznVu1tjz+ggso7Whd0IiXEaHXhF5ASWnJJa+xLxXQRQV2X1RXEK0bAySX5B
+NmxJRVY+ixpO5TVhQhzzzL9Ivz4z0odlvt5VJJIHHFIAWkgXRNAo0wgDzfe+jHO
+E7nz9uzYsqDBV25Zo22oMZURTBN87WZ1TFpDiORvvjR8QXJIBIUvMHAhG/ZlEkVo
+poNaznUOplnr/ToDpA1RDrdxeUAQ1i99EeBtXRREFgByFvETnVCkX/pvQA1yFrhG
+FgqCYBpN4IK0UcUx1MuwPBrfZxbL/cy+FhmJqutB6ufaJzatMQHu5QARAQABtClr
+ZXliYXNlLmlvL2Zpc2hyb2NrIDxmaXNocm9ja0BrZXliYXNlLmlvPokBHAQQAQIA
+BgUCVu4HLwAKCRDCc3kvfYNUXW4MB/9dLmaZaaPUPrEaUQfN6UngTKRNLOJj22FW
+2S+e7ALUcA808o80BaK/9dk6mmQCD8L8INRzsNOyBGfN3KL/hV0Zg7BtX2R5ed5p
+0S1CmJzsutV6AAsXJvu73bOCy0QosnpsJDRx51k/4+1jUt6PkTMy4YxbVDDBRQTG
+DApi2EeX5kwaw1jNiubsfOPtBbyuZbXS0IBKQREFwXtbwUmEc9amw2QopNj8N8Oh
+eXbmc6AjiZUdDjOj3tZ9oflc3t6lDVH5EypuKZbcR6fOf4AlrXnuE3uHYMW57D/h
+QL5/BMIe1fmK0HYEwg4BaLqCu9lgsYTYJtcTHHfisRDMs7F9Wxw7iQIcBBABAgAG
+BQJYvupKAAoJEJVRoLGm4pfOzKsQAMVG0EblgGmcLA+VKZkuHtOgasrBBJXkxDnG
+B5Xepg+1hOduxkO1rR5tGvejlWhcX8S17o1hdnl2LFdyzHwBU+i3BYYDkUFOWkO/
+mkUvB3SPyHuNMRxZtNne3aZ08Sl/3yxIJFiEvg9ZPS3NDS9G/jxcGzP4b9FHE170
+34BxSorHQxER7upkow1eO7dhjTCRVeDggMqWPYUjPGLDypiZHfkeItHvjTYaueQ9
+oUzFzRPLOBaGVl+aIlojkIWWv010Dk54/uisEBbFuVoX9b76dBx1INEVLEb66MvC
+BLhqsDH16fyj0tQEaTjSSdkJNul6n9DH2idjEkIf/+sZ11B7rW3FxuodtCB+se3Z
+c4xWWtuvahTV+UwNiPC10pOUZbEnqeo69VpETSVK5h3jQ7HsLiTIgAVgwEUjPpLD
+GsFbJ9VB9m/OYNmN8gtk67OVTu5IjHY06eifrHzBNXNf7A+udJgs+PSxfFd3jOuP
+uaR80cU3gbhbzu5LzDWo37Zj9o1MPmSENKEGnW576RKZ6lJYWkpD7XJlwYs9mPse
+LScqT2z09G4N0R/cgxGo1UCSuzWxc7eTFG8Q4kEBul7KjA2t3jxyzALbbcGDbnqS
+Ufvsr5jQQdwh0LU/xDL2sAm8Z+4yrU4mqQFicWHDCOQPUF/C0GCMbKfbqqCC56Vs
+sToI7UaTiQIiBBMBCAAMBQJXDUv7BYMHhh+AAAoJEOc7xkHMEfTIBaUP/jguidAV
+f1iW4N/Hk059nISZM0RbjxXJh6PbEgroTzyEEJljV4c8Yv21/wMXiCklNmVhVgcc
+OoEqZMwDAz2vu4uDwDk/z41rM6lkFNVdMvBx92de+WjYYsdIBQYfklRY3LeImrkV
+vHW9YW/yyqjh/wqVKpfMTuUUufaXgr+hbB9u5UMGY2dgq+3bTj/MqgDHa6sazam2
+uU0C95CCW/rY0GzX6azVEJkEacSlue5sX2/y2UCpCI2oCc5w1NUASSYpiBrTajnE
+loDYpgt00deEonGrhTZ4zCRdHSBaaAZbzZ5KQ7AYfRnk6C8Iawlhhm4TirQb2bXq
+Oj20E2ly7tpzeo1F0ZdOQQXuolfp7Gf5UQOitMqdUeTQQ0HelWqfOoGPBkbXcOwJ
+Kz7ptfESnBD1JjNVXtBIxyG9rCeqwJxNcTt+bWrXaqfybJFUldYwKmdITnsbjlj4
+3ArxOUm/wfxgg3uVcshZ1g6etU3t+57rTQHT32VdPSKKW2AfzZS7um6+LypnIch2
+ve16PzM22HUWpounMmKc43BNa729+3R64EJ1/0qftiFuYoF+IAIkePcLc8qxJxJ/
+TJbsmSpThLz65645wbGD/b7Bnbb80ewBFMwivtwc58WSi+0oWhbuGUSAzCZfN/7I
+hcPbWtQjN0W4Fc6KCmAiIyTML8Z1CJs83k+LiQI9BBMBCgAnAhsvBQkSzAMABQsJ
+CAcDBRUKCQgLBRYCAwEAAh4BAheABQJXBCGnAAoJEAn+RHNOt5kOLQEP+QHDbHiZ
+FTkJNwmx+3+WV9VeJanGXSjccM/yA/lS14PcD5ic3rm0ttI3xa8FmzePZyH17hQB
+R7eawYSrWNErJr3ODd+P8rgXy2PVr3nUdQP+jIgCcbLiGgcFaTtYnAiBXNVzZHrS
+xVKyzxECHQAtnkarIzMmVTpm985nwcSEUdj87cqFRwS4LIBDme8q+0lI+WMR0QaG
+18wO/70/7jnw1vP8J4Qn6W9dt1GTTBpTnIw+PF552YRQy4V+WSPVcijOp5/8+sdI
+DD+g11TtJLpoMsJtqNJS8XCal0LONqN7noXGc15BU9Y8LnhEvs7aG/7R1CEOeR75
+ifWnuUIrKj75xg96TPHhwzKKyuhoc2UYf4hhMgDaZhY6YrZ2LAie7CQneh9uWZn9
+Ku93UMWB01f/LyVnDrr0scvZG5g0T70h6woYuf3hIoUokma/cck4svcrv19gQ+UA
+gw7PbxbL32oaX5TShLh6j13O6UNqwYZbDslnuyp2TJy72TM0m1ESCZqF5BKZXvrB
+vvRwIkD5Oi+Y7EJBuT9ZCu3rPyTNoRfxKKAcNV3lSkQx32tucu3IYwYS3twi9y7/
+uC0fU8UQw4wDATi91vq6t8+nFMBfuZC4ZklG8ztSbF/G259WpsSuQsprFge3KKBU
+oIEde3zdEC5i7U/Tv84ON1iEoTyalDnfPDjoiQI9BBMBCgAnBQJTOyaaAhsvBQkS
+zAMABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEAn+RHNOt5kOgmwP/i9jLD0h
+yEyusmJaIo26TW7wlN4gc1rk43AU4WXrlar2nCbW3wd5Mq5sqZPCqmOhGxXdCVP0
+Y1bXSunSQnmGWaWRxo/H+rhWYOSwICGnc3JAjSnSHndgHPBkqyw1qGivI92xghT7
+WPAn/aBDH/VgQ0LuDPeJReDFc0KFCpnxBql/eBVS5/D25LYyNhFaZcCZJItNzieP
+dJfhGdml9NoC92AP2qHTO6UgrmPJKlxDOWIEs8ITwClZp9Y5jWnSY1xhQYPfoa2M
+87WbDJRZ9XMrhUyGuqdoADdsnSIKIr+So2QOM3dPsQ/Fq6tkK9tTBlT2n9wHgmuc
+uTuT3n27GkFIF5Npz1/TnsGM8WzIsBmfOaUh8DVcurhW0ovmq+drLV15FillcV4r
+hAMBLKYquj35BjoxXaX39NKjKe7+Ngh4gUZVeQPeQtQq0jZ4rEd26x5Pj0DH3Jkz
+OaphQjS4K1Im9fZ5EL+mJ89AMKGSmMNAGnivIt84CUd6i4sT2a1YxUkq8HKQJpgr
+nPMkWpsXpq0+xnr/43CC6vnalEUjrKsT63ToHOQGRxK7RLBbUioBVy0tWKKr3ujp
+W9iPefELT8Refw5PIXHXedb8cpr0jmblQ77DM0mXXljQuTjxE9VaakHA+RwBYy0Z
+zdMMKKTcUXcHOJJgZ22RTA+07RO5c7NLkC2ziQJABBMBCgAqAhsvBQkSzAMABQsJ
+CAcDBRUKCQgLBRYCAwEAAh4BAheABQJXBCF2AhkBAAoJEAn+RHNOt5kOABMP/2Df
+9RUECEKAoxnUQvDpdki0UTEJvgjdQVDonztdpGw7kaquH7KLQBxacIU0J3KDr5Da
+60RyKL1InGugbLRIt/iMbLn+ENPsIGOHAJNmIBXvChwUGFzGmSRKxZG921DJmI89
+qjtFbK0nSy3m5AUpPAmj3UD+JXGGc5QIxmhOZLcPcY9YGv0oQA51ukiycgy8s4uZ
+7SuT+VYk9wMA3EoDlMbh6nwJjaiz9eunlqMF2aB25Ri6SxtXLNJDhuTzEJSVZQTO
+k068wBR6271Y5gC6K9+DPqBQeVXoKrFzCFfGmaMAkiK25WFfwqJJKvejkWNi0FwE
+tlBKOc3KzCG3rV+0FYu/4rzNL5j9EQuMZIsu+drCz76/hA4j/sWOz1wqwRMf0197
+/EqnRVXHPnDIa9h5WbCGTKFbVaXth0bP0EXgCZ1IxFsZh7JjtVSUHYDSfZc61npe
+zXshg1JKEk9f4XIW4PoVpjrIKWFMJ0ILsE7GQA/MlW2gK4CpEMAxH8EuXQPXEHA0
+yJ1pKdpVfO35ChqYdVBIp/oNkAbYp+hwUe44/TJsWN7ARVioH9JK+EHef+QskZl0
+796cQLNW9I5txkOpSQ7cSbEF4SEaCGS/gHVtFo8xCEhVBt2ElBHeQ4Y7B4Zbv62e
+yM44mcJTTxP2SoZ/dwyFMUEbJ6PA8HScDLbFZL74tC5KZXJlbWlhaCBTZW5rcGll
+bCA8ZmlzaHJvY2sxMjNAcm9ja2V0bWFpbC5jb20+iQIcBBABAgAGBQJYvupKAAoJ
+EJVRoLGm4pfOpIQP/36ItdPwRczrB8eH3ifzqXCJXoeOZ8a1Ys/XWtzGp2j7+wwO
+PwL/t5YY8oxbZarQr3QX2RRCIiz2Ftjfea3/AN0J+AgFs+0t4zEuBkVX17SUrp5T
+Gc8EeyH39KHX2B42VgFmZyQPQMxbg/yTnhH6qUeUuteiZ+mFBhap/od+ORHfZzk4
+19ybLpOYPZPjSYw+XKgv+mLt+59h2Tt8fCy1mZUYuQOGb+YJ64Hi4IQAtLdL3x8d
+dhhG6pAsXDU5ezb8obHpySQkBqVUOcUWSYPU6p92nM0klXA5QvYuynxl8LRUy1Mx
+FL74o7aisQ3CKzIxXFkoAeorYWAAzBVDOIOiI3aEFMxHu0FQIebfI3ln0mCwSCKE
+IlrTWdeBFfJ1m9gTmbrA9ljnkMXaTcDWNszCjB9btcxV0nRqQGyEZ9wBFMwrLVy9
+cNiJ2qophrha5OmAN2lwVlKUTwTM7zisgpAPs60Z4OPsKUQ0wTjqLp6Xmv2xiTdX
+ezBEQPIBGRRcUSwO8dvKt0zRZqYBChIsgWxyTK2a5eeiTpqD4g0W8rSwf7i1GZUl
+ZR4PqgeEAuRw8ERz0o9lMuYYLBqnyMnoar+MPF/tewiKgQsiaVwBGsy/UFLP6fEA
+BE0cjueF3AtZscR5WU7oT1Qn8DzoVC54GG5QfGmV9bgRmeyon4ksMFl/6SDciQIi
+BBMBCAAMBQJXDUv7BYMHhh+AAAoJEOc7xkHMEfTI5dYQALdHmZ+NlBsDOrGCY/kn
+qdsDreLnmHWjoK3cMrU5jkO7PgpZybjlyx7fI0A/q5HP20ZSg6BuqEn2wmLPHW34
+Xpdcr14XXjU2fZkRDFV2X4XM30to+MViQLDxcy32qguuC6HhoZBbGGgUHZ9kJQOY
+bBb6BerpEsF+5/1kUeLuHDy5BBLHWmU+qt78Qqrp1mOWE06abKpkrdkIR91FVgmQ
+a7ILIPjXWfLq/AukgZgv/Pqxq7b8wbSAKn15t7v4NjCtMHYVSfNPyRotO08H7cME
+6KxdnIbyVBwoCx0K8CAl3vq2654Z5hy+Y7Cj+ecxXxld8RHpZqzIUaqGaG6bf2gW
+uuRpFcOqDUKT7DhHK6Pg+TkyaVoh+K0ORk1B49EPY2v29WGe2TlrUJhgmecVLdi0
+ylvHF9FkBsyqxMFFm7Ph4xqa1O6Okyng3KLX/A/Il5qlI90dRCiVUMY8zZd9B1Qm
+q2Es15bDdI13YG/9K61eoO94kD6af8w+PAPmTWok7nxr/YlZ8hgo5o8cApyDHOnI
+iKF+Kk1NUeZqLjI5Ht0dzcCyE1+Kjqh8EGQFAN4AijT2ERApj1ipRqs/KxDpoUkJ
+jkJ5V3gfIKfsTZDYLVh5aqm46A2pg8jd8rhF1dZCl8XjUYylSZCrl0bLZkV2/sFS
+Y1w5mrUJlwzd5Fp7PhWWbKR4iQI9BBMBCgAnBQJXBCFqAhsvBQkSzAMABQsJCAcD
+BRUKCQgLBRYCAwEAAh4BAheAAAoJEAn+RHNOt5kOMjkP+gL22iXwbP4B4WVRScj5
+FFjT0lm3/5nP8Mg+RYL63E66ZLcVH76B63s8le0u7IGtUpj8U4DX6EJx0ihJqROp
+o3cZrBKj0OYUz8yUDFk4BnvhqpTmACiBaVBNSlQHdTMT4PR+j3BuWpzOiwthPjYg
+tDd7Dm51hsJYg7kuFJWDYPdnP+BqwWksHx75TSLiFWzUXmFRaAvLFUIxu+9/fptd
+ITHKAOBkJRAInAd/NcAiJBjDFTYjqqztST6xv5cJgtDSpR1Nd+dw5A+y+cfcN1vm
+3prZgpKbj5F40q9kDqE5GHJB3gEMh9PF+SPdPeudkafLPU7tQ5x6yo/82NyH1Vvz
+mPJ9S5fBK5NWvhs2WIvtnU+3DiCbDX+m1lVDJzusuBAJKvR4Qku+CT2OcjONpNpv
+09MwOro075fgKmFrtssOexDPp82k28qrA14HjuRH3I0Af4KfGhU3cL4DE1GB0nib
+QSjPGp516eiQtU2YTZUDrONNfquNIbKAVmHsW8+JCXS3Mxn4ShWv4+rG3bcVMKAC
+hi0bm+/U8lFiIEmB3d+Oa5CFV483pAofbyPbC665t9rS9ihLJDI6684qnK+FmLYO
+xuhPT1U4WL9E/+09VpnafrL+vrHXNNhLf/V+uJ+DvqI744j6d3zBlxl7Re5nOGV7
+j3jsizc0PAyTfQy1SOvc+1r/iQJABBMBCgAqAhsvBQkSzAMABQsJCAcDBRUKCQgL
+BRYCAwEAAh4BAheABQJXBCGnAhkBAAoJEAn+RHNOt5kON3AP/2RfLbVPFTNaNktN
+RRBzO3AdX9F5WvvyTuISP1yPXTyirrdTyzr/mYzc9/hj3Cl0aXGmhtTMqyw2RkG4
+Xvy/Sz8XlDxDb7+6H+DnNrJvAPaspCL0Nt8xQNKqnfJaQzpWOH9BMuO2DbBSYcdH
+gbWtrj7WRVJHMrvkMb+ZxFQBoXGGK1qYRy/APqYLWEA7iwahlkfF9hLsqKxq0QQF
+kn/j3C4vir5GX2D5sE6DMTOwbk/WjbR5B7ClsLrcsJOjRQS/VR7bAfmSz5SbQaLG
+ODshpWmm02cVBSYFrFy3rI5c1XWsRPUyVMgeV4Xet3IqPIeF2V+fUAa4pAZ/Kum1
+D+2+ww04s5ClLxIDDDzQtNMs51Rysp4e+512i3PlFHThpzOdyecTUuJ4rzdlkFab
+xF+GgWb3e2RbWO7cuqsreMNKJZb1B6qLBgpzKkgdhUyh3oWvm5VCGwxyrmI/fgt
+PCfhV6W5MrZon9KJ4Bjac6YqurfEJNJNY977N7pe6+bDpCMIVTAzI5Ts0ghcticQ
+vMONTPqtEkQ8tBpGglJ5AxdyeRqC1SFinLwcRt+BjB1rgMA0/Jq2/E7ztMdKcWDH
+vdX334gTEaNZnlWcHcVh0vEoQAQCKrslnfvHktxbFvkDTC2LpSasjWkelObbVfxz
+qpGa21qQV9ZfDn1tpdG/vfz6FTxDuQINBFM7JpoBEAC8b4+YhGkK7yqWzWXMk3oJ
+HWN8wYU8GkbURn52jg1yuYS4cJOH9C3T/iKAMsUYGIjIJD384FQX+V/vOJEWo32b
+O0L44LHhQtZSxO27Zpm4dp4jGVK0vQTN7w0ov8Eve708nRK+9uHO0S8Y6/6Ex1iB
+EfU+4s8vOLMg6jW+D5rfU/y/O6iFbZDJWXDrVLmEM5yViQNR8/EpD67T9+8wBRcE
+Bxwa6zeezh3Y9p4GOqK5JLwx8LDrr/mPfgOpLlq8l+yJHSHVz5ZoJLwY8TE4+K+I
+7WqtNcuEnDqSHrOocihIwFycY5Rp9Ta+PkjQPssymMfAIQhaBx45SZGwTybp4GB7
+j2oQ11dUYQtCBV+8eB8UQQoo5EocZfuSEvFU9kvdmFCt4Q8tebveGm+MHu4FQEox
+pplg4ei2F891R38ldG3VlDbjMJJ2oaknvHWsglZZWj0QztCrTC2+7eDq28s9/zKg
+4FxDsG+LcFhg4qkABkQZp3s33vWkxWN5Vgm8tvXn3mcibBt07jZhRPjBXSjHJRO3
+HYxJGvWm2++Jc1CuQKjvhDR0IzTD+XBHYg4ajmYcpIsGXGQGNOHTWfoi/0AJYYCq
+nAm+1kqUHsub2DNccUzZY88n3LSelEMZLYiO1S+yGtbte2LCO0zmIQF4JOyWFkfO
+mAEO/Q9QYdTL344e3H0uVQARAQABiQREBBgBCgAPBQJTOyaaAhsuBQkSzAMAAikJ
+EAn+RHNOt5kOwV0gBBkBCgAGBQJTOyaaAAoJEEX17r2BPa6OgjMP/1lduIq+zHYM
+EWBfdBeOsxZPVc9zt2/XHghbblvsJarQ4blasMiAkJu5R+nnu2DsL5gUvPmOekrk
+e3y6/Ioe2SBtLS0i41pKsObpfmoLF5GG3JAoqOgpKcr4WPgZ5Kj+FZDeMnQIIPFA
+0XXcDrpiD/IPbtqlrTV/0YtoRQiISNtcvpeAudADAJwROTEcFY+WbVdPs/U4SMui
+ixZFZSLvbatrHnm71Hi5zLeZPtjcMMhuGcnl8GBSD/jFz0XaJfImqtiZHnH1nPjk
+KcXV7afBZJRJ0dCVyM9uJZmsIqE4OCXDcyTTCZY/V+A0mDxNcfHZl200grdIAmhU
+Z74McRpPAvyj0fLdmt3XJ74NaF4rooRibOf/5kwWNoSSThKbpxfdmFrzfPvBS1P6
+MtGKfJ/bCq7BUZ1wnDwxSQ2G/X1U9sW2b5XOJX59uI6KZy4qyrp4XWNSJdKiw4qH
+qy1z/6H4nk/TQLQ5LL4q7vD0FndpN7eK6DIZYoekC1AC3iXTsKFTIqh09uhpIxeI
+j5c/lyjQpm3sWCEoLsGfW20kOPvQiBuo266IPCFoeEZgHHD3RGmB1c7f7Bu2DsHY
+5SYGYvNMlU1Yju+ozMi9onLRkLBKE1IJhPUVmTST8Cw6LF7kZuGGLujwMKgBkLWc
+z7EdivTjrXc2U+znZupWTxzlM76i02APtQ0QAJB3IZr6yWl0cwtWt25tq0FUlqsf
+dZ3S9QfcFrkiv02NISmKKNGhB59sfXBJRXT8C1BjYvA7OG58UYrnE2s5U+g9Nspc
+3V9TAKS2xoQYOu/ZGmv9OJi6o6wATbpR58rvK8ppv2cRVsE+rohBGXylISqbFsoP
+3MFukjr7ZYsxb4+ck9bPl/aDc/F20Wl95V6rSjbb4vqx0YcfxC5Cr/qh3t9IHW28
+fHM9ey7Dsy9QtGgaeqHZ/ffoPMyiEFt+zauIj4iTrru44XhGss1F8NVFvk+INxMC
+4cZoO0mNSkGWsb1Y1mXCOj2TdaFRYU+FrhkqJEga9OH4LjAmYl5HnW7jU6VCMQXg
+wlOBmIZZlKdMpu/3jYW9dCkrPkOC3o1oYNzERc6PmiE/xVaUtl6XwfydyiWM0RxP
+bL5JTcLyjerTHO/qNOVlH+mLXkTGRniZ/tVB0+QvBSvCnXQcxG3ynEIGNOe8QHAx
+UvKrV+jnPdzO/cuJZbxEFi1MFn+wW/bFFxqt91V4ZjmvtkpGGWQmPovzH3peKTsP
+lv0blKIgSLpdfdk4hqJXiYN8NpUW4gic92tTQGDWOoFZBkOqMS99EdggNCl3cCHF
+u/nonTa2Xqzb2AxPl1hEUTs6FonQIKmGwfrqpw+9YiazJDc51UnsBTd+4VEVUiBD
+CiiFOkooIgZMny7WmQINBFZypZgBEADeIdm42LaylSWw5CosOAte2m6S9DgAGEBr
+g/yHSFTZWz341EZrlq1fghIC9nHh09wVlJNOOo3orB9tYoJ3LArB0MQb7Ha7dcnf
+n98O1od0T4QTlEroEeJaOfuElLD+5b9HVYqhdRtMIFiUTfSTbEXbQcvZhaLf3M8a
+I1G+poPRYNVRx30pX9PM5N8DDmW8Q/xYg3T1uHuYUmd6HlzBiESNE2WWcJoxoKuQ
+R2Lk4Wkt+qYnxdHH0vYIsk9mN0yDySpPEv+kzrAU/UuZ9Ve0GhlLsVLL3yHFUjLQ
+Ox1gV/ofrV/v0vcWM3+rRovU1cFPUUv75mzA/TJ8aseAbboAY84RyF0b4jQLOmiT
+HWdDMSZwDVR05r82JqynI0GGfXRgztNpnnebiYk5QLAqvUzzdfRMyrU0SSl6VDCX
+UQAEz3CyODwJ8GGk6PaTQ9/9vmt3OY4leEEf3SrSwH+l4E8Z59gCvAUx/ao1pIac
+PdCd/kdx1mPVcwxTjiPDMp8sIeBSdLt9Lo8jt5m/92nKoH9SnE6L4snJVvB21mfw
+RxRj1cWmeZ1+BAC7+5WfcJRM6xhr7XXeEmZO+QQYjLzKS1t+zIsv1modQMl/f2ci
+Si1RTO82mIEaCfRBXVEpewsRV+nikjsAJ9FOV+kr4NAUIg6zg9QRiHtTulm3P/c7
+iRKFnbdehQARAQABtB1FdmFuIEx1Y2FzIDxldmFubHVjYXNAbWUuY29tPokBHAQQ
+AQIABgUCVu4HGAAKCRDCc3kvfYNUXfVmB/9pxeCKnQlj56TKRyKwp1vg1UyWnse+
+OF546ILttRf7/6GE5BfmOQZ6S6SnvEr3l7+2QGlV3mPEydKpxwpn4hCWgjwosDNJ
+tBxbNLwypMkAGNxkb554Fuj7jU9qg90oX/EqEQpj2nrM1/pjsaDHOF1wH7M7k2fX
+sWMCjoC7o6EzS9OzuNlyAlb50t9eUB1ZoaqS3LHaMwoGb/Ou1emZbd2k5Z5zzp+j
+cZXHlxPCJ2OCLOtlrnQMW6QrAMF1Me5c3hOy34GhlzkIWJUv7dQk+GGM7/YRIDmY
+sSSpyllMU/oSGN8uAwVxfqWi9RAoNqHP68uRKhAJDtsARh1wS91kg65RiQEcBBAB
+CAAGBQJXyhfIAAoJEImmV2CeyUCYHYoIAImOHk6YWRJYvC1mq1qnctJuhXoZOt3j
+aeF9gIzc9qyPAxf0tChn1g4pmhmBbgZmoIjxHuB1BqgcV1Y2P/1tW8mHJdJNbhy/
+ndQl36EgMYzVEt2mbuj01BE/eW12h10KYC1Ul3rXLrhUy/Ig5KUT5aGIrDawx3kx
+xDXafsjS7R9hBhwz6M3LujgBvvsyGgN2Crh/h/hERYZ5ckXNlixbjez2cB2DZQFB
+vE4eKqBGRAj/Ij2JQljHKt/FczBBhXDCVTW7SSeGi9wPlpgj6w6NsTSiKRCi85s3
+BtVAH7zIy0YxxmECUEeqRQ91gQTcg9YqFdhIJY9/ze7xMQKTRWqR2JeJAhwEEAEC
+AAYFAli+6tAACgkQlVGgsabil87JwQ/+JT/RooAGS4d5Bg3TyZQOSfw3v4iHyV+V
+P1U2lyf4s9/xUiAMw1d6JH1Evu2K5EcS9biC7JcnRNWOGlnxTzShBm9dP+itpeLx
+hAEoWjRBYATgWn48PpiUIejWzlkp8ulNR8s3cf7Pj9osXHx4ml8I+bOfESKffilB
+a05iaJusPraZvdxkGzI3oPmFY0wMKWq0YPWDosik499ceBZvLku8a49GFPDB0yoe
+0QJnYpx7J+Gp84tXO9YiOB2hAZUiLBlEJ7DAxxiFCrzWxhKNVuh5kz9/aJnL2slY
+AuifQ3fwIBJvV0fgzwuAgQf0nX14zhlRXnKS04nKfJVcDaZ8FsMliYndvNBImQFY
+Xey7HNEZyutEnS1p1BZJRDEc/vp9jBfKyQNU8EO6WZ5gy36CRf1cd8zf3QB/7FlR
+WlDxvqrrfrjSwEm/cyA8IEoBbAhUssMMloV1pxtb9mGZZk/QXt6eZTcNTBVZjNQY
+VNwnuKPfNfgX3JQ92pwqg+pb23BPi4NRxXBAzupLpcwG1lTC5cG4PLdJtut1LJSu
+p+0Fbm0/AesHCXDSpHz/vgmlcAX8feaEzq3TDsj0ZOD/Fn9EN9127WebR41XYQk+
+Xj4V70VWy6esS5ECLioir9rIba0KhJlGBKh+AFnMM1nKiv7mzjNfssOuwKC7kSka
+VY9/qqUvFiJAiIEEwEIAAwFAlcNTBIFgweGH4AACgkQ5zvGQcwR9MitRRAAyWkY
+hvT5ctDMhxj6KgQVn2Vf+j5d49Zqu5e0piNMDtjoeudTeFFDhEHZPiP04vRre3+d
+rPdgUbm7UpFOSh82cIODf/1NhLiSjKL4BKS7UF+boD9vcRbnb9VDzsMnaxyfZ68n
+0lAm1hu2GD/At+bfOKFbdvTkDlk6byikMEKAeLROC1+07aQbtscnpJTDqEyi39gN
+65SXheghpmDZUrjt3LGlSgeEPncKhL6Dqb5CitEnX02Bs9LG/f9yk4PaiqSkkGsP
+3AXLrCRAEloq3+8JhlZI643uz2SYsQPv4PTrCuYhPua3+/nL5ONxJ04vhDwckVb/
+hupEdg0hpbWmen0149YcdkGdqnNrL8W2lDFETO1zN0vKO09L0wJ8aSshts6/sU1g
+vqDjogPhyL99XMdeaZn1b2czq3J6jTRaKV4fSub54Msm9UbggHhxZrO2LByTPzEk
+bCbK4tAwpQm/sZa0/V3ORHGZd1KuwtAn3fkQwNDsrFZl8YdgZk/TAgGR7Iq6DkYp
+UG5mtFjOrjRNEmgXDFESJsMmOMlhL/uZJfE0g5qlRkOFfqci5sc9ovy5F2OmrtSG
+g7ZTFsG8eF9Cdlem+6iwLVeccHHOjCPRiVfJEIe3VrhZVpMV/MUWjnc3ikzrw+T9
+ryio7Y3Zv7VTM9D75nHDD9CBtBjWw9EParmqWS6JAj0EEwEKACcFAlZypZgCGwMF
+CQeGH4AFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQtjtTWkwgbKmCbg//VXdM
+k2GkmI9QVg7rAfBqMIVbIj4hxTvm+yz3DTutJjzlPHpiQsiA0ezGU8xrohz2s8Ve
+M2ICtSBGdWtuDOPN4vudwarno+56nIdwBlZSgPaJDxTU7CTrdEJG7j0xs7VPvmUn
+4lJzaWO4TANH+a2VaB4NQSDkr/Y87fxI+Dz0SqIjAe39MEnkJGMl6I6tYpXGQ2CL
+pPYpencQ/Ji4HOR6CXAiyIbgVIag5RDB/9cjg6qKJwyTFEoSajmRPtV6esyesAXj
+AviBhnn6fFMiL7prU/PZdia0uY/ugyz0QuyCqKPWXHSsHV/3q1+L33ntrqKwy/7u
+uKDdaLWBHmXc+e9a6vmIqU5cqgPuJL5s8ZelbM9IW1TrJLbSzk640JGfsLuuHeFa
+XM6Jnr7KmXBE6yMMvtJZ4JDsbEHYdPOZDv14If2m0Yw5Fne28VpHTGr5n2NKHmh4
+tfzVlogWZ/DzNxBYTSDVYAoy3X8A/oByeEhWQl1plXMSHpaPZGdGcIeui1Yg4RwH
+xNnv6a/rUN+4VuUo9y4GFJUypBS+IkpXIm+hCi+wTZpkbZgw6XZ+kJOQmV490yKo
+xp6cFMoHDcZrNb79mbR6q9nT5p1SU/JM60IUB2hN8ky8nk468D5xQN9OATmhJpHQ
+mwFVfUJOlHxlex39qydECOk86S6LVTdkHJWButiJAkAEEwEKACoCGwMFCQeGH4AF
+CwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlZyph4CGQEACgkQtjtTWkwgbKnJPRAA
+qjncEbZ3/19r6nbDsYrD48b7X2+IxQtY9Pa7FnF5jqFURcaYa4l+2PhGtfqcAEnj
+B0elD9YC6WyEjFSqAcQ6dJ/derE8R+Sj3quaPcXInkQKDbm88UHRAK8ApHeeOS7+
+CtUpWEzVlGcRAhwpBxHKVANyQTmM3db5CU0u9waMdNszqw19hU19DWn9qXbjRxbE
+Nm+6dVo91yBDdGA7x0plginapUEX8WC/u6mpHdde9CC6pj2aYyLVPoy5C+3e1lzY
+CPBI/99DgcoDZ7XYFGYngeNDoM7r8nttJQh4wExdtm2w+4MnNXrQCGQoLQhYiwqK
+ayUztMApMt8HrI0UxJ8+Z/FZc/11i5ZQhDrum94liVSoB1FD+wD9xFCE0+eLAbgx
+JxxO/Ns4W2mBo3DyUAloNISkxHR580GotAmoEhJcK5vns9pCvztUekA3aPT/8ca6
+YZej6Ce5x44L4FfJLqB/zpZTdxOEmeEzhFNGvdPUASpqIpMkk7ZS/7q+ePuL+6S5
+yhaE9tSQ+UqPiVHoeolyRwyHdsns+AoGRoekrbEmbGwyencabrfkkzMqAzmblrjo
+wR8d2Yt7UjJDsz2khn71Y90j6IJ7hneLT1PaxggfX7TFv9fc7OE8/BtI+/JaJj18
+oFIiimequgSNJ/aTeOQ59pdVBhfUTfhWXQDZAsMNdkC0IUV2YW4gTHVjYXMgPGV2
+YW5sdWNhc0BrZXliYXNlLmlvPokBHAQQAQIABgUCVu4HGAAKCRDCc3kvfYNUXeF0
+CACDdJ1DfgFZGy0j6krl7GF78r6RKjixOOZHBVaVKl+K3sWqbFQxCfVGWJDaxRBO
+ACngV8pPdp7Kj3vbWE3lENaaPushB2++8PdkHSAvJohwRLNbhuRmDck/dUy/nw3r
+9lFKp2eRr4fkHRdnWelsfxqD5Eye7Id9bOaeIF7XfIcKbK9HRmfs2ZJVWX6tQGVK
+LcC6mYk2iIRTnzKBGJ1Jf9fGj+JnBhH31ct4SpNHTq0+85Bo7biG9l6jIrbl14V9
+cfIV0ZHGnIrKC4E7r/l0cYX4UPgl92A6J6DqtGi8AWXodtPnQTdZm6kq7zMCX7iN
+qkednlohGP5JhwKFvlzhn+OZiQEcBBABCAAGBQJXyhfOAAoJEImmV2CeyUCYd3QH
+/AtbL+UtD9Tqcay9nHTeM1aXP/edzjjui2+5nE8+fIWxrFRL4X7Qs9Xps0KQnrY3
+n0b7OMxk2cJgI6Bl5gVu83Oz7Pljpp1+W22BXS5a0pU1VNjjsXqW08ICRDnqBzIH
+hsoPsUcLPD5v1+cW9O/SO3ucg28sonE7fuVraLc5T3hgxe3AQFYOBsGwypNjO1VV
+fWl+PTuyZlHW5+IH1Hv0omIaauEnr81ONu3KGf+ckQW3Qt6D/Nu/DeplA/NANhT6
+tlRybWNxFDn3pLfMM0Xn/EoNZAnyd8GArE9j6aRAvVN7pWqr5AbSlhC9Um3/64nc
+gTomS+iy4H06o7qODEXlBT2JAhwEEAECAAYFAli+6tAACgkQlVGgsabil87mdQ/+
+NPKWzfFwdQVHmQVcm1jFvnQA5VNLGs0pYXwhNYXF0V78FODZi1N7P5Eag4+VvBzE
+tMuBfYUwq6ZLxsqlyGXMaHsPdtdJ2S5UBByP7UQzJmEjraUUgpaO210mekrCGSUl
+I3quCEiC0+ytaM9bvBh2EeNfupSIknXZ/0aTs+jYMTmttNU9QuFdgEVR21Vx9WC3
+0qLdiDnuBBENddGCfDWXGw+n7JulWNQhsxxqbsynRQV4rK9fCGfgLIIf5Mb0VI9p
+hDlKqNtVRQt1S6npE5SU7Ilqgj5SGE6j9ClCh3FOGxxqGhpF6fwk4tl67wmdC7/
+JR7zPAb+JtTY/ayRl0QsuqvOMFuAUEG+LE23IhLGpD8VwWdx9hYFn60C2Q/bC2WU
+pdS/ZWhkCuA1Gdi+DvLMmSIv5V+o0N2bM7Wv6JwrXIbjg//+aYN1hlTvlj2rOmp+
+5iICTLkVUvFgnJeVhES4sVchUnOpLQkTn4JsMGpqX1++UDsUb1cdLW3Br6E1jFm+
+EO8yOJJ7Xu10qvVOdhk+H1AhWFTKngsPxp+M92NPFp+ZtkXkZJX+pLzW1YYHL2OJ
+JJYxjvo0RhGNuZAzsNGOo6MP0guy0SCf9Z8vLyQxz7GcUlJb0I9xe5oclcw8KiGp
+zq5iziLImz8PBQ72FvYTft5GVm6NcEZ9c7o2KudBzkeJAiIEEwEIAAwFAlcNTBIF
+gweGH4AACgkQ5zvGQcwR9MiKAxAAlcAV4pEvw0Sj2fBJLEVblqwE+ACLR/reTP+e
+sFOCv08zr1EDNPKM3PVqP4jZrPhANa02GmzZEdslgn/PasCmgqxmnHCquyf2gkkT
+uPPgdbweYQ6wiR9PWvedNMQhgHySYSO7n4Rxd83isfoUAiwe66FH7r8+T4Z6pOS6
+XJocE88eIvh3zghBcaeg70ME0goq6TDhrpGfKhExvMXotyx3iOiqx/vUbmDTvp0g
+kQtWcBfX07cyGzgIR0NSqeKFK7F6USUc257uKRCGiaXMwIwFyN7eb+KsdA7+emNG
+ChwdIQHOjfEiq7c8LyUGY5Z1ZMMbi2F0WuWQlhpBmKCK29HXCOffkH/NIyMf8VAb
+bi56b73y2kwH5KKFb48XpIxMcV0abPCJCsbcgAUmDytTHbLBuPM8VbHWP5uIhto8
+Ff68zb75iv6F2nYHDZUJ1EGLWb8tZWacoxd/+Wx9TEAc0S/o25gOG4c1ZwF94b8M
+2jsOT2Df1JMcrrQsoIf+mN9wLS1kGbj6tyfKF+k1oWpDmaBQEVgF2vrxMJ/w7wPO
+JuHV5CRDRxQPZNbCwo6B8PXyY8oL6vLg0bDP7OLSZL9rF3u7wGShezgz42yCWeii
+ErOwBKprp+9zxA2Oahrimgi7Cl9Lhvm4Mti0zHKAXV6O/EIpZX63QAqjJkiNj1FM
+uYWsBNuJAj0EEwEKACcFAlZyphUCGwMFCQeGH4AFCwkIBwMFFQoJCAsFFgIDAQAC
+HgECF4AACgkQtjtTWkwgbKkB0g/9GcjCZXIIdEMWfqImVGQif5UN+fo2JWWiu7ZU
+URomUadJm5dpiT74u9AtvbVIkIk9TUJT88OYA4FJUparbEKiD1ZUN1Rks3fiCCoY
+ElZAUxgWaVMWtiYMetI7sU/GLj9SX/xSa88g5X6CQswkunj7hoReHZ0PWU69Y9fa
+1XFpR4ynby2kvoXVEcQdTMXuG/4STWhN9Y8gMiXrlbyne9VQ4b5UmLeIVLL9Xf9H
+/Fsj7rHiqstA+IGXFBDyddpdqpHPsLNjTG5GH1ertcbm2mJUeC8uvp+tkUFCIKfH
+ZQsMukULwX7mYRlBSmlrr27Q78RtJ/alV0jopeoU2dA24d8/655fBCQBk6NA0gfU
+eLgIcmEbiIfVMD0UuOCC/86uIyZ6JjPdo6FT28NcS928yplJWIbTcsHMRLPYsZ9E
+GO7JTs+MUwp5E3wGLJescTzBdWnSfhnqWF8JUCjVxUaJ5Tlr6FKcL1dZDXZSV+QT
+AT/tzYUNAGnDZQK6LvQ9BNi6ZY7Z0/Trv4cfuiMLJSL3i0ZBbMks5vP5/bLRMhZh
+gaDIGJ7ZdpiuQ7vWuX+/LGBdBXzMy9aSpI6m6DNb91bJE9AYTppLjrY2AiRZ526O
+uXRVmoAba9+4RuIJZf5I4RYD31FmAa8haMiQqx4ESyVC9EIsw46L0r8fQGp4yOct
+/ke7vgG5Ag0EVnKlmAEQALpPU/Kd58YIaCOGMh59cGBLH13dflRycXj4m4wbru0R
+q7VtcEC5y9sP8VkA5ziwJfUr/If4Ky+9NqbcKJXwiQkYGAiPhWRaU1uL/NC+DDX5
+vM5hFW2HnvGHnxIdQ0cimXtxwUsw6GYKNR8BqTrEL89V/Re0rXfZmP64RPwST320
+Jl+nFpm5GZGRy0h1KeXfkCOZXhZv6XhGztJV/EfwmwOm7w8gXyuwZTUk1NVy6MZq
+JPcYHm8mPM7ZCesLazc8TZMOCf2MMKz+L9Tg2BysDgEmHxB0fggi6X9TyUZ5Bxkl
+vn+K7zKAGqP5nKWku0eiULrVesUm1NvZfaYgs7A6qvIcu6LO5KRk6lMbbWGB1DgW
+eymcXrIW85e4cPVFY2BTuN6wBJgEbGkdHL+jDPB69LGq9zGe/f0/hHUEyaD1HqHH
+qd9ArrSLAibVcHVTpcVuX2akiCuJ+jit5uwZqJeDUNGFuU57uogKq84zPsN2QUKk
+LM1JsGf/ctmcOU/h/K7v/7LrRJTnmUvCnk+YLa4mSUH0tgdEq9QsrcrHlWRd+1jH
+LsOS0clOkmlT8zV2tAUNghKSJBQ4cqExid2vh/A0CBITW5DvKbd9QXgRfcWi7CHV
+bXwYvrY+RxXaLlWQT4F6/Tt0Gie6ee3OkdGpm6Wyn03Q+L/efqzu0zHyhHz2h7x7
+ABEBAAGJAiUEGAEKAA8FAlZypZgCGwwFCQeGH4AACgkQtjtTWkwgbKmagA//YZXg
+hn9XaW39IRjnhDnViFFpAcZP75y96aR8IhAsn6dY5IMUllRpmLA0XuwLdTRytcwn
+zsCKzkvETkQgWqqMqf9xtNlfhr0l3u42ihlC8bNPzbnOv3wwfwaj09l2h1xLDC0t
+/oL+A9rZVgjpfvCl18FLVFpQH1Jb49fRH+tBHq5ZXJSdPXvGT228fMXJq7EECbRR
+Z33oLcjjO8e6Osfch/tCiX59YEMxlnuUyMh35/cjH57Lf2WxpJVleJE/YabKOk+K
+Una0417UGP3ox8R6/SjCXdTPksmuFPL33NB19Q1UuBeW6+yUr9bOmk2Y5df67dfD
+hzendAv2q3JdrL22/auyLX0dQuk8TkWRm6WxxsOttQgRzIBzUJOrRLTAm9W+c821
+QiI6SIsY2VMhmlWnp7e+LXrkGbgrHsrDEQvK4TTukkm/o9seN9sPhRMYY8HEZrf3
+L+HvaeHSG/vcS/gcMNEDCBCEAuEewvV5fJzqQwzEteE1Hdb8B0GrYEMgPWqPiDXk
+WoGdWZw4snv0ABuzND7ZKHTw+Y8bDTwPSIAayq86yZZb7j5LbToQh8qXjd4t388w
+TWi34UA56lP0JeRDFoCz5kfusqaXHyaajC6PBfQJvWOmRq0eElkCypjwpSNJeoV9
+WM8eCXEvI//zLCCL8wGXBKdNO1sfIqaoPK2zU8+ZAg0EVpWOlAEQAO39kLgWyyQ8
+2QCAurbjQr4KM8nOr/Ry4TIAEl4BV5hYkVQlFxvM0cFXOvzm9bSkQolQbJPJXEZX
+U/1XOSpovlFGK6lWLALmV/jw/vx8IyARrbPgsi2eUiJacnVSUN5O8tzUOIsLFaCx
+hNFGP7HvT+wvoSYfuVoTUL/lGWeQae7EzhWCu5xPVQwexkkT+R58973k2HMm276K
+L+/fjlmoeGwY/J94lhXYKJLaJMirG/K+uWJ2tXCGqKt3UIou6/T778VjnQ7xOrjF
+vsrP20hA4O0JIGx7HbiwHZrAe3dF0LCZbt30XpkGZbJwqWUW25eM1/RsM0Ikty1U
+DLBQrbyXCOtDDzrLdU72S2ZUINKxIEl3RNuEPthSe+RqdMnNaEX68KhDBqsK4Phl
+1pYG+UtMgW/ReMntUDb5GXBG5i9M3Y+UhHMu/Gvj4mIiKi6cacEflbIBXF27p6da
+x0goIia6ObQlSq9Jcsm1j+ZTktQjJoZ73AGc4PFF5K2808JZp6GALzc0cyQ7u34C
+f3MO6aYNkXebPBRlE7w1c8CjCbD5f5i37juNQ4C6UddquOJG6ibQidbfr0kn1lSZ
+3Wb2kKahD5X9g9pDnrLmuIjPhbgcmoBqqSyHi87QkzIivdUmMEPFVHpAD1QwdXY9
+NVQAUD29hO6/3FNdXfIckV7BfjjYfrtbABEBAAG0IU15bGVzIEJvcmlucyA8bWJv
+cmluc0Bnb29nbGUuY29tPokCHAQQAQIABgUCWL7qvwAKCRCVUaCxpuKXztn0D/9k
+JpQL0eqVj7xr3vPFsBRugEuQB/sbhjVK+E9ZOq+Ssvs9QRSkJAiQrLVVDQZEIx7z
+56U67lAOIRyxNeT9eL+9MTNaWop8F9bFyAoD7s/eH6LGA+h5BLK5DfAORJbUwzBm
+fqleTgIToU7ckr/83wOyH14KItOz2JGvuo5P209pFNYZ114TCJgtg8aVZRZQCx9y
+fOI4kXHy+wHmiPHv2/shnDEISUlfgrmWJgg4fkauQbgD6G9U9Kf0rpJodidWG/dy
+TX+j5KsTKmV5XiY/5+0dkN+hjx98QZE6RAmtq58aerirYAntZYMrkknM+1bgJnEG
+yKUredZbSIVaYgc9tAUk793aCCD7Ew9JVLl1prP8a1HA+ZeRbzSw6lGmuK+YKSyt
+/01Tz6i05Bi7wdDVjiU70r8gR5ZnP/OduOSmvMoFXCq91YzePt+bJioPPIIPX6Z/
+1dTpOvBK8AlJwp79Vb/+iyuxATKk6RwRSETSDRcqA8p3yoRSMv+2/OtlyIFU5GxQ
+VimdJVHMnwnxJ0OgrqNq+Bsk70qWeqDyJKBBRDm5HkyW59XIZ9B0QEdnFTGsNS89
+hfCGyUuNJt7U+uL2cQdf5UWX4FAo8B6UIiqzul2dw8umXCHA+DxuolEoK8JsvSb1
+UKnt5qtKUtckbRzkffcQyKNClwqNuZOqahLLjZKvJIkCOQQTAQgAIwUCWJCxOAIb
+AwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEOc7xkHMEfTImAMQAJvksYVm
+iDOXoqK6eTTDiGM2DsK57v8z5UajvYhw+Dnc//fobtC13uQxGlMiLYIIWmvmMuFv
+rnl+8xiytCOmosNeuoSUcD5CC/vUObwJM7QJlvx6y00onjsdLuHAyM57dmZgFWuj
+aI//iyXkkRTCEs7X2JrgkJzE7zCn9P1qLqZ6sGuHfDKSbQs75UV9wOE33cr5O4/r
+rE1QvJtHE8kjuqLcDoRPM9to/2j3IelTQHtwKRgNevpzxLpfrdp5O2g06+VETEOB
+vriPuaSo88254NWBNEslGjABPrdnLEzRS2UNjAC3A7LKzptsb56znkGj2/I1ZNPc
+a0cmUvxao95/roP7JD6w11Oa+V3iYSV+EGYRq9UD+T5nfQPK76/PW9T/GjcFUPON
+kr2ItrEZ5vURhz1ChHUkkP9FIfDzZthwsVV8aR3ktM9YzAT6tNhanBWzMDQc/MMm
+4Zo4Idh8U1lf/rLrEIDR0RzH8d4uW8T/K0GF7XA6JUO5bFk6+E6MwV3pUtMn/pcm
+jJoNuWOJsE8LoGjkaTjIID+DA4tbmVVhegPQjiRayVkIflAFjO1bczoyxU/6J3QN
+ePLiLqp3SJSePCa9dCnm7rtRCZ3GwQOKbKMLjBcpCtQAiaMXrxCtE4580JsCZDif
+PqQRMqA+pGQgchifOfRdtxYoCJudmNyfiMkutCFNeWxlcyBCb3JpbnMgPG1ib3Jp
+bnNAdXMuaWJtLmNvbT6JARwEEAECAAYFAlbuBzsACgkQwnN5L32DVF2YRgf/Y45C
+QErahooYrXghHqN0q3Tt7iGuJr/GyLCEcQFkEeUj8G25Q6PdnAWSb5/qm1De7LY8
+UcOFDo/seVj5ANNxrVnWXXLlpEZwrtN2CWDVbWEUHxxpDESH+0FrAN1F589bT8DI
+L7Vq5z2dh+ulXnymqiGSwQkFzMlZYbrS05/O5+Ljpxv1ZYKQ3N1ulJJi+Z68GTpr
+rtkMEns4S+la0cj9Aw/S/94uGvXA82k5mvhKbsqz1nFvnde8QhPyVDTwMCJ0f++J
+n1KzPNXnHjzMes+fBuCNVV97jOoPZZF1TMJvJeAOgRqQkxNAEzb7E4W41WMsPRMB
+SsoyDiFkFXeoHbp3SYkCHAQQAQgABgUCV+ReKgAKCRAUXU4NeXB5mqlZD/sGvm6o
+pVbHlshEu3hmsEzBzWgaa94VFJ21mO5h7joDX+lSM6ozTKjCovklLGybGUj9caUw
+3DuZx472HBsATcJH70koSNJcrD5ePzK35YLtkuZq0rWr/o1GxelEzoeJgjmsZqEj
+6vGVkyZc6+NW5dBhMcKkITHMrFprq5R9do6v7dYlNbnBySMT1FOTTay1yhoHw3Az
+/afTE6DsH0s9MUJExmok1hSn5cpcWQjnY1GeL17UikO7BGaHQD9n3/4+KOX/Ga40
+dLUUtBL4sL6l31HlyTbcPO1AQPvHzUdvsBIbZKk7MilzBPz13GLcoMQEQb/UMIqB
+dc5M18oHMzckVbOoAMjKujPgP68m7+wYnaj7Xl9uYtfTgj9RtzVsh7JRoWxmPPx1
+Rx6VaHO50QkALtrgr0BXuFqjzkVqmb4nEi1OaI4Mv1grBXkoYl48P98MMVNfmtJk
+LE45NrHEsZAqOaU4eTeOmcedivTFilku6lKKdkBwLuLr+UHeVDEFCLKPY5jVdEbr
+vYnfitDFsY+x/QUKkaLrqEEFgeHCAMUp7mtDXhGgE8j3UY+U6ftrtOgbt3SUF5nB
+nFD6aPplWZW8FDlGecVjxuG3NHPCyg92GMa5pIBlnlDnZuS0u4Mc1CpzFgcrg2u4
+8kQnpHGHJ7Xo2R7F6r0CLUGayK5lAtxhX43W64kCHAQQAQgABgUCV+VoygAKCRDU
+L1Awh3AmJ1dYD/wNSDzkUZpH+5rubJROIdVnR8DNDQkqVZln/ZVWXc8bghK3OlR1
+35NmjiFrtvEEudHMxkLdoJBFuDBNR1yf4Y0nJU25El/WehqYzQe/rMNPyJ/uPOmT
+P1AQrNUBc1x4nrMJbZq/1yiTst8mJu7ZRnEvM0F1JOy+rDwySNM8918aOuX+ZqNf
+vL4oAALkLvLL0x0pj5gdgVu666X29z+wZJ3b4sJKZAuZfYWS9WS+Y7AELu5oiH97
+DJo04vgyqcJOpcrNp17B+3yoAxjTHv0jW3xPg3MLfHRx2ZSfnSV7QNc0DWj0KU1i
+MaQYRM593BFOXLwJrEw3xiCONnArgrUC7L7DsaveJtuVN8BLKZDT709Bi6p4DpQn
+IvsSztiAPapgg+e7Lt/V1f6kWcXub5ga5wTMubZYAlkk61vh5nPAwQymcKyAIMEp
+4Q7vrQhqv8/COYRnYhwIrvdPRay4lgLQ0OJz0A3X1RtRlaH7ODOapsrZn0LT5Syc
+MDIk76fnhg857jxhfnpWjc3Xp0JB/twaBdvUWWDjpIb5t3d4l4nO5DkXNKfSQEmw
+PWKUetQlMjEzPD7B1nPZrmbZNK0RXe21ZfVjHvXXvXiHXp+HT3RxAMNCH4mVX3LR
+SQzz8OOEieLFO50vNc4mxDN+AknM0Q7aC1FiEcJtEXdiFkPbtL460R62R4kCHAQQ
+AQgABgUCV/Ok/gAKCRCYZCyGIK9H1tkUD/0TnHwIF8sGbrPQWvKNrNSpuTEx8i5P
+w/To8yyrI+59abcJSHWh8uYJ/bm7Z9HQsguKF7Fdi2pwWxsjC4ND80x+a9f0DGS6
+AoIJDtYXdVInsbaAkBqLp7JMWI0gmCgnTdHRPSmJXM/l0BX0zFAGQbWGC7XBYc8M
+cBpjiVMJXyDqYFm9QEBLW9zShB3Pb8y0lEiAPmsCfsnwiOIAFJw7eBtimdYo/e9O
+5VAxFFImZ5Yk14nvyUdL80e4RX7O+lZ9JJq0wIz98fmR1aaPcKTQirTuJRLft43g
+nFdxeH43REzkqyj+9PB99ewjF16+0RGNWm+vpk5TyM80UGj7Ok/pzkxr82qzQwJi
+XDl5XmvgTAuagVeglKqh4onQHtvXTh9sVKg4zJqm/+eesjh0YrNn5qWOWOjtyfCX
+3/WlcKBbvZ1X7S0l4mkG7iKAfOB+sgs66Nq2a+sf1EUou4iz40wLfxpz1fB3SLgN
+oQQxkB4k7PDntjM6y8FiXRUvELKF46QJ8OIbEjsdDOpY8fA2M1Mwd8WgpcJpFxDj
+DYUPW8e6m1KvIwwpkcpYSSVna7KzBGtTCy+3+R/RB6c7MpJgl+sSIt3yL+S22M36
+LSW5Yh+gtm7BZS22bEB2NL0kQEDY1S+j4y6qDQmTxR/X904ofsQLj9gJ0gxsQ3w4
+cXwFJWEnG2vmZYkCHwQwAQgACQUCWJCxHgIdAAAKCRDnO8ZBzBH0yCq/EADbu9TZ
+i8AlVAgk9D1uxMuLGYrSheOlX/NJKVQmyMBLzp4oLNiSSmScUlzXQjRxHOf12pF4
+GLrvQZo2VxxoGt+WQlL64n/IT+imVM8qesHuKODtPlHRiltFtK8J+w/WnMXyAq6Y
+4WyOYly4ilTPAtkKPW4x12fItB2xB/JEKRW8oeWFe4KXJaq1hImOuSSAObfkkC9+
+9wdF39Lu6U8KECOEvCfgaQ2yxCvT6b1tDQjUP8/O3CCFz0/66QJFSNq+/Gmzvkpx
+cxpHflqS7vVZuR4lLAhlg9pSH2QEganBDcg4Pm5cZhJiOcAYfjxDtZrXmAYfbF5B
+oZZICVmv2K7eXzVdvTv7mkTjynaUehv0W7OTWWsdUHI1qiAtbK/IXfzd6fcNqtyA
+CtWIxtWocHrdkZdMS+9Hd/0FGV3aPn3ApyYDsdOmhFgSUF/bmpY0jcW88b0QJtz2
+CXl5IIrmqTfmgWWA7NmLj/F0zw3TU5M/NKBtL/wDVHEzfiFEj2uNXFrI5waxbtjk
+iwvGLsAb3TIDVBdBhKQWPflHy/kvxaRrQX5Z5HhNJKtFFbk9CfP7p/dFB0VN7FDH
+1ANbfLUOhdA5zgI2+zoLcIf54Yx5MD9NlSXMruo4x7+GkqdeDV4JxjeCpeCbjXGE
+ZJxwzBcMjR+Q9nJtwlU/FAKyDWgm8b6z5pB8G4kCIgQTAQoADAUCV9/YSAWDB4Yf
+gAAKCRCBhnRIn7wSfqyDD/48iOpq+Rm1+oHRdmz0iYdVsyt8E435PtlkW7l6NE0k
+1BgGnubLkNbDgbJBbdr3AgTAzotBqAQmAnRLdirlWeCYaTIM0Ng2lYRfWmlmHkcb
+1P/f4aBzVjsCz68IzYIrRlsSxg2Imm0klSNN8IGL9Xl7unBS8Gk+1o1/d8HY8y6x
+eWkpqcLJ4wVCwuCBbRlxOmp0n0Wk2cPi9KWzKWonb+KwYrfDLKzoxvlcs6B3PPSs
+FDyIIdLfwFAHlbJBACWVZHKCNZXG6GsqT/pW+xdcXAhG8a/Is1GCGHBURxtZeLbi
+qrcsrtIx0fEQjINKA0v00vPU7OoJF8BGrKntVqHzP6BHaqo4nZzgyOZqIBwH/YIU
+X3RJOQNAMKqK10ywYauL6YnOL1rr8DrYrXBHCCmBl6QsQPlmAhHgdPl9ZKiYDpLh
+VPSDW+4eXYm4i+IEUJ/GuNZhxjI1V7gjJ/bsKD64qAiGYjPBxfnqM5xNF0p7JiU7
+/D4FXUOllNFM8yx5vRzBwo7Q1l5yVlZ80fpcKk99QUrHBuBZ6Hd6tlNRCYiyARwe
+Ezzw0tybVpYDQ0Hhp47Mp1tMyuSo4eJwQDExDz9lFlO2uBnmC2OnUrRnpe2D2ZM7
+FJUFq+xFIVnPpDC186gDSN3w4h5+pAzokfy1xtGDFm7EUbwLlNwphNG/GE+AJw+R
+dIkCMQQTAQoAGwUCVpWOlAIbAwMLCQcDFQoIAh4BAheAAxYCAQAKCRDnO8ZBzBH0
+yHnBEACIuAutkvqNa3eWm3WjH50Mkxgvcp1ox9UT6YoUctnBvR7lbZJQIsrtBbV+
+DMwN/Z76surTP10Tj6QKDfVz4nL2zka+tlatWDDUujWuC/wSjqSJ4DZnAA9l6m+x
+8v3/s/HFB9f+iDRBGjOWXMfcdoePdyVFW0ZbPMceernITA9g5trNfeaXUI1YPVPE
+e7LDawNjB2OEUccOyUVeT3rbZoNJOk4mmlaPgYwG3u65HvlnRyTXn7bQrCBvD+P
+61/K4ZxViWVqQYwYFRXi9okhocckGynHxoa4bFnook4P8L8N3qYh/3B0s/XvHF8A
+gbTimbo7+kk655eYtG7kxziks+YGQKe0AlBqF0ztaLVjMswQXkYgy9yh5ot5sxmS
+Rle1ZJk/A+0vJghVeaE/o+886BzT4YogfYWvZX1vq90vDMqX6RhZzb459jt2L158
+APQVbnWk0pNzUAMUudj4zWBGs7LzXjo07nsicKARDO/ratkwV58u9gfYf20ZevCh
+pFbrh4WuMCh0zGtFa4Wiwksxauk05iZgYOdwWoIlyjkR4oU1fPOuulKI9qBCMwzd
+S+wvcIzdhvoEQoxck6W+DezYEfxWUG4SRcd9a49hgJixb/bZL/DsOwTFGq2arwG/
+FCRIvpcBDlazeJUbxQ61WTxGP4btqla5IClHHer9oF+XEkNWv7QlTXlsZXMgQm9y
+aW5zIDxteWxlcy5ib3JpbnNAZ21haWwuY29tPokBHAQQAQIABgUCVu4HOwAKCRDC
+c3kvfYNUXeyIB/0b87yed4qZ+YYYBGvrm68OP6zanl1XlNfJS9sUMZLlFzvP6RX7
+3LzvZTRqMsXCjiimbgU2E069xiSfpozFb/fQl5l4V2981D+rI5MGkxMK9UV8nPTK
+wXd6S12CY5Pr+k4452vHEt2lcoEBGlTxEzuvN2OKSKbgThDBVKXH4IXdWa1Bh8I4
+U5JwfQykdLeiCXUwURdfyE7Ky+4/aBPvTTIv8nbdOuj+ivrBN2V1+CBKMx4UC71x
+RyyiUUnZSOsVnrzgKYZ2ukmljJ/tbknYepZd2CY0pX3f8b1bVUXj6vOjnetPj2fH
+6ITbOwEwneHKDA0P7/+gB0Cunbet1xa2d/4FiQIcBBABAgAGBQJYvuq/AAoJEJVR
+oLGm4pfOs0MP/3IZxRCUfuwRHrO0tViAz3OH4G0BNOU3qdzKZ2/sDEaZKUbMRgyO
+XF+GhHkhAJdB+JrepdlugTKdvgZ8iGwse3ojmxgAGXPtKbi6nP1DrZ6p5vBluCdc
+z/MC+LFA2iQUKMbLcj9NUwQW+9/Hw6D/WHs2JALIi6B76sGOtQHrYCpwCtNzCoGE
+UsNd/K20FIRkmt2zEOnuDrF59U1Y6439nv+WCtYVg8T41hyKs0H4aNZOGC9CaAbN
+mxeNLbTGthsnXsNKVyw3Hvm0wIOOIo5qG7W434a2bULuZVQEHW/LRV4kXuWbg1SL
+n2gt+QZrI/eJ+qHnWMzxBFuwqYCGus0zciOmDbKnCwsZxq2kPXFyXz4rZzZoOcpN
+jFZ07hpooGzulL6oVz+1QDc1fnatbgeKMQEoRw+4Va1aiYbGQDTsww4knpejEJyS
+MlbIy71R5ZOtRKEfu01BIn0MiX+RDQTpV4oY013lkVSHYe+4JcEM4yZy++lVLfea
+rRkQi2mdT6aSeIWeb822ptt2REt5QS7MFresD30JLQRAuaJVlQ3NEWntQq+LAwcc
+uvubDGwqVLAMK6tmQ43bLEwasZ+AYawc8Q/5SjTylASdyxSJUUK63JyCYfnqdw9s
+uCLcSVS4by0NUqS8Gr3++GLlyfZ5Wt5JdjsQfbcTHLdnYJ85g/r6371/iQIcBBAB
+CAAGBQJX5F4pAAoJEBRdTg15cHmaWzQP/3TDwyDrjOaXZZrp16rvBcRoXgBmE2l1
+idK77k7dyrZ0IdzCdmAeALC0S7b5hnOJCyHj9Si7/qPwBOIdlT2E8+0WkUktsFtr
+ZqVgQFYvAWdyxiYMh6s1jvmbPQvq/u1BxZlwlLiPUo+V3NKz+hl890hc3duhIzmJ
+7X3SkW4pMFMLI/9H5ulqvvQyAbhXlQ5j50RcgGVpduAJGy37Cc6QxdxUkGXF6FPx
+Ne7lhVGmDn6cU8jpZZ05p79cDh3Qh4HsR7SHC2YzxKLIwsdgn41bGbqQOuh/ZXfz
+aGC6EsxZWo2QMkeCz9ayNNz3E2QxH7o5TajFCFAwb5HW+ufxGd3O6IY79r1R667g
+sTF+W1yo6vMMFpoP/MDEvf2cOzaiJ1JiQ7iq+XkPVDGw72+FzsyzQ+m0ajb31fIQ
+zSiW7BdnMjn7IvHOO/2/KvKCLRZMK1H4sUUsERnPOAT6gkL+WIvAboLb6sx/l35S
+aHHKIyNSjc8jTR9FxtmTZATjcz6Wj3+MR/4VRr/LZpCc4TG585emJnjoTp5JmQz4
+mnU+M1urKh8lNcoJV6oKAEJZmejWs6C1s/UF+7MqfUXh925FE3HDkLfm6R7CWUHc
+XrB9FGRwRd1kK2+f9TtQlQOC0tJH9ntufPFkfDpV/oMD5x6UIW9qEWIUlFbPYtMa
+DwNrvtY5gwg5iQIcBBABCAAGBQJX5WjFAAoJENQvUDCHcCYnJYIQALbnxsnzyh8L
+MXRH0LSM7xuCh1U+xKupAKMC19Yy9sc0HRzYwjdcqY3QbaaxOjexHRHii6hXCUjs
+woefVtg6/Xw+NiGaK3VEwK7VGMq4ZBObSJHGmZOzv/NOTOtW07xtsJ5Cta1njbHq
+znsklgFW5u/PJ1Id9EsROzm80CDK9ZAhqhT5s7bzBPV4ThDxGyaiDIVXX7TxGkp8
+BQfAzvj6QZgwXfl8pr6ReES/4qL+SyFrQkmz7ZEirhWFnN6dEa4WjHkH0NMasgM
+bB5uRuOP5BP2DKYSUpx4J3LHHW0kqhwoJ7y/k2agcMtu2VvorehsmTJYCJroCg/5
+drtyHKVu6NCDAir58c5ZLpgSyKCAa/xTUtd7+Yce0HHixwt1LW23iqC3BSKMT9OZ
+ZGTDv+khWzM0vTuIobm+KmuCJq3MOXk0OTYkRV4O1JsytQRWhw8w0zw3Ziq0eepw
+h+emUey/ammePNuaHBx0MTnV0rgnlqRgTIFK3fC1YJQQ4vi0OqiSDMnCfAO1u6ht
+GS6TDULOb3grSQnZBl1IFB1594VsZ6KaMxpA4Ko7Vc1ZlPsvfJdonDEhjZFNa3Ue
+z19ZPIKhj8vuxWFwakUVM4g3724F3bjI8H+cbF851n92LM591nR5uYddr/DVK8d6
+yW5qYmpUBsLw7CRLTQjNzI0o0iZn6dIKiQIcBBABCAAGBQJX86T5AAoJEJhkLIYg
+r0fW1fgQALygE1VC6TN3afQ+UkALedXqZ07b2ypYeL6wE5aSFI3qhTOwcrRFkwll
+iZ0Ou0xhKOUkvfMoCfujrpK1VNQQ5LK4OYu64ga5K8WU4AzePgYzPY7Nn5LoSWl7
+tXSoxFMuk8AWpIt7XJ9hQqa9PsbDLwvKgQ0ZPkp26dSzx0Epic5lqzy9/u13H6IE
+hQDhdHbQlPNSr/JxivIzhvg93k+zFbmreryVp8VN33rWnPdkv7NJs868hNztaBIa
+Wm4ZtIoQBEtSsVTJ8llSLJEfwMN0fRNM76skmK1jzmtrnngsHvvZIdU6HwAwisg4
+ZLcpsrv0M/MLXH/tjHfdMudnj6HZenkDG07mRvRuNKxFBgoPC5KWrJ63+JqhR35S
+D5HfVhl7WWeDS/bsQEWK+hu82Jl0W5uoG7TgIO1S8viKN7Zdcv8NhDjSV9VRaGgC
+Nt4KS1lhWIRQZo7hww4Ex/dh0QVbHthnvcwEdn3DbJ7NdjR3hu9howgXzhEZfTgf
+c4PyN7h9jgdtbcaL+dQzA1lkSxe0DtVNLurOlTJnUBVHOb0evz9QcqkT0abh3Itr
+vpcz8aOoI2r1Jjgtm6toDpELa/9WTHiECW3oxAUrZFrzYigVShWym1FGrz8lk3w2
+sDO+A6YqGgN7ar0PdmeaRFUYwNzQmhrKfW4a82gd70s2BEdFAR8CiQIiBBMBCgAM
+BQJX39hIBYMHhh+AAAoJEIGGdEifvBJ+SBsQAKgXFN+vYHwj+tRSLYOLU9mzM5Jl
+JUeCV1RVxb/hbTh4RdcRJ3Do7WmXt0qTQ+1yMgfvTad84y9w7QA7xI64s3uv3kD4
+vWBgw1pLqxix+FIXZTIHNe3OaNkEfcTdMoJyvuWVpOXUz8xbWFZIJke41aA3QJXK
+KLy132/NGiieKoYlGgJ4kaXzM4/17qfS1gnfiOw/sAMKna6FlV9qZwxtS3PqeYbV
+iZZ5yPIuXb2CD+nG8Fnj98KrZWOI4/YAZiIe16ccCNxcdXjROXHzBdOY1OG/6Np5
+c+BtCaG0D+Oa7U5K6ZHfu6TTCo7c+L25ekZp8YGn5Whb2HNzfRjn1NkKmDKxa5ar
+hTIHGgB3Zizcf22PwNnrUx3godC20ELTWA4MV/JB596MKp+p6j5hxhoJrZnJl33Y
+P1jALLSmO3CukOmRUgw5MPSgaloInO4yyJgL9vmZ71ikPJ4D1sEFeKAia/hvTU+Y
+dOb8jg7wtuBrwF+2vgbjbfCzIMvi/7hLJjmDF6qVs6hRjCSQVPPsBXaM4gtrhNOh
+ZwNPL70bkg0icsal1Hdua2MXoPmY3eX9g4CatuWcnVu9oL0mtAmAzP1I/gP8OPYd
+R5YA7mXSdCp2smutC1hvW/kWyv9SrU7oIu0/e1nkx4O3Xv5LbK1TRXMk4YDrVLrg
+nIuFf+gUxkeck51AiQI0BBMBCgAeBQJWlY6UAhsDAwsJBwMVCggCHgECF4ADFgIB
+AhkBAAoJEOc7xkHMEfTIB1IP/jd39peJKGZkKeK7X4fUB6CmnxWAWX7aTe4cZA9/
+Rpbts7O6LRYaErlabEqYW3RUXIiuqr34Z/2sw9JGaPCmXWBP2d6mwSaCyJW4d8+m
+rv+BzAcoWjdf6XdohLCNp/9XwAsE9Pe/i4I1oxLWYRsnlJBEK8ANpseDImiwR4D5
+HLnelCEt73Jhl0stDtlALz+4Ex5nq0PL+QYDKE6Ol6Blut3Zr0InL77PLBHcfl6C
+TKPs3jbHZVS2zve8Zz2iI73mpqzSkSqB5ZZmdPCof5a1d5Tm+hcfu9VG4xPASuAI
+GuB/wLQX9BK7t18LFH7oPej6pn97WmkchnO+SQzhVxG1OKdNNCA8/qikUAxHi+TN
+z990hQU8AaUR0LPcmoreY+QZX7EJjn1rpa4KKmxigNGFwiTLqScBekwpIv9VDOoV
+EnPJ2MjFfHTXpFED2btey4bKWneisqAgiUxLcBv8h7ibBG/TdgBxmKzofeuDSLRZ
+H206wfMhff+YAqADF/Rg8CafZBMErNM1BUNg3IBgwH/GKqsX5Qt2IyVQf3NYAkRX
+ZUHWMqB+/TEON3gAkd7ZvYDP1KEINUnVA3xDwztA+bP2tlBnJdLkBis/nOYFZtsi
+8AkityhOzVC+7dnKw1QoqwuGBxwJgX9hmqgtETJw0HabXEPosyAngh57iDVFPSaK
+4+sntCVNeWxlcyBCb3JpbnMgPG15bGVzYm9yaW5zQGdvb2dsZS5jb20+iQIcBBAB
+AgAGBQJYvuq/AAoJEJVRoLGm4pfO3mIQAIIR/5JwKuwuu1H4NYG58A3TXB8Izy2Y
+GGrwmF0YfrwLDvHsXMeMkl46PmSWz6qJcs1fnyNwTurP/3qknPEH5spdjyLECXdG
+ps1MyeYyEjVFu7cxA5qpvil+TU7tn89mwf4CaHDKi5Li/RsgQT0kcSAX0EQ690rO
+m1xOkWjpDas5tfJPXX35e6lPvlzhlRDzVuxRgRzi6CDhMy+KtYyzABpG0xt+ak++
+aonL7yWiHoKZGNUmstGR3ZfcvgYa7A/jA3/EPKxovqj5k7KzC0MkUU2OyrhmUK3m
+HnY7/hqtc7LLE2HfmBctprZ06fGkgmY+tn8E3sRCT/nncGn4Ur2ovdNtFcwSWvfK
+9uGR3N6Sa5OFCVt6Uxgt7yL3PEryDsq7x+ycbtUYr1n0GxMxPQYee0kah1RHqIKk
+JaNJuUL4pkgzAEXHZUXoEE09UjoJQRPcebFV42ssONz3ENLFMKUEd6xbzkVWa9RV
+h+CPTRLagYkfnpvJd4qSbqeo9bjtFQyqhhfeBekVxzj1bixG6tKQ/mMpqSkLHXFU
+WzbNJWBx0yG1LvW/0IfjpkNoTETGii+JeVUD4Z3N0tCXR8tgyatiptZGjp87jfxD
+KTF5A5aIZPMQzlNqZdJ6y2MAFvNLtBwqi2Rn1HFP3p5vaEe4XyuVI2QiaR4jFhnD
+lYnp2NFwjxz6iQI3BBMBCgAhBQJYkWsOAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4B
+AheAAAoJEOc7xkHMEfTI8s8QAK1qXN5jxhzPYDLiz4NvjchC5wTNZYD+g74bxyYg
+jJOA7u6HIBLwCs3xaptzlYseci9nDsPVZ1fzCDHQemjWHMlFfVeZlK9nc3qyj9BY
+woUI1eQgZMGOFYf56gnbDSHOHPzSmQfw1CzDmXHdv4h/5HMT00Q/wJXjN/F1MpjR
+fm4vIigHRcZ8cJCHjJOtr9qppRdMQqxYg2KLA/Ly6UO04chkqj643Zmv0UGwlCzA
+/yfrZd9LeKDw7WXt2S2M0AslB8J6I8LYXDx4n3ri32G3bQ/ifCIvsTuTsHpqIdAU
+CiqQErMSuw5kFQley3YkJEYDuFsNfFrizCq+1JyNlUARGKANUbjLiLgb3pDe1LCk
+dCxQTlHhLpd5H2xy6/0SVy9XYzYHR3gRVX0TId14MRspgC/TKE6GvOcu4lP0qd0x
+WxbIdO0YW3qjmkCoyAGN0S/842x1RyEbzlSguBIetGh0dpoVc9teSOaotoRO9hv1
+LkY1bUroaJLIcJE5M9eihvZIVfzCW5rMAmJ5hT+i83x+3IforsdbCRKatd/T//uQ
+8QXv4/Qu9JfhGL9fbN9r4aCR+YgrrqfxWX/5hdJnGvzdh/TqTXo2XSWhhmphiSFC
+93EojKtcrHjMuIhTdA4pYVTLkS8AXCD76Lmzxi9K/Fvvanm2WFnsLYjn/PNkbr5U
+8URriQI5BBMBCAAjBQJYngOvAhsDBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AA
+CgkQ5zvGQcwR9MjdFRAApqCfPXRkjRZRdhtCVnT15QbMPPEDyCmwwCgRvfX6+jdv
+AUnyGUStKRZ79awehoXvLQGKpaVRiJt2kqt2Y2eK9uyPlNNvkwSd0/+Qpix8pBm1
+s1nA/khNTeUpUQ8cIFlsNhBYo91AFKr/qq9DUPX+VKvpUSEwvSn9dsXL2y3baMyp
+NaJIS7rEfI5/u3r6eItwu4Gj951H/6M4QXyqLMZhlpRHt4W1GRYPkjzLyw9a2OOJ
+GZudX/Vhwk19koM27hF5XNeH2IkG3eILwdjWdQWjaJzZtnfWh3CkYut95se0vreP
+K7sFbUauVArs3CtBuAWDZ4+k0K/rY/PP4tSReXhQfZAoVEGEn4wyar1PHgggBStw
+7H/Bzb3ZLz5U6gfjThJynzLXd2xbi/Via9s7vOhuiYV5MDVNnfvWrs6q6bG0KXYH
+yCcAXHME8ftbo7dgdKzbMSnC13evbRVL9ZnajCXz4cvWEaDUBj4sJUGxfgGIEX/h
+7iqv/oGCG9JzGKYtshOFL2MskImzSOmGE8q51Lt0wBC94ZKVYlQnWy0uqhaSZC6j
+Sd0Csu2cdAX6kVG01xoiqafZk5Az4YP3U/EiUyZH+HB0rNV/pvmdzC99LZ2LTJKX
+y/nRKAG9lNsub8LZCHlVwH02iXNUeogK2hU798Pgjc+BLnYCx3HoN56rXzzKhdS0
+P015bGVzIEJvcmlucyAoTm90IHVzZWQgYWZ0ZXIgSmFudWFyeSAyMDE3KSA8bWJv
+cmluc0B1cy5pYm0uY29tPokCHAQQAQIABgUCWL7qvwAKCRCVUaCxpuKXziHaEACN
+U6bIrEP229xDXRmhcx0xQ6nJ30wBbX0uNS7WJXxmyo2AuSfxx2dIjrF3O9UDDHpl
+u3hsL6rdaIzYO0tg/Vgy1KJVYhbwpFuOWz/NRW24KbY7mnyq7rx31jmTPCMptM4P
+yYv6mC/9j0ZOH+xzOjzmXuE6fuZIB4GCqqlWPBzJiqxh++sRxMejYGe5HVfe0t17
+TJNTHk0RKViM8c3bBnQi6RLASUn9wGFI/yPbEE7R0+dPgqLe/10Hrc74vv5RDJhL
+UimiyL4hTodhsV9bcaOBio9DiB8gAC9hfYBNw4ps7HaVBnqrJNSPuIMk6boXjtTz
+XENBU15BWsyKMUQ2gpBqDcspnHZqRTzNDjplMB6d6pMoKZpLljnflBu+F/kq3TSE
+u9JthqxeevAGa+IS8ZGJ/P7HO3b5SDyh/wdIMstTgGrfB3fA0fGfGUUQIqLOZWqW
+S+Ud7k4XdydaUeGlfK+1x7/41WYDULad0UlIM/G1Z7FaEJAouBfGM0TAkQnGsA1+
+QhUOaIJqUjP2szzfzn/gswr6eYBGwvojVVClbPCvBn3RUB+Y+NgOMKhF/xJiYA38
+nYv27TW8MQASoh1prLQsci9gtwoR+MUlA8eCKcf+TyOgVz/f/N271vWSEWesqLj3
+wtx37edD10AWgzTFMsNSJMtbBpy1csDgWT7aNwclzIkCOQQTAQgAIwUCWKFlowIb
+AwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEOc7xkHMEfTIvsIQANvVntac
+LCksR8dYkAV9syIn8uHzbVTYJPPZ4kq6UW6nR3k+9dbGRL6kBk/YOn0/ib3mVz/q
+MPZLFqmoWTkRh3qCGeBLfZtOd4HjLQ5vvpFsnkWmN4BW3Ji/lSeYHyXU5Zv9Z9YO
+xbo1y9tOHvhrsre3kh31E9AN5rb9x2KVS3dwfmN4PIx+m0aC6JqfNlf78hDUbGdu
+Pm6TkHcmEVfbJT/XqqzUTcJsNVk7047rGxZGo+TxbW8Ri3CPoe7QR/LhQ/IxIPp1
+eNu6oMWycY6m7EYhNiagf76j/Jv9T7R5XmRtxZq21z4985cRNC5auooD+apdOiVj
+ft3gAbey/DZPhpY6P2Dtzq1MFXdHRfoW5an40Bg5IgnbRhqcg9EY1+182WNB2iaz
+ntR43IeNNZXXlkLIVxW4oAG3vq6DV37lwNuOYLTsdGUvbkMd/u1zmecfX9C8wU4/
+Exefk676SE1v5shA54UDUvUhaGnDbLZZ66MfiXfitE/RuG3/uFfkxeKc3/CsUKk3
+RYbtKA3Ou/0O9C6pKIVCiQhUe/HVSidkk0GAZ3Fq64Cqajd2Byz0QFDHwKv16BSY
+E4mmAWXYw2aV7pO+tivib6XXbLHU/WgJ1qbm/Qr3uo+ZYv4k7f4IwYi0kbSb9nx
+tbft90fuq3xmJk/BzY6NZ2f6FIO8aaJzTIGbuQENBFaVjpQBCAC3wjTlC5/jdi2j
+nIophctvA8XaqmrQeD6GaLugfCfy1zzU/7LbzGbb0mzPdnF1OT8htQFu+CWNrInU
+DqM2sHE0tqx2EQ82KoK9uQduFjyX33GK0FFkQh+cDHkTDSIQkoqx67FHP+jgehv8
+rAzpwc/G4QgoWppj+q1GwcPe34WMCazsfUMYyr/+iyw6PY0WZyQNMUgOItwGlvq7
+QsYqW2rF8bl6qO8KPlXxXK7f7ERm1ScLvec6W7DbaQcO3KlK+tUgsFVAkHEYwz7M
+Gy2ybNN/fHTjS0uB9ODkyRFFGsEXcg1BhJsgHNy+mWTs6dOmtKEZW41BeXL6pgpp
+xQcCfCVABEBAAGJA0QEGAEKAA8FAlaVjpQFCQ8JnAACGwwBKQkQ5zvGQcwR9MjA
+XSAEGQEKAAYFAlaVjpQACgkQ3qFjcZdAMaXgNAgAkmmQPq02lPA7cjdkWtbYF0tx
+YnnjPcIhj8metii3YseDkfJcsVc5IVDMqg3Ns6W2cudSR9cgfw+Jc5MeVtEgBerR
+w6UXAfvGK7khVXe9TFe46Fx1TEJ1rW/hc0lNKNNcJfQhYPIlsjFRiYQEvOi7A9VK
+cpatFXqHDRGSvjWnZfavJEpQL7f5eFd/GXzFTNOzKYwTRqOn3ESQEzY65lbORQwb
+wTT4V704i6x3aBhwjmqnOMFaPlU69QQgrmPZkaSk+R7NkUS/AcpDFJ5t1L/z2HiK
+F/XeG5U6lmDy/Pna0et6jnTFEkDOkMPQSpuV5kVrmYychbWiSbX2xLSnHOWh3un+
+D/9zafSr+LbYbKsp8lmSrcucZZeuD7OLJCk5MnGboNzdGuwMmxKmtRSuL+lk9L/k
+gNLRIvy4XlgnVycVUDFoKcUCNxgIwN/P7vkEbvfdYVeqcS4QWGyPYh0XdBvDWl3E
+Wt5iCyHItkRu4gYwphMuqH0HT1ukilwxwyVi7grJr+b6BAWmfLyWEuN1ewaxNoII
+q302TraoPGlbrQb3klqtkiL1i1y6zIbkwsycxkSZ6TX02hKLBB0bvAPBA6wJpL6y
+mUrKAJSynTvg0YFmT1A8qdKvpGaIjNx23d8Ak/wxOW0aBjsOXowJbWxAzsjzYWgz
+UjHxqjlu5M0L1eAgAjB7uHWM/CQvUKevn3NB/QvvSTxBKF3idebMrGBjeIIbpefM
+v4q84+6msPeNpZOAjL86uHi6+Afd/R/eZU36mAuLepEO27M+5Y1dZbtbSsSy85Xb
+DPJwdnPnZm9iASoxLdUqKYPTn3P6grmlFR6PaxSlvH4VOwOJZ/00ZocUkwev8xQF
+babOCpb8+LhtqHx+4fU36HzPl/DnFclgXwld4yxw8ui7HQahjfvkIM+wdpp/G+2+
+iGggWWZZ3aJ8AGx9NgbZg6Tt5VvS8o/B1BQR4li0Lq3qyzINz5tCrlaUXFpAJB/j
+l3Gu785wMDCEQb/ea29LIKzfYiqK6KOG9K+VaYi6STifNbkBDQRWlY6UAQgAveYL
+9Vh+G8jdNcPxr7oneutYclTxbLDAXcF1cPygn4h71dGrE3tNpbsLxG8K3C8nxQdc
+L0NwBnRp5LAF/QNLhxWLbFRnxXlULU9McWc9oUC6VFKSBGOmtdbuyzKneBIri0BT
+Xqrjmc4lI3dwvHxRRX1Bf4krbk8UTeM2P5tt6NciJ1yQliXvPk6iHVeP+LWv+k6A
+kG6KLn5TVwZjHbEflGcPrwX/1vWQPySp/36kx91t9+xbw/LW+Sa8bxyNvovH8oXQ
+aEFmHlk0BhgN1nyftutFpT7FcJfglf6ljXPx5WJynib1baAnu70VsPsL6SVlXxQn
+mfNyeS+ts2y7hqJdQwARAQABiQNEBBgBCgAPBQJWlY6UBQkPCZwAAhsiASkJEOc7
+xkHMEfTIwF0gBBkBCgAGBQJWlY6UAAoJEJM7AfQLXKlG4xgH/2rkUtqEPcpZHPHT
+6Yd6qvyQVLA4YDad7VwIHHI+XtOReq6GbEOlHUJaaQthwobO9HfZ07winb9DeMnM
+mx+QY3yrdMidS57vSp0Z1sJsA69UaOCcMO4HEZEoMC4W45YRZhMHJ5V/uL47uCHj
+be+Ss7RwGn9+1DrmFApNPQqJ/KYZC4uXJxbS8qStZtcjbEdcKYsoegAdtzXOMaI1
+G1YACZgzrPmATp5jQ7xpo4l5YCyCbqH4dDMnUiXDjl4Av2dczX0Jbd9DKpw2U9rL
+AsGTbRtEv36hWKDPW9Cb0FcqO9e8w4Mxv6teOip4+WQMgITkoVZ3BOaLi3BYi1NJ
+RajTpN60AQ/+O0ElgIoCFsHcVYI4NSWDzmmFXqeE1jllVw2wnA2rO8gp3q0fcjEd
+57LjowC3GVFBZfrwKX94G0Jtl4WHtzNUymUxnuz6z35jT6C5ijNNDgd/+uAszaGg
+Shp61pl0hFTibIx4rUT4fXYuQhwu+JsYgiE7kLjGG4wNaOP1EqtoBrhR+vud+Obi
+2K/iz2wlfbhF45Lrh/om8B795uA2kn42X+FhgYwrf2x++2jkO2McJ3VvZdv5AoVx
+zQYkkUb3pJrCPhK/l7Awgf7qpRvrrQcOX+tpnlhJ2keWUSjd1Kk1QcbFPKWQG4kU
+nMUcMWp8VG+WCLBu1MleYF5DFAwkGrGQV6pQNdMOs14Qy5xZJoVYrNuL349BYeKr
+AxPbkNhNPYxXhdNi35jmXvXIExnoe0scJgcjhcHC9rgX3NOVmD9HEY4MzAZnNLzi
+5EUsbtWV1/Sui/tjnojbnCxq7uncPvBZNiMS8voKsFIXXjewhctO+VNLRBbvM18M
+JOaK/QJVeR8lwvvsDzly9QcvA8YPpyOZVr83MXl3nk0fkGT0rjZzHzvNhvL0zWSo
+LbGK3K95XCBzNHuOUqJCMlRDcdgW43WYMzzpLvMOGSxlm36n4EyncCo4bDMl9OMP
+mp78cAZSaannJqbKrGZp4bNzIgnoupPeo3DurGIiTvr0weuQZHymNlqZAg0EV/eG
+ZgEQALphDJCKCF/WZ5TWAbw7KOV9GnsowkkebG0GO0fl9a0zwhYJ2ZmcKhSA1skc
+hgPYWfeH+KNfj9L/j3aZvKZp2ZbbgPuZh1784G4BAKZ9+PKkEJRLkaFmZkXS270O
+DhyflnH6ZyGe3ffSbtPpxSt5ZHX8KIFcg0lZDohK7A7wwNb85Iok3KtF2t/gervc
+8MGRKQcrdrBdUfId/Kl4k/jh+oFZsb6PjfvFYkUSqdVIiEyWTnL6pLtOhlOaPJur
+QDzy18xnO1K5S/oICkZVtL/PFKnJisVtJbW9kr2CWtnaomxZlgIGW3rXtbU/mdZg
+ik/pPY0s6bHoeT2iRAv5NWt84awGR0wEj8oGVX1KXFAWXAg9KPbhrt9SOmM/zYHH
+yx0StQz8NESevt6ktTzyN0vFrNbLAj7KH6sR8TgD72jGlybHAm2nM/vaxWWhaFpU
+uNYNtpIn4Au+QWv0+Y5rbufGdFi3vsPkAxa22ePKha9Lx8nkFyb43u1utUE5GqTr
+VYIkOa4r2CEKBD9icLV7s8YSHFRVh8kRT6b40gA9w4TSW/ecdJMC6d+kjMfAj1NO
+R30qPisfPG1Bb62ZOh4Y7SCGcGPqnvjWvMxh1UcRHmKy8PfpWKPdtbR/6oki0htw
+OnCI8wFQ4g8HmxpnOfu2hc0yj5+ZgA3jileTfwiadkzkXSWNABEBAAG0JUdpYnNv
+biBGYWhuZXN0b2NrIDxnaWJmYWhuQGdtYWlsLmNvbT6JAjkEEwEIACMFAlf3hmYC
+GwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRCwH7uSghxYerFZD/4yuqSl
+Hdrm+1PPnen6mBT/VcBGvz88hJMgsD3r0Vlnidpc/JSlggJWdUyCziwW7tfwPkjS
+1JSZUMPXNAffn53xKDF3nYCCseDWBdrwPJzc09qYbXIPmtUH/5B2ETzfiSW+z+Ub
+9hmsBJDVWtEfrFWZ0ECcYQ/X2MnbFJAYqJ3OzejRKPc5nyAyVZFgnGbL6eeG64oZ
+lZvpT5xBc/xsxPN/hHGGCaLrqyeYvd9999rxgaD+EyJbabRtfL3+f2MBleOKHMYO
+KeA9i/pWHas7yU9b7ChVZf9L/n2ejVDuYJbskQzH68PyS55P85i+EOBcLKWpKSIP
+ORpNDO70dFMi3Q4NIhzSBXWvqsWkqgGW6gkXg9Fdu3BiIz72EdP+UWaHhFesvgq9
+u3WQ7BOEJZASJHagN3w7e/hGD+Y10eNdpJSceZMNqBkTDtAu4gCVAIBAr88g3urQ
+JWnNr8DfmuVZy6T3lHHlNhy09+BPdXMNe2rCy23HNKx54M3FJRfrNHYyoAyDw8tI
+g3izFJDkPAOgWMZ7MO3RIXP5/Wxks5fVlDq+pJ4YrhLczS2bzoxo0PcXwh7WjWD9
+PGtkdVpJh0teGmQTE4TRNbam97QSEEMuMNzqe0T+S9Kcymii7rEYDVCn8Gu2og0E
+6rXrq5muYKO67P6e6WSiv9PdFvN2TFMNluxwUrkCDQRX94ZmARAAp8o5b/A2nI5E
+BaXq1fGWWEUV8IQdlDLwZnmWCj56Bocs1c2swcsbmw4HlHDRMhIS3tHFYnpvXMwk
+hvZbKG8bkCpADRnwT6gvqmwoSiCQRaSuHrs2PbcGeYNCVjmuPMvH8yP2VWJaGxye
+rtEkNRcrradu0OdkYhtay2ppZ1EUDGG/ensm8MCuNMR01Btk/DJOpyamJTsGdfFs
+DG0mNTfYOD1EVZ2YrjO5GohWIBOy08XwxYPwPP/EF02jSgBbJ3hXA2wsc2OozLz/
+iPZA1Ok0PKpwGvfZoJq9TckzGUGHVuEBjqMoQm7MMVYC0vo1X26He8RsqU1Jby/X
+OBJS0LLmYP7+RTpEBhJcicUNrl/1Np/8NVR8U0A4LwHCDT/yctSMMZm+zQ+T6T1x
+pXtyQx/oNNGScc5rX48766q/6LNYfXTktSVEr1kPpuA8brHenT0zX1C5nTn9DTx/
+XWVvn0jVAnriR07PVLjlW2UR8L7puwKsQJZ/oWTpy8gVvfnMRuUDLdmxktIyT8yR
+ltGUAWHrkA+b7Phj3RGP5mWq0FgadOBaHsE+lyhZ8sdx4cdFXja9tDeVg3NQ9iCi
+kq0DcA3WQRyT8Y48Wpc4eF4MKiROnEudIKNotwdQS9yQwyILgGMLsoyf1ZCCercW
+OWM0pGV3xWGRcu8If3DFmPEL+e1FQl8AEQEAAYkCHwQYAQgACQUCV/eGZgIbDAAK
+CRCwH7uSghxYerY9EACRtMAzk3Ax3oFTvZi6HLemr6/ptsgppqq9XcsN9F0AEDrs
+BaYQK7kHMteX4V4oIQOxrQnZZf1/p+14CFrvhzYq35QxfoaMdV4wX1yG+wF/uhtu
+mCBHABhMMnWAZmfT6SbiAxny8FcmgW3Sf+OQeKLcTAP59tEOiUFTE39OYSPnVDxR
+dWQHAMJupxrtsdrzho5hZjlLN+asj3YU5twztHr7pk2iZzPKNw4ZBLjrj1NKi4Ly
+66KWiJyOFn5PS5texF9sCYw59kedG/kaBbxz4O/5xSYwvW7zGFAOX/cLehpoDwhh
+mwmIRJm85brDfjvXldO8ZQZi8GWdKD4WdnRXVUQyRntux2bRseiXkTfN/NTrFYPr
+gZvYmNflMdSQKqP1P0rjQpHabfWR6aSqzjtDSKdfj09HXWs3NbvpVnLBOIvInggt
+PCU7lWaeIyM0rqvCgl8pRVWWJ0/CCsuTQ71FigPd9ifvu4DIdgj+QAIOGpkEre+u
+4RAaaXzvzIRhDtELzsVp7UYGOzZ6TD1M35fmnqu8/jy4I/jOQ0H/6CKBr0tfyzjy
+luh/yZ6zHR8uYECpweWWG4T1PhbGUvq5GwB+nODHR1Ag9qk4efHq187DNJTNkGkp
+XD/6E+tsVumhHOmMNIB7Rd4+6JNxVsZkhC2OwCAmwrq36YYemlZOuL8qhmYVIpkC
+DQRYhpLWARAA6AT3VJMFQPXTVYs9sMW/nt14mkGnrEh70UXg6TqVkO8rsNsi3cXl
+Hq+iHsXKI3v4tfMfng+xRdYIvi6NidS1SEXIUwsdrxrPT9omFtYsqQkZfPQu9rKt
+Gh8+koltDgHLZORTibZTsnLmKRq2vGyqsk5PHp9e7OhMoxHL0OeBVmnK4i8+n5NW
+Z1d5gSIstNyFhDmlVMSL5rgTPDEEVF2J/wcVF9VaaNKqan/arV0e0G4lMo0zf3R1
+M978WE9uumnxLDphToHVNi8LGbDSgElJx7EczTHjKkyKKRA9zC1R9SL8bABMpZQN
+HxB1daQhCPLnuhm7359qNK/hslwGRQe6ScHkiSpxeJJry34+muaP1ARtSVkAQWRZ
+Z46QmReYS/FupXXDI9HghA9jxGxRohIq5Dc48lNbFHrEpbi7LznOH869D2BQTRgJ
+/UjU5RKuRaQrm8KbJirGQ6v1FmmPX0oLgv1IUXuqJJ7cubMCrZKeISq60z48FFUz
+f38HYIhyhfzSKL3T/r4SLZL9+KQXKhfPbnT17bAx7cqNQZte3sxV1Rl1kp8H8KfS
+nS1ZyFxmynts9XKZrzNwCNUGlqZdpwPm132BVWqx4U6fp1rOT80lFxCLQ/Sta0lG
+vVc+qEMdVqbDPWWYt6xeLCoUkXNq9VQVKHhE0Iz84ytM7EqnQOFcBgUAEQEAAbQj
+SXRhbG8gQS4gQ2FzYXMgPG1lQGl0YWxvYWNhc2FzLmNvbT6JAiIEEgEIAAwFAlia
+OQsFgweGH4AACgkQ5zvGQcwR9MjBjxAAtLf1vcDkOsYtU+RCrpfWotwaFoYLRDlc
+DIjFLO1bX2TIy1YFXDA9c0x8J5Pbt3wmhtkFojgmaGqvWpCJkb7lnudx9Qi/a2gx
+ys7HS9heaUDoYM8kgeXVHJe1UcVi4veOthg8wp/hQJDUuKba1Xw9ujVi1PqbBNCw
+5ALJK1iNcFmgjtk4Ab2rgCFHqTr/KOUNtYLs/uI9YOHGnzUAW0SrLgHQFD2B6TWv
+kFBsRkR+LrY1xGinzt2V34BWmTgIvivC/DNdibhVoU2tSEj0VFkJuyKNSEj2PLA3
+lzaDteCezITqkn0TFpWVkl0NH8c39WV9d9OE60zvTPKfWYteio7VKIQpnCIMGhwr
+ojt0RD0EEznmc5UV+RWKRcoWk7B2BqsZxFp94XRBqFjVOmWeK/hMZxoMl7I0V4gk
+NyLbPMRyi87ZrVmof+wv7B7Vs8eBKiPDQu9W53bozX4bSf2oyZ3EWSPg+GCCSFc6
+NbBfkq8kdyA5LTKGRgxYZseiKaGvAP20AgRVSYhikl1zlcnGtnjjv6PeAAb4PlQc
+ANhLLZ27XUVOWAtUdm9WQyGC7ONNKF7VbR1ikT04JaQMHb7a+cSiLlsV27B+9gk0
+bqIDSr8LOT1EDYFb4Xpw1eWCHlepbCFGl0MHOSuOzr4MXgZAjPiGrW6fCk7zCFlc
+bjfaMmOafUSJAjgEEwEIACwFAliGktYJECPv7+k8TP/+AhsDBQkeEzgAAhkBBAsH
+CQMFFQgKAgMEFgABAgAAx9IQANh9VjRLD8cLrsjVgKeC8/ncD6cpk7OqbH5vKjse
+56RK0ABpU3ZSS9rzJdT+h3vTnIgRKCUBaw2xcv7oN+GCNT3VJ7MmyF4NyDTOjBiP
+o/Wvck1C81n2t4+05INt6AL7Zn5HfeEGWVLo7zbzReCXdm3kmoifYxxwIEnPZeJa
+Ly3nJRUlTMWm59lfU88q0RCyBZdI9+muiD7voSIR5Nu6Uf/Erw+YryXcBLlRIG9k
+1nML5cAcH1qhvhyu9Fj6B2SeDcBHK37KyxiOmsIY5H1KsX7ijdR1MrLUSIbqODpi
+pN4qFHPR+IzDyAWXs2QdEAEruh33SCzYX1rcVpVQU0buARBlGK+XzxwIXUn/V1Ku
+2bTRl5eKbgvn4bB6V9fxrUvN3g/mdmB/pGLCt9imEqPcVoiApnLbTJ6HIIFT/rNe
+RomqK5iDNG27HjGxofIKbkqhFJ2j/JEBJKpG4DHrVEkup6GTxzAzCHLr6Rkmyp32
+LQUq5yrV6u7e7tV6HoyaEDo6ywafAuBTfh3DAcfMandkpFdujGVniGrj9PJ8Ux4/
+Jxu1pN151uHifMITuVCkmjrS6gfFzCoSzcQV7yjNecvnse5ipCcyo6QJ2yCkwK+f
+u+VcWy5JVw+FOvS44tgGLcsBexPPOtZPxVeZ1GCMVjPawNMjOjmB0jLBA2lmvDJk
+iSumuQINBFiGktYBEACvROrJShVGFXjlldqr+DpTMsN7HBirnM7v6esapd1HGJNB
+QNhK16vGC6NwD7fpOJ5bn0AzE1RPNKZ/CXOEoCne70M4XuzskUlqR74kwvRcxkV1
+WAHN+ABUIOXmfIVQZiQ9bM8FlUFFoW75MXDd8UeaOnMaxOMfYMQn0zCk+0w2o6UH
+KtyTJEQ6L9XfFePaxTqxpWlWgDL50JeLPcqQbF5av851xppPqRrrSMat0E4T5I4h
+W2m96A4KTCXt0TyrcziYSJ1elhiXZpgJ+ZlwEpk3lD32JDjar49gpcx2Nno4qj2i
+Mdx62D2/OxpckLoRNaj25sdgC7JZBzmGGwbuSbE1q5QTwjMInbNccsUmFNECWPBM
+vpJK/RC+/Htz8q373t/45W4d7zXNgQxlAKF99NVhZ1EBD5CSy3Q6qPqdrbdJh3Dl
+VH/KnFl+hLwxsnjV0VhXPJgsg62TzIGDlS/N6N5C62lj9cCW6biek4QULgN1/Ni0
+hedK6aBdzDtpS4CR1s1rca+rgqimrgOtl6qJW3+MSxtiLsDLLDAYsZdhWnuBhUB7
+XIyBBtNir5rFibLNjkdxUF4Ug89U99m8vNOFiTaOBjy3rTvF9XtEqY3qg/KSUf75
+Wwp4ys1LuA7RoKkNET/WXsGiU47eS0dD6DOQmSKrrAIPfqseW9phJD+hbbrPWQAR
+AQABiQI1BBgBCAApBQJYhpLWCRAj7+/pPEz//gIbDAUJHhM4AAQLBwkDBRUICgID
+BBYAAQIAAAsJD/0aaHE3/txaeMU1bfDs0nWIBmSrqhVvHEvyzIzWK30D6Nfmv7bP
+81hILfa2PfxjIgOCHtdA4xtAqV3G2/+7UeWLKlv0tuiZmx8p8mQkA6MsOnuDR4sW
+TQ8Vd0arkTyzlBOwvz/SL8YXDSxWeSAgSSbQ+Ri7XrwwE+BjcWSeKabqmgQ4Hp7L
+bQ0IvQ5f+hBWfLvugCgHI/7PRPhQbpallIdQLE7Qoavl8aDG8AqeN6tBLfjn19RR
+kottbntbUlSG+WoYk2hYiydZGRlKwkNfcsuaaNF0p9pH0HR6RrsknrqxT+l8DaLm
+4BwIMFXjnSuCEPfiJ3kV4bzRRND7iOfokdjJioj4ChrFR6461kDl7zqdkGIqU45q
+Q+aklo0WTFvfiiTrsMXLpIhrCNn8oGST0eM8u3GCfmMFbxhO897NTDYnz1wOMcXu
+MVqJ489aDKKvEV8zLljjUjJiZVDnbq0QE1abzVdmBtJRA3732buBwrzlHL5z4Bca
+Zwe1bQsPHAzyC9EpJn7PtJcdDkfBk1PsGWx9cmPvqvX1Xbm8UoVie0x+wge5SM77
+5JeDdR41lHndWw67Ry59GgQapkOoargTqKyNYMYAxZBqKvdvIhS8jdAt5ldagJpV
+quRCpSq91OAxMG0TFGCBXKjtqzsHk58WtAalk49TvO/0r0inTnfWSORiKQ==
+=jVEm
+-----END PGP PUBLIC KEY BLOCK-----
--- a/packages/nodejs/nodejs.nix
+++ b/packages/nodejs/nodejs.nix
@ -0,0 +1,225 @@
+{ lib, stdenv, fetchurl, openssl, python, zlib, libuv, util-linux, http-parser, bash
+, pkg-config, which, buildPackages
+# for `.pkgs` attribute
+, callPackage
+# Updater dependencies
+, writeScript, coreutils, gnugrep, jq, curl, common-updater-scripts, nix, runtimeShell
+, gnupg
+, darwin, xcbuild
+, procps, icu
+}:
+
+{ enableNpm ? true, version, sha256, patches ? [] } @args:
+
+let
+  inherit (darwin.apple_sdk.frameworks) CoreServices ApplicationServices;
+
+  isCross = stdenv.hostPlatform != stdenv.buildPlatform;
+
+  majorVersion = lib.versions.major version;
+  minorVersion = lib.versions.minor version;
+
+  pname = if enableNpm then "nodejs" else "nodejs-slim";
+
+  useSharedHttpParser = !stdenv.isDarwin && lib.versionOlder "${majorVersion}.${minorVersion}" "11.4";
+
+  sharedLibDeps = { inherit openssl zlib libuv; } // (lib.optionalAttrs useSharedHttpParser { inherit http-parser; });
+
+  sharedConfigureFlags = lib.concatMap (name: [
+    "--shared-${name}"
+    "--shared-${name}-libpath=${lib.getLib sharedLibDeps.${name}}/lib"
+    /** Closure notes: we explicitly avoid specifying --shared-*-includes,
+     *  as that would put the paths into bin/nodejs.
+     *  Including pkg-config in build inputs would also have the same effect!
+     */
+  ]) (builtins.attrNames sharedLibDeps) ++ [
+    "--with-intl=system-icu"
+    "--openssl-use-def-ca-store"
+  ];
+
+  copyLibHeaders =
+    map
+      (name: "${lib.getDev sharedLibDeps.${name}}/include/*")
+      (builtins.attrNames sharedLibDeps);
+
+  extraConfigFlags = lib.optionals (!enableNpm) [ "--without-npm" ];
+  self = stdenv.mkDerivation {
+    inherit pname version;
+
+    src = fetchurl {
+      url = "https://nodejs.org/dist/v${version}/node-v${version}.tar.xz";
+      inherit sha256;
+    };
+
+    strictDeps = true;
+
+    env = lib.optionalAttrs (stdenv.isDarwin && stdenv.isx86_64) {
+      # Make sure libc++ uses `posix_memalign` instead of `aligned_alloc` on x86_64-darwin.
+      # Otherwise, nodejs would require the 11.0 SDK and macOS 10.15+.
+      NIX_CFLAGS_COMPILE = "-D__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__=101300";
+    };
+
+    CC_host = "cc";
+    CXX_host = "c++";
+    depsBuildBuild = [ buildPackages.stdenv.cc openssl libuv zlib icu ];
+
+    # NB: technically, we do not need bash in build inputs since all scripts are
+    # wrappers over the corresponding JS scripts. There are some packages though
+    # that use bash wrappers, e.g. polaris-web.
+    buildInputs = lib.optionals stdenv.isDarwin [ CoreServices ApplicationServices ]
+      ++ [ zlib libuv openssl http-parser icu bash ];
+
+    nativeBuildInputs = [ which pkg-config python ]
+      ++ lib.optionals stdenv.isDarwin [ xcbuild ];
+
+    outputs = [ "out" "libv8" ];
+    setOutputFlags = false;
+    moveToDev = false;
+
+    configureFlags = let
+      inherit (stdenv.hostPlatform) gcc isAarch32;
+    in sharedConfigureFlags ++ lib.optionals (lib.versionOlder version "19") [
+      "--without-dtrace"
+    ] ++ (lib.optionals isCross [
+      "--cross-compiling"
+      "--dest-cpu=${let platform = stdenv.hostPlatform; in
+                    if      platform.isAarch32 then "arm"
+                    else if platform.isAarch64 then "arm64"
+                    else if platform.isMips32 && platform.isLittleEndian then "mipsel"
+                    else if platform.isMips32 && !platform.isLittleEndian then "mips"
+                    else if platform.isMips64 && platform.isLittleEndian then "mips64el"
+                    else if platform.isPower && platform.is32bit then "ppc"
+                    else if platform.isPower && platform.is64bit then "ppc64"
+                    else if platform.isx86_64 then "x86_64"
+                    else if platform.isx86_32 then "x86"
+                    else if platform.isS390 && platform.is64bit then "s390x"
+                    else if platform.isRiscV && platform.is64bit then "riscv64"
+                    else throw "unsupported cpu ${stdenv.hostPlatform.uname.processor}"}"
+    ]) ++ (lib.optionals (isCross && isAarch32 && lib.hasAttr "fpu" gcc) [
+      "--with-arm-fpu=${gcc.fpu}"
+    ]) ++ (lib.optionals (isCross && isAarch32 && lib.hasAttr "float-abi" gcc) [
+      "--with-arm-float-abi=${gcc.float-abi}"
+    ]) ++ extraConfigFlags ++ [ "--without-node-snapshot" ];
+
+    configurePlatforms = [];
+
+    dontDisableStatic = true;
+
+    enableParallelBuilding = true;
+
+    # Don't allow enabling content addressed conversion as `nodejs`
+    # checksums it's image before conversion happens and image loading
+    # breaks:
+    #   $ nix build -f. nodejs --arg config '{ contentAddressedByDefault = true; }'
+    #   $ ./result/bin/node
+    #   Check failed: VerifyChecksum(blob).
+    __contentAddressed = false;
+
+    passthru.interpreterName = "nodejs";
+
+    passthru.pkgs = callPackage ../../node-packages/default.nix {
+      nodejs = self;
+    };
+
+    setupHook = ./setup-hook.sh;
+
+    pos = builtins.unsafeGetAttrPos "version" args;
+
+    inherit patches;
+
+    doCheck = lib.versionAtLeast version "16"; # some tests fail on v14
+
+    # Some dependencies required for tools/doc/node_modules (and therefore
+    # test-addons, jstest and others) target are not included in the tarball.
+    # Run test targets that do not require network access.
+    checkTarget = lib.concatStringsSep " " [
+      "build-js-native-api-tests"
+      "build-node-api-tests"
+      "tooltest"
+      "cctest"
+    ];
+
+    # Do not create __pycache__ when running tests.
+    checkFlags = [ "PYTHONDONTWRITEBYTECODE=1" ];
+
+    postInstall = ''
+      HOST_PATH=$out/bin patchShebangs --host $out
+
+      ${lib.optionalString (enableNpm) ''
+        mkdir -p $out/share/bash-completion/completions
+        ln -s $out/lib/node_modules/npm/lib/utils/completion.sh \
+          $out/share/bash-completion/completions/npm
+        for dir in "$out/lib/node_modules/npm/man/"*; do
+          mkdir -p $out/share/man/$(basename "$dir")
+          for page in "$dir"/*; do
+            ln -rs $page $out/share/man/$(basename "$dir")
+          done
+        done
+      ''}
+
+      # install the missing headers for node-gyp
+      cp -r ${lib.concatStringsSep " " copyLibHeaders} $out/include/node
+
+      # assemble a static v8 library and put it in the 'libv8' output
+      mkdir -p $libv8/lib
+      pushd out/Release/obj.target
+      find . -path "./torque_*/**/*.o" -or -path "./v8*/**/*.o" | sort -u >files
+      ${if stdenv.buildPlatform.isGnu then ''
+        ar -cqs $libv8/lib/libv8.a @files
+      '' else ''
+        # llvm-ar supports response files, so take advantage of it if it’s available.
+        if [ "$(basename $(readlink -f $(command -v ar)))" = "llvm-ar" ]; then
+          ar -cqs $libv8/lib/libv8.a @files
+        else
+          cat files | while read -r file; do
+            ar -cqS $libv8/lib/libv8.a $file
+          done
+        fi
+      ''}
+      popd
+
+      # copy v8 headers
+      cp -r deps/v8/include $libv8/
+
+      # create a pkgconfig file for v8
+      major=$(grep V8_MAJOR_VERSION deps/v8/include/v8-version.h | cut -d ' ' -f 3)
+      minor=$(grep V8_MINOR_VERSION deps/v8/include/v8-version.h | cut -d ' ' -f 3)
+      patch=$(grep V8_PATCH_LEVEL deps/v8/include/v8-version.h | cut -d ' ' -f 3)
+      mkdir -p $libv8/lib/pkgconfig
+      cat > $libv8/lib/pkgconfig/v8.pc << EOF
+      Name: v8
+      Description: V8 JavaScript Engine
+      Version: $major.$minor.$patch
+      Libs: -L$libv8/lib -lv8 -pthread -licui18n -licuuc
+      Cflags: -I$libv8/include
+      EOF
+    '';
+
+    passthru.updateScript = import ./update.nix {
+      inherit writeScript coreutils gnugrep jq curl common-updater-scripts gnupg nix runtimeShell;
+      inherit lib;
+      inherit majorVersion;
+    };
+
+    meta = with lib; {
+      description = "Event-driven I/O framework for the V8 JavaScript engine";
+      homepage = "https://nodejs.org";
+      changelog = "https://github.com/nodejs/node/releases/tag/v${version}";
+      license = licenses.mit;
+      maintainers = with maintainers; [ goibhniu gilligan cko marsam ];
+      platforms = platforms.linux ++ platforms.darwin;
+      mainProgram = "node";
+      knownVulnerabilities = optional (versionOlder version "18") "This NodeJS release has reached its end of life. See https://nodejs.org/en/about/releases/.";
+
+      # Node.js build system does not have separate host and target OS
+      # configurations (architectures are defined as host_arch and target_arch,
+      # but there is no such thing as host_os and target_os).
+      #
+      # We may be missing something here, but it doesn’t look like it is
+      # possible to cross-compile between different operating systems.
+      broken = stdenv.buildPlatform.parsed.kernel.name != stdenv.hostPlatform.parsed.kernel.name;
+    };
+
+    passthru.python = python; # to ensure nodeEnv uses the same version
+  };
+in self
--- a/packages/nodejs/npm-patches.nix
+++ b/packages/nodejs/npm-patches.nix
@ -0,0 +1,23 @@
+{ fetchpatch }:
+
+[
+  # Makes `npm pack` obey `--foreground-scripts`
+  (fetchpatch {
+    name = "libnpmpack-obey-foreground-scripts.patch";
+    url = "https://github.com/npm/cli/commit/e4e8ae20aef9e27e57282e87e8757d5b364abb39.patch";
+    hash = "sha256-NQ8CZBfRqAOMe0Ysg3cq1FiferWKTzXC1QXgzX+f8OU=";
+    stripLen = 2;
+    extraPrefix = "deps/npm/node_modules/";
+    includes = [ "deps/npm/node_modules/libnpmpack/lib/index.js" ];
+  })
+
+  # Makes `npm pack` obey `--ignore-scripts`
+  (fetchpatch {
+    name = "libnpmpack-obey-ignore-scripts.patch";
+    url = "https://github.com/npm/cli/commit/a990c3c9a0e67f0a8b6454213675e159fe49432d.patch";
+    hash = "sha256-eA5YST9RxMMjk5FCwEbl1HQUpXZuwWZkx5WC4yJium8=";
+    stripLen = 2;
+    extraPrefix = "deps/npm/node_modules/";
+    includes = [ "deps/npm/node_modules/libnpmpack/lib/index.js" ];
+  })
+]
--- a/packages/nodejs/revert-arm64-pointer-auth.patch
+++ b/packages/nodejs/revert-arm64-pointer-auth.patch
@ -0,0 +1,13 @@
+Fixes cross compilation to aarch64-linux by reverting
+https://github.com/nodejs/node/pull/43200
+
+--- old/configure.py
+++ new/configure.py
+@@ -1236,7 +1236,6 @@
+ 
+   # Enable branch protection for arm64
+   if target_arch == 'arm64':
+-    o['cflags']+=['-msign-return-address=all']
+     o['variables']['arm_fpu'] = options.arm_fpu or 'neon'
+ 
+   if options.node_snapshot_main is not None:
--- a/packages/nodejs/setup-hook.sh
+++ b/packages/nodejs/setup-hook.sh
@ -0,0 +1,5 @@
+addNodePath () {
+    addToSearchPath NODE_PATH "$1/lib/node_modules"
+}
+
+addEnvHooks "$hostOffset" addNodePath
--- a/packages/nodejs/trap-handler-backport.patch
+++ b/packages/nodejs/trap-handler-backport.patch
@ -0,0 +1,76 @@
+Backport V8_TRAP_HANDLER_SUPPORTED conditional compilation for trap
+handler implementation.
+
+See https://github.com/v8/v8/commit/e7bef8d4cc4f38cc3d5a532fbcc445dc62adc08f
+
+E.g. when cross-compiling from aarch64-linux for x86_64-linux target,
+handler-inside-posix.cc is built on aarch64-linux even though it is not
+supported; see src/trap-handler/trap-handler.h in v8 for (host, target)
+combinations where trap handler is supported.
+
+Note that handler-inside-posix.cc fails to build in the case above.
+
+diff --git a/deps/v8/src/trap-handler/handler-inside-posix.cc b/deps/v8/src/trap-handler/handler-inside-posix.cc
+index e4454c378f..17af3d75dc 100644
+--- a/deps/v8/src/trap-handler/handler-inside-posix.cc
+++ b/deps/v8/src/trap-handler/handler-inside-posix.cc
+@@ -47,6 +47,8 @@ namespace v8 {
+ namespace internal {
+ namespace trap_handler {
+ 
+#if V8_TRAP_HANDLER_SUPPORTED
+
+ #if V8_OS_LINUX
+ #define CONTEXT_REG(reg, REG) &uc->uc_mcontext.gregs[REG_##REG]
+ #elif V8_OS_DARWIN
+@@ -181,6 +183,8 @@ void HandleSignal(int signum, siginfo_t* info, void* context) {
+   // TryHandleSignal modifies context to change where we return to.
+ }
+ 
+#endif
+
+ }  // namespace trap_handler
+ }  // namespace internal
+ }  // namespace v8
+diff --git a/deps/v8/src/trap-handler/handler-inside-win.cc b/deps/v8/src/trap-handler/handler-inside-win.cc
+index fcccc78ee5..3d7a2c416a 100644
+--- a/deps/v8/src/trap-handler/handler-inside-win.cc
+++ b/deps/v8/src/trap-handler/handler-inside-win.cc
+@@ -38,6 +38,8 @@ namespace v8 {
+ namespace internal {
+ namespace trap_handler {
+ 
+#if V8_TRAP_HANDLER_SUPPORTED
+
+ // The below struct needed to access the offset in the Thread Environment Block
+ // to see if the thread local storage for the thread has been allocated yet.
+ //
+@@ -129,6 +131,8 @@ LONG HandleWasmTrap(EXCEPTION_POINTERS* exception) {
+   return EXCEPTION_CONTINUE_SEARCH;
+ }
+ 
+#endif
+
+ }  // namespace trap_handler
+ }  // namespace internal
+ }  // namespace v8
+diff --git a/deps/v8/src/trap-handler/handler-outside-simulator.cc b/deps/v8/src/trap-handler/handler-outside-simulator.cc
+index 179eab0659..5e58719e7f 100644
+--- a/deps/v8/src/trap-handler/handler-outside-simulator.cc
+++ b/deps/v8/src/trap-handler/handler-outside-simulator.cc
+@@ -4,6 +4,9 @@
+ 
+ #include "include/v8config.h"
+ #include "src/trap-handler/trap-handler-simulator.h"
+#include "src/trap-handler/trap-handler.h"
+
+#if V8_TRAP_HANDLER_SUPPORTED
+ 
+ #if V8_OS_DARWIN
+ #define SYMBOL(name) "_" #name
+@@ -35,3 +38,5 @@ asm(
+     SYMBOL(v8_probe_memory_continuation) ":         \n"
+     // If the trap handler continues here, it wrote the landing pad in %rax.
+     "  ret                                          \n");
+
+#endif
--- a/packages/nodejs/update-keyring
+++ b/packages/nodejs/update-keyring
@ -0,0 +1,18 @@
+#!/usr/bin/env nix-shell
+#! nix-shell --pure -i bash -p coreutils findutils gnupg curl
+
+# https://github.com/nodejs/node#release-team
+HOME=`mktemp -d`
+keyserver="pool.sks-keyservers.net"
+cat << EOF | xargs -P 4 -n 1 gpg --keyserver $keyserver --recv-keys
+94AE36675C464D64BAFA68DD7434390BDBE9B9C5
+FD3A5288F042B6850C66B31F09FE44734EB7990E
+71DCFD284A79C3B38668286BC97EC7A07EDE3FC1
+DD8F2338BAE7501E3DD5AC78C273792F7D83545D
+C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8
+B9AE9905FFD7803F25714661B63B535A4C206CA9
+56730D5401028683275BD23C23EFEFE93C4CFFFE
+77984A986EBC2AA786BC0F66B01FBB92821C587A
+EOF
+
+gpg -a --export > nodejs-release-keys.asc
--- a/packages/nodejs/update.nix
+++ b/packages/nodejs/update.nix
@ -0,0 +1,29 @@
+{ lib
+, writeScript
+, coreutils
+, curl
+, gnugrep
+, jq
+, gnupg
+, common-updater-scripts
+, majorVersion
+, nix
+, runtimeShell
+}:
+
+writeScript "update-nodejs" ''
+  #!${runtimeShell}
+  PATH=${lib.makeBinPath [ common-updater-scripts coreutils curl gnugrep jq gnupg nix ]}
+
+  HOME=`mktemp -d`
+  cat ${./nodejs-release-keys.asc} | gpg --import
+
+  tags=`curl --silent https://api.github.com/repos/nodejs/node/git/refs/tags`
+  version=`echo $tags | jq -r '.[] | select(.ref | startswith("refs/tags/v${majorVersion}")) | .ref' | sort --version-sort  | tail -1 | grep -oP "^refs/tags/v\K.*"`
+
+  curl --silent -o $HOME/SHASUMS256.txt.asc https://nodejs.org/dist/v''${version}/SHASUMS256.txt.asc
+  hash_hex=`gpgv --keyring=$HOME/.gnupg/pubring.kbx --output - $HOME/SHASUMS256.txt.asc | grep -oP "^([0-9a-f]{64})(?=\s+node-v''${version}.tar.xz$)"`
+  hash=`nix-hash --type sha256 --to-base32 ''${hash_hex}`
+
+  update-source-version nodejs-${majorVersion}_x "''${version}" "''${hash}"
+''
--- a/packages/nodejs/v18.nix
+++ b/packages/nodejs/v18.nix
@ -0,0 +1,32 @@
+{ callPackage, lib, overrideCC, pkgs, buildPackages, fetchpatch, openssl, python3, enableNpm ? true }:
+
+let
+  # Clang 16+ cannot build Node v18 due to -Wenum-constexpr-conversion errors.
+  # Use an older version of clang with the current libc++ for compatibility (e.g., with icu).
+  ensureCompatibleCC = packages:
+    if packages.stdenv.cc.isClang && lib.versionAtLeast (lib.getVersion packages.stdenv.cc.cc) "16"
+      then overrideCC packages.llvmPackages_15.stdenv (packages.llvmPackages_15.stdenv.cc.override {
+        inherit (packages.llvmPackages) libcxx;
+        extraPackages = [ packages.llvmPackages.libcxxabi ];
+      })
+      else packages.stdenv;
+
+  buildNodejs = callPackage ./nodejs.nix {
+    inherit openssl;
+    stdenv = ensureCompatibleCC pkgs;
+    buildPackages = buildPackages // { stdenv = ensureCompatibleCC buildPackages; };
+    python = python3;
+  };
+in
+buildNodejs {
+  inherit enableNpm;
+  version = "18.18.2";
+  sha256 = "sha256-ckni8K+UPsOFmVBPSyor0x+5OHhykbbMymyLrfAeO1Y=";
+  patches = [
+    ./disable-darwin-v8-system-instrumentation.patch
+    ./bypass-darwin-xcrun-node16.patch
+    ./revert-arm64-pointer-auth.patch
+    ./node-npm-build-npm-package-logic.patch
+    ./trap-handler-backport.patch
+  ];
+}
--- a/packages/nodejs/v20.nix
+++ b/packages/nodejs/v20.nix
@ -0,0 +1,19 @@
+{ callPackage, openssl, python3, enableNpm ? true }:
+
+let
+  buildNodejs = callPackage ./nodejs.nix {
+    inherit openssl;
+    python = python3;
+  };
+in
+buildNodejs {
+  inherit enableNpm;
+  version = "20.9.0";
+  sha256 = "sha256-oj2WgQq/BFVCazSdR85TEPMwlbe8BXG5zFEPSBw6RRk=";
+  patches = [
+    ./revert-arm64-pointer-auth.patch
+    ./disable-darwin-v8-system-instrumentation-node19.patch
+    ./bypass-darwin-xcrun-node16.patch
+    ./node-npm-build-npm-package-logic.patch
+  ];
+}
--- a/packages/nodejs/v21.nix
+++ b/packages/nodejs/v21.nix
@ -0,0 +1,19 @@
+{ callPackage, openssl, python3, enableNpm ? true }:
+
+let
+  buildNodejs = callPackage ./nodejs.nix {
+    inherit openssl;
+    python = python3;
+  };
+in
+buildNodejs {
+  inherit enableNpm;
+  version = "21.2.0";
+  sha256 = "sha256-1Xyc6jlHZPodmvUeUsdEn3EZPp1ExKgfvt7GU+yCdwc=";
+  patches = [
+    ./revert-arm64-pointer-auth.patch
+    ./disable-darwin-v8-system-instrumentation-node19.patch
+    ./bypass-darwin-xcrun-node16.patch
+    ./node-npm-build-npm-package-logic.patch
+  ];
+}
--- a/packages/protobufc/default.nix
+++ b/packages/protobufc/default.nix
@ -0,0 +1,38 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, autoreconfHook
+, pkg-config
+, protobuf
+, zlib
+, buildPackages
+}:
+
+stdenv.mkDerivation rec {
+  pname = "protobuf-c";
+  version = "1.5.0";
+
+  src = fetchFromGitHub {
+    owner = "protobuf-c";
+    repo = "protobuf-c";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-Dkpcc7ZfvAIVY91trRiHuiRFcUGUbQxbheYKTBcq80I=";
+  };
+
+  outputs = [ "out" "dev" "lib" ];
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  buildInputs = [ protobuf zlib ];
+
+  PROTOC = lib.getExe buildPackages.protobuf;
+
+  meta = with lib; {
+    homepage = "https://github.com/protobuf-c/protobuf-c/";
+    description = "C bindings for Google's Protocol Buffers";
+    license = licenses.bsd2;
+    platforms = platforms.all;
+    maintainers = with maintainers; [ nickcao ];
+  };
+}
--- a/packages/restart-aesmd/default.nix
+++ b/packages/restart-aesmd/default.nix
@ -0,0 +1,10 @@
+{ pkgs
+, lib
+, nixsgx
+, ...
+}:
+pkgs.writeShellScriptBin "restart-aesmd" ''
+  ${pkgs.coreutils}/bin/mkdir -p /var/run/aesmd
+  ${pkgs.killall}/bin/killall -q aesm_service
+  exec ${nixsgx.sgx-psw}/bin/aesm_service --no-syslog
+''
--- a/packages/sgx-dcap/SGXDataCenterAttestationPrimitives-parallel-make.patch
+++ b/packages/sgx-dcap/SGXDataCenterAttestationPrimitives-parallel-make.patch
@ -0,0 +1,26 @@
+diff --git a/Makefile b/Makefile
+index 344d08e..edd287a 100644
+--- a/Makefile
+++ b/Makefile
+@@ -48,7 +48,7 @@ PCKRetrievalTool: QuoteGeneration
+ 	$(MAKE) -C tools/PCKRetrievalTool
+ 
+ SGXPlatformRegistration:
+-	$(MAKE) -C tools/SGXPlatformRegistration
+	$(MAKE) -j1 -C tools/SGXPlatformRegistration
+ 
+ WinPle:
+ 	$(MAKE) -C driver/win/PLE
+diff --git a/tools/PCKCertSelection/Makefile b/tools/PCKCertSelection/Makefile
+index c1115fe..fbdfa06 100644
+--- a/tools/PCKCertSelection/Makefile
+++ b/tools/PCKCertSelection/Makefile
+@@ -82,7 +82,7 @@ $(PROJECTS): $(BIN_DIR)
+ $(BIN_DIR):
+ 	$(PCKCERTSEL_VERBOSE)mkdir -p $@
+ 
+-$(ZIPFILE):
+$(ZIPFILE): $(PROJECTS)
+ 	bash pack.sh
+ 	$(PCKCERTSEL_VERBOSE)echo "$@ : done"
+ 	$(PCKCERTSEL_VERBOSE)echo
--- a/packages/sgx-dcap/SGXDataCenterAttestationPrimitives-tarball-repro.patch
+++ b/packages/sgx-dcap/SGXDataCenterAttestationPrimitives-tarball-repro.patch
@ -0,0 +1,191 @@
+diff --git a/QuoteGeneration/installer/linux/common/libsgx-ae-id-enclave/createTarball.sh b/QuoteGeneration/installer/linux/common/libsgx-ae-id-enclave/createTarball.sh
+index 1ee6355..249e37e 100755
+--- a/QuoteGeneration/installer/linux/common/libsgx-ae-id-enclave/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/libsgx-ae-id-enclave/createTarball.sh
+@@ -58,6 +58,6 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+ SGX_VERSION=$(awk '/IDE_VERSION/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+
+diff --git a/QuoteGeneration/installer/linux/common/libsgx-ae-qe3/createTarball.sh b/QuoteGeneration/installer/linux/common/libsgx-ae-qe3/createTarball.sh
+index 2ac7592..e525128 100755
+--- a/QuoteGeneration/installer/linux/common/libsgx-ae-qe3/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/libsgx-ae-qe3/createTarball.sh
+@@ -58,5 +58,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+ SGX_VERSION=$(awk '/QE3_VERSION/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/QuoteGeneration/installer/linux/common/libsgx-ae-qve/createTarball.sh b/QuoteGeneration/installer/linux/common/libsgx-ae-qve/createTarball.sh
+index 294706f..b86e17c 100755
+--- a/QuoteGeneration/installer/linux/common/libsgx-ae-qve/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/libsgx-ae-qve/createTarball.sh
+@@ -58,5 +58,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+ SGX_VERSION=$(awk '/QVE_VERSION/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/QuoteGeneration/installer/linux/common/libsgx-ae-tdqe/createTarball.sh b/QuoteGeneration/installer/linux/common/libsgx-ae-tdqe/createTarball.sh
+index 9f5e4df..48ee554 100755
+--- a/QuoteGeneration/installer/linux/common/libsgx-ae-tdqe/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/libsgx-ae-tdqe/createTarball.sh
+@@ -58,5 +58,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+ SGX_VERSION=$(awk '/TDQE_VERSION/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/QuoteGeneration/installer/linux/common/libsgx-dcap-default-qpl/createTarball.sh b/QuoteGeneration/installer/linux/common/libsgx-dcap-default-qpl/createTarball.sh
+index ad7de91..80940ee 100755
+--- a/QuoteGeneration/installer/linux/common/libsgx-dcap-default-qpl/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/libsgx-dcap-default-qpl/createTarball.sh
+@@ -59,6 +59,6 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+ SGX_VERSION=$(awk '/DEFAULT_QPL_VERSION/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+
+diff --git a/QuoteGeneration/installer/linux/common/libsgx-dcap-ql/createTarball.sh b/QuoteGeneration/installer/linux/common/libsgx-dcap-ql/createTarball.sh
+index f60411f..0c5cba6 100755
+--- a/QuoteGeneration/installer/linux/common/libsgx-dcap-ql/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/libsgx-dcap-ql/createTarball.sh
+@@ -61,5 +61,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+ SGX_VERSION=$(awk '/QUOTE_LOADER_VERSION/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/QuoteGeneration/installer/linux/common/libsgx-dcap-quote-verify/createTarball.sh b/QuoteGeneration/installer/linux/common/libsgx-dcap-quote-verify/createTarball.sh
+index 1e67891..af616d8 100755
+--- a/QuoteGeneration/installer/linux/common/libsgx-dcap-quote-verify/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/libsgx-dcap-quote-verify/createTarball.sh
+@@ -62,5 +62,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+ SGX_VERSION=$(awk '/QUOTE_VERIFIER_VERSION/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/QuoteGeneration/installer/linux/common/libsgx-pce-logic/createTarball.sh b/QuoteGeneration/installer/linux/common/libsgx-pce-logic/createTarball.sh
+index ebb1239..1073bd9 100755
+--- a/QuoteGeneration/installer/linux/common/libsgx-pce-logic/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/libsgx-pce-logic/createTarball.sh
+@@ -58,5 +58,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+ SGX_VERSION=$(awk '/PCE_WRAPPER_VERSION/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/QuoteGeneration/installer/linux/common/libsgx-qe3-logic/createTarball.sh b/QuoteGeneration/installer/linux/common/libsgx-qe3-logic/createTarball.sh
+index c6271d3..417cb70 100755
+--- a/QuoteGeneration/installer/linux/common/libsgx-qe3-logic/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/libsgx-qe3-logic/createTarball.sh
+@@ -56,5 +56,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+
+ # Create the tarball
+ pushd ${INSTALL_PATH} &> /dev/null
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/QuoteGeneration/installer/linux/common/libsgx-tdx-logic/createTarball.sh b/QuoteGeneration/installer/linux/common/libsgx-tdx-logic/createTarball.sh
+index 80dff97..04738c3 100755
+--- a/QuoteGeneration/installer/linux/common/libsgx-tdx-logic/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/libsgx-tdx-logic/createTarball.sh
+@@ -59,5 +59,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+ SGX_VERSION=$(awk '/TDQE_WRAPPER_VERSION/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/QuoteGeneration/installer/linux/common/libtdx-attest/createTarball.sh b/QuoteGeneration/installer/linux/common/libtdx-attest/createTarball.sh
+index 4e53085..7047a49 100755
+--- a/QuoteGeneration/installer/linux/common/libtdx-attest/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/libtdx-attest/createTarball.sh
+@@ -61,5 +61,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+ SGX_VERSION=$(awk '/STRFILEVER/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh b/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh
+index fa3286e..cacf5a3 100755
+--- a/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh
+@@ -57,5 +57,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+
+ # Create the tarball
+ pushd ${INSTALL_PATH} &> /dev/null
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/QuoteGeneration/installer/linux/common/tdx-qgs/createTarball.sh b/QuoteGeneration/installer/linux/common/tdx-qgs/createTarball.sh
+index 6797401..0f59abf 100755
+--- a/QuoteGeneration/installer/linux/common/tdx-qgs/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/tdx-qgs/createTarball.sh
+@@ -55,5 +55,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=BOMs/tdx-qgs-package.txt --cleanup=fals
+
+ # Create the tarball
+ pushd ${INSTALL_PATH} &> /dev/null
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/createTarball.sh b/tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/createTarball.sh
+index f09f0d8..60a3796 100755
+--- a/tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/createTarball.sh
+++ b/tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/createTarball.sh
+@@ -56,5 +56,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=BOMs/pck-id-retrieval-tool-package.txt
+
+ # Create the tarball
+ pushd ${INSTALL_PATH} &> /dev/null
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+diff --git a/tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-network/createTarball.sh b/tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-network/createTarball.sh
+index f0109c5..64a8523 100755
+--- a/tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-network/createTarball.sh
+++ b/tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-network/createTarball.sh
+@@ -59,6 +59,6 @@ python ${SCRIPT_DIR}/gen_source.py --bom=BOMs/../../licenses/BOM_license.txt --c
+ RA_VERSION=$(awk '/STRFILEVER/ {print $3}' ${ROOT_DIR}/../../QuoteGeneration/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${RA_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+
+diff --git a/tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-uefi/createTarball.sh b/tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-uefi/createTarball.sh
+index d62f397..73854a1 100755
+--- a/tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-uefi/createTarball.sh
+++ b/tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-uefi/createTarball.sh
+@@ -59,6 +59,6 @@ python ${SCRIPT_DIR}/gen_source.py --bom=BOMs/../../licenses/BOM_license.txt --c
+ RA_VERSION=$(awk '/STRFILEVER/ {print $3}' ${ROOT_DIR}/../../QuoteGeneration/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/')
+ pushd ${INSTALL_PATH} &> /dev/null
+ sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${RA_VERSION}/" Makefile
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
+
+diff --git a/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/createTarball.sh b/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/createTarball.sh
+index de7e205..a18b930 100755
+--- a/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/createTarball.sh
+++ b/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/createTarball.sh
+@@ -57,5 +57,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
+
+ # Create the tarball
+ pushd ${INSTALL_PATH} &> /dev/null
+-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
+ popd &> /dev/null
--- a/packages/sgx-dcap/default.nix
+++ b/packages/sgx-dcap/default.nix
@ -0,0 +1,217 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchurl
+, cmake
+, boost
+, python3
+, openssl
+, which
+, wget
+, curl
+, zip
+, nixsgx
+,
+}:
+
+let inherit (lib) optional; in
+
+let
+  self = stdenv.mkDerivation rec {
+    pname = "sgx-dcap";
+    version = "1.20";
+
+    postUnpack =
+      let
+        dcap = rec {
+          filename = "prebuilt_dcap_${version}.tar.gz";
+          prebuilt = fetchurl {
+            url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
+            hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o=";
+          };
+        };
+      in
+      ''
+        # Make sure we use the correct version of prebuilt DCAP
+        grep -q 'ae_file_name=${dcap.filename}' "$sourceRoot/QuoteGeneration/download_prebuilt.sh" \
+          || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in dcap source" >&2 && grep 'ae_file_name' "$sourceRoot/QuoteGeneration/download_prebuilt.sh"  && exit 1)
+
+        tar -zxf ${dcap.prebuilt} -C $sourceRoot/QuoteGeneration/
+      '';
+
+    src = fetchFromGitHub {
+      owner = "intel";
+      repo = "SGXDataCenterAttestationPrimitives";
+      rev = "DCAP_${version}";
+      hash = "sha256-gNQzV6wpoQUZ3x/RqvFLwak4HhDOiJC5mW0okGx3UGA=";
+      fetchSubmodules = true;
+    };
+
+    outputs = [
+      "out"
+      "dev"
+      "ae_id_enclave"
+      "ae_qe3"
+      "ae_qve"
+      "ae_tdqe"
+      "pce_logic"
+      "qe3_logic"
+      "default_qpl"
+      "ql"
+      "quote_verify"
+      "ra_network"
+      "ra_uefi"
+      "tdx_logic"
+      "libtdx_attest"
+    ];
+
+    patches = [
+      ./SGXDataCenterAttestationPrimitives-tarball-repro.patch
+      ./SGXDataCenterAttestationPrimitives-parallel-make.patch
+    ];
+
+    postPatch = ''
+      patchShebangs --build $(find . -name '*.sh')
+    '';
+
+    preBuild = ''
+      makeFlagsArray+=(SGX_SDK="${nixsgx.sgx-sdk}" SGXSSL_PACKAGE_PATH="${nixsgx.sgx-ssl}")
+    '';
+
+    # sigh... Intel!
+    enableParallelBuilding = true;
+    dontUseCmakeConfigure = true;
+
+    # setOutputFlags = false;
+    # moveToDev = false;
+
+    # sigh... Intel!
+    installPhase = ''
+      # set -x
+      set -e
+      runHook preInstall
+
+      # sigh... Intel!
+      mkdir -p QuoteGeneration/pccs/lib/
+      cp tools/PCKCertSelection/out/libPCKCertSelection.so QuoteGeneration/pccs/lib/
+
+      mkdir -p "$out"
+
+      dcap_pkgdirs=(
+          ./QuoteGeneration/installer/linux/common/libsgx-ae-id-enclave
+          ./QuoteGeneration/installer/linux/common/libsgx-ae-qe3
+          ./QuoteGeneration/installer/linux/common/libsgx-ae-qve
+          ./QuoteGeneration/installer/linux/common/libsgx-ae-tdqe
+          ./QuoteGeneration/installer/linux/common/libsgx-dcap-default-qpl
+          ./QuoteGeneration/installer/linux/common/libsgx-dcap-ql
+          ./QuoteGeneration/installer/linux/common/libsgx-dcap-quote-verify
+          ./QuoteGeneration/installer/linux/common/libsgx-pce-logic
+          ./QuoteGeneration/installer/linux/common/libsgx-qe3-logic
+          ./QuoteGeneration/installer/linux/common/libsgx-tdx-logic
+          ./QuoteGeneration/installer/linux/common/libtdx-attest
+          ./tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-network
+          ./tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-uefi
+          #./QuoteGeneration/installer/linux/common/sgx-dcap-pccs
+      )
+
+      for src in ''${dcap_pkgdirs[@]}; do
+          dst="$out/$src"
+          echo "Processing $src"
+          "$src"/createTarball.sh
+          mkdir -p "$dst"
+          make DESTDIR="$dst/output" -C "$src"/output install
+      done
+
+      dcap_map=(
+          QuoteGeneration/installer/linux/common/libsgx-ae-id-enclave/output
+          "$ae_id_enclave"
+          QuoteGeneration/installer/linux/common/libsgx-ae-qe3/output
+          "$ae_qe3"
+          QuoteGeneration/installer/linux/common/libsgx-ae-qve/output
+          "$ae_qve"
+          QuoteGeneration/installer/linux/common/libsgx-ae-tdqe/output
+          "$ae_tdqe"
+          QuoteGeneration/installer/linux/common/libsgx-pce-logic/output
+          "$pce_logic"
+          QuoteGeneration/installer/linux/common/libsgx-qe3-logic/output
+          "$qe3_logic"
+          QuoteGeneration/installer/linux/common/libsgx-dcap-default-qpl/output/libsgx-dcap-default-qpl
+          "$default_qpl"
+          QuoteGeneration/installer/linux/common/libsgx-dcap-ql/output/libsgx-dcap-ql
+          "$ql"
+          QuoteGeneration/installer/linux/common/libsgx-dcap-quote-verify/output/libsgx-dcap-quote-verify
+          "$quote_verify"
+          QuoteGeneration/installer/linux/common/libsgx-tdx-logic/output/libsgx-tdx-logic
+          "$tdx_logic"
+          QuoteGeneration/installer/linux/common/libtdx-attest/output/libtdx-attest
+          "$libtdx_attest"
+          tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-network/output/libsgx-ra-network
+          "$ra_network"
+          tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-uefi/output/libsgx-ra-uefi
+          "$ra_uefi"
+          #QuoteGeneration/installer/linux/common/sgx-dcap-pccs/output
+          #"$pccs"
+          #    sgx-pck-id-retrieval-tool
+          #    sgx-ra-service
+          #    tdx-qgs
+      )
+
+      for ((i = 0 ; i < ''${#dcap_map[@]} ; i+=2 )); do
+          src="''${dcap_map[i]}"
+          dst="''${dcap_map[i+1]}"
+
+          echo "Processing $src"
+
+          mkdir -p "$dst"
+
+          moveToOutput "$src" "$dst"
+          moveToOutput "$src-dev" "$dst"
+
+          mv "$dst"/$src/* "$dst"/
+
+          if [[ -d "$dst"/$src-dev ]]; then
+            cp -a "$dst"/$src-dev/. "$dst"/
+          fi
+
+          if [[ -d "$dst"/usr ]]; then
+            cp -a "$dst"/usr/. "$dst"/
+            rm -fr "$dst"/usr
+          fi
+
+          [[ -d "$dst"/lib64 ]] && mv "$dst"/lib64 "$dst"/lib
+          [[ -d "$dst"/opt ]] && rm -fr "$dst"/opt
+
+          rm -fr "$dst/''${src%%/*}"
+      done
+
+      mkdir -p "$out"/share/doc
+      echo Hello > "$out"/share/doc/README.md
+
+      runHook postInstall
+    '';
+
+    nativeBuildInputs = [
+      nixsgx.sgx-sdk
+      cmake
+      openssl
+      python3
+      boost
+      curl
+      which
+      wget
+      zip
+    ];
+
+    doCheck = false;
+
+    dontDisableStatic = false;
+
+    meta = with lib; {
+      description = "Intel(R) Software Guard Extensions Data Center Attestation Primitives";
+      homepage = "https://github.com/intel/SGXDataCenterAttestationPrimitives";
+      platforms = [ "x86_64-linux" ];
+      license = with licenses; [ bsd3 ];
+    };
+  };
+in
+self
--- a/packages/sgx-psw/default.nix
+++ b/packages/sgx-psw/default.nix
@ -0,0 +1,188 @@
+{ stdenv
+, lib
+, fetchurl
+, cmake
+, coreutils
+, curl
+, file
+, makeWrapper
+, nixosTests
+, protobuf
+, python3
+, nixsgx
+, which
+, debug ? false
+}:
+stdenv.mkDerivation rec {
+  inherit (nixsgx.sgx-sdk) version versionTag src patches;
+  pname = "sgx-psw";
+
+  postUnpack =
+    let
+      # Fetch the pre-built, Intel-signed Architectural Enclaves (AE). They help
+      # run user application enclaves, verify launch policies, produce remote
+      # attestation quotes, and do platform certification.
+      ae.prebuilt = fetchurl {
+        url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
+        hash = "sha256-IGV9VEwY/cQBV4Vz2sps4JgRweWRl/l08ocb9P4SH8Q=";
+      };
+      # Also include the Data Center Attestation Primitives (DCAP) platform
+      # enclaves.
+      dcap = rec {
+        version = "1.20";
+        filename = "prebuilt_dcap_${version}.tar.gz";
+        prebuilt = fetchurl {
+          url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
+          hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o=";
+        };
+      };
+    in
+    nixsgx.sgx-sdk.postUnpack + ''
+      # Make sure we use the correct version of prebuilt DCAP
+      grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
+        || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
+
+      tar -zxf ${ae.prebuilt}   -C $sourceRoot/
+      tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
+    '';
+
+  nativeBuildInputs = [
+    cmake
+    file
+    makeWrapper
+    python3
+    nixsgx.sgx-sdk
+    which
+  ];
+
+  buildInputs = [
+    curl
+    protobuf
+  ];
+
+  hardeningDisable = [
+    # causes redefinition of _FORTIFY_SOURCE
+    "fortify3"
+  ] ++ lib.optionals debug [
+    "fortify"
+  ];
+
+  postPatch = ''
+    patchShebangs \
+      linux/installer/bin/build-installpkg.sh \
+      linux/installer/common/psw/createTarball.sh \
+      linux/installer/common/psw/install.sh
+  '';
+
+  dontUseCmakeConfigure = true;
+
+  buildFlags = [
+    "psw_install_pkg"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  installFlags = [
+    "-C linux/installer/common/psw/output"
+    "DESTDIR=$(TMPDIR)/install"
+  ];
+
+  postInstall = ''
+    installDir=$TMPDIR/install
+    sgxPswDir=$installDir/opt/intel/sgxpsw
+
+    mv $installDir/usr/lib64/ $out/lib/
+    ln -sr $out/lib $out/lib64
+
+    # Install udev rules to lib/udev/rules.d
+    mv $sgxPswDir/udev/ $out/lib/
+
+    # Install example AESM config
+    mkdir $out/etc/
+    mv $sgxPswDir/aesm/conf/aesmd.conf $out/etc/
+    rmdir $sgxPswDir/aesm/conf/
+
+    # Delete init service
+    rm $sgxPswDir/aesm/aesmd.conf
+
+    # Move systemd services
+    mkdir -p $out/lib/systemd/system/
+    mv $sgxPswDir/aesm/aesmd.service $out/lib/systemd/system/
+    mv $sgxPswDir/remount-dev-exec.service $out/lib/systemd/system/
+
+    # Move misc files
+    mkdir $out/share/
+    mv $sgxPswDir/licenses $out/share/
+
+    # Remove unnecessary files
+    rm $sgxPswDir/{cleanup.sh,startup.sh}
+    rm -r $sgxPswDir/scripts
+
+    # Move aesmd binaries/libraries/enclaves
+    mv $sgxPswDir/aesm/ $out/
+
+    # We absolutely MUST avoid stripping or patching these ".signed.so" SGX
+    # enclaves. Stripping would change each enclave measurement (hash of the
+    # binary).
+    #
+    # We're going to temporarily move these enclave libs to another directory
+    # until after stripping/patching in the fixupPhase.
+    mkdir $TMPDIR/enclaves
+    mv $out/aesm/*.signed.so* $TMPDIR/enclaves
+
+    mkdir $out/bin
+    makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
+      --suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
+      --chdir "$out/aesm"
+
+    # Make sure we didn't forget to handle any files
+    rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
+  '';
+
+  stripDebugList = [
+    "lib"
+    "bin"
+    # Also strip binaries/libs in the `aesm` directory
+    "aesm"
+  ];
+
+  postFixup = ''
+    # Move the SGX enclaves back after everything else has been stripped.
+    mv $TMPDIR/enclaves/*.signed.so* $out/aesm/
+    rmdir $TMPDIR/enclaves
+
+    # Fixup the aesmd systemd service
+    #
+    # Most—if not all—of those fixups are not relevant for NixOS as we have our own
+    # NixOS module which is based on those files without relying on them. Still, it
+    # is helpful to have properly patched versions for non-NixOS distributions.
+    echo "Fixing aesmd.service"
+    substituteInPlace $out/lib/systemd/system/aesmd.service \
+      --replace '@aesm_folder@' \
+                "$out/aesm" \
+      --replace 'Type=forking' \
+                'Type=simple' \
+      --replace "ExecStart=$out/aesm/aesm_service" \
+                "ExecStart=$out/bin/aesm_service --no-daemon"\
+      --replace "/bin/mkdir" \
+                "${coreutils}/bin/mkdir" \
+      --replace "/bin/chown" \
+                "${coreutils}/bin/chown" \
+      --replace "/bin/chmod" \
+                "${coreutils}/bin/chmod" \
+      --replace "/bin/kill" \
+                "${coreutils}/bin/kill"
+  '';
+
+  passthru.tests = {
+    service = nixosTests.aesmd;
+  };
+
+  meta = with lib; {
+    description = "Intel SGX Architectural Enclave Service Manager";
+    homepage = "https://github.com/intel/linux-sgx";
+    maintainers = with maintainers; [ phlip9 veehaitch citadelcore ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 ];
+  };
+}
--- a/packages/sgx-sdk/CppMicroServices-no-mtime.patch
+++ b/packages/sgx-sdk/CppMicroServices-no-mtime.patch
@ -0,0 +1,26 @@
+diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+index aee499e9..13fa89d4 100644
+--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
+                    const_cast<mz_zip_archive*>(&m_ZipArchive), index)
+                    ? true
+                    : false;
+-    stat.modifiedTime = zipStat.m_time;
+    stat.modifiedTime = 0;
+     stat.crc32 = zipStat.m_crc32;
+     // This will limit the size info from uint64 to uint32 on 32-bit
+     // architectures. We don't care because we assume resources > 2GB
+diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
+index 6b0ebd7a..fa2aebca 100644
+--- a/external/CppMicroServices/third_party/miniz.c
+++ b/external/CppMicroServices/third_party/miniz.c
+@@ -170,7 +170,7 @@
+ // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
+ // get/set file times, and the C run-time funcs that get/set times won't be called.
+ // The current downside is the times written to your archives will be from 1979.
+-//#define MINIZ_NO_TIME
+#define MINIZ_NO_TIME
+ 
+ // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
+ //#define MINIZ_NO_ARCHIVE_APIS
--- a/packages/sgx-sdk/aesm-cxx-standard.patch
+++ b/packages/sgx-sdk/aesm-cxx-standard.patch
@ -0,0 +1,13 @@
+diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt
+index ffc1bee7..5c61e9f1 100644
+--- a/psw/ae/aesm_service/source/CMakeLists.txt
+++ b/psw/ae/aesm_service/source/CMakeLists.txt
+@@ -64,7 +64,7 @@ if(SGX_DISABLE_PSE)
+ endif()
+ 
+ set(CMAKE_CXX_STANDARD_REQUIRED 1)
+-set(CMAKE_CXX_STANDARD 11)
+set(CMAKE_CXX_STANDARD 17)
+ set(CMAKE_SKIP_BUILD_RPATH true)
+ 
+ ########## SGX SDK Settings ##########
--- a/packages/sgx-sdk/default.nix
+++ b/packages/sgx-sdk/default.nix
@ -0,0 +1,290 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoconf
+, automake
+, binutils
+, callPackage
+, cmake
+, file
+, gdb
+, git
+, libtool
+, linkFarmFromDrvs
+, ocaml
+, ocamlPackages
+, openssl
+, perl
+, python3
+, texinfo
+, validatePkgConfig
+, writeShellApplication
+, writeShellScript
+, writeText
+, debug ? false
+}:
+stdenv.mkDerivation rec {
+  pname = "sgx-sdk";
+  # Version as given in se_version.h
+  version = "2.23.100.2";
+  # Version as used in the Git tag
+  versionTag = "2.23";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "linux-sgx";
+    rev = "sgx_${versionTag}";
+    hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I=";
+    fetchSubmodules = true;
+  };
+
+  postUnpack = ''
+    # Make sure this is the right version of linux-sgx
+    grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
+      || (echo "Could not find expected version ${version} in linux-sgx source" >&2 && exit 1)
+  '';
+
+  patches = [
+    # no timestamp in mini zip archives
+    ./CppMicroServices-no-mtime.patch
+    # Set the CXX standard for nix builds of sgx-psw
+    ./aesm-cxx-standard.patch
+    # There's a `make preparation` step that downloads some prebuilt binaries
+    # and applies some patches to the in-repo git submodules. This patch removes
+    # the parts that download things, since we can't do that inside the sandbox.
+    ./disable-downloads.patch
+  ];
+
+  postPatch = ''
+    patchShebangs linux/installer/bin/build-installpkg.sh \
+      linux/installer/common/sdk/createTarball.sh \
+      linux/installer/common/sdk/install.sh \
+      external/sgx-emm/create_symlink.sh
+
+    make preparation
+  '';
+
+  # We need `cmake` as a build input but don't use it to kick off the build phase
+  dontUseCmakeConfigure = true;
+
+  # SDK built with stackprotector produces broken enclaves which crash at runtime.
+  # Disable all to be safe, SDK build configures compiler mitigations manually.
+  hardeningDisable = [ "all" ];
+
+  nativeBuildInputs = [
+    autoconf
+    automake
+    cmake
+    file
+    git
+    ocaml
+    ocamlPackages.ocamlbuild
+    perl
+    python3
+    texinfo
+    validatePkgConfig
+  ];
+
+  buildInputs = [
+    libtool
+    openssl
+  ];
+
+  BINUTILS_DIR = "${binutils}/bin";
+
+  # Build external/ippcp_internal first. The Makefile is rewritten to make the
+  # build faster by splitting different versions of ipp-crypto builds and to
+  # avoid patching the Makefile for reproducibility issues.
+  preBuild =
+    let
+      ipp-crypto-no_mitigation = callPackage ./ipp-crypto.nix { };
+
+      sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";
+
+      nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
+      ipp-crypto-cve_2020_0551_load = callPackage ./ipp-crypto.nix {
+        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
+      };
+
+      nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
+      ipp-crypto-cve_2020_0551_cf = callPackage ./ipp-crypto.nix {
+        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
+      };
+    in
+    ''
+      echo "Setting up IPP crypto build artifacts"
+
+      pushd 'external/ippcp_internal'
+
+      cp -r ${ipp-crypto-no_mitigation}/include/. inc/
+
+      install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
+        lib/linux/intel64/no_mitigation/libippcp.a
+      install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
+        lib/linux/intel64/cve_2020_0551_load/libippcp.a
+      install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
+        lib/linux/intel64/cve_2020_0551_cf/libippcp.a
+
+      rm inc/ippcp.h
+      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h
+
+      install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
+
+      popd
+    '';
+
+  buildFlags = [
+    "sdk_install_pkg"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  postBuild = ''
+    patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    installDir=$TMPDIR
+    ./linux/installer/bin/sgx_linux_x64_sdk_${version}.bin -prefix $installDir
+    installDir=$installDir/sgxsdk
+
+    echo "Move files created by installer"
+
+    mkdir -p $out/bin
+    pushd $out
+
+    mv $installDir/bin/sgx-gdb $out/bin
+    mkdir $out/bin/x64
+    for file in $installDir/bin/x64/*; do
+      mv $file bin/
+      ln -sr bin/$(basename $file) bin/x64/
+    done
+    rmdir $installDir/bin/{x64,}
+
+    # Move `lib64` to `lib` and symlink `lib64`
+    mv $installDir/lib64 lib
+    ln -s lib/ lib64
+
+    # Fixup the symlinks for libsgx_urts.so.* -> libsgx_urts.so
+    for file in lib/libsgx_urts.so.*; do
+      ln -srf lib/libsgx_urts.so $file
+    done
+
+    mv $installDir/include/ .
+
+    mkdir -p share/
+    mv $installDir/{SampleCode,licenses} share/
+
+    mkdir -p share/bin
+    mv $installDir/{environment,buildenv.mk} share/bin/
+    ln -s share/bin/{environment,buildenv.mk} .
+
+    # pkgconfig should go to lib/
+    mv $installDir/pkgconfig lib/
+    ln -s lib/pkgconfig/ .
+
+    # Also create the `sdk_libs` for compat. All the files
+    # link to libraries in `lib64/`, we shouldn't link the entire
+    # directory, however, as there seems to be some ambiguity between
+    # SDK and PSW libraries.
+    mkdir sdk_libs/
+    for file in $installDir/sdk_libs/*; do
+      ln -sr lib/$(basename $file) sdk_libs/
+      rm $file
+    done
+    rmdir $installDir/sdk_libs
+
+    # No uninstall script required
+    rm $installDir/uninstall.sh
+
+    # Create an `sgxsdk` symlink which points to `$out` for compat
+    ln -sr . sgxsdk
+
+    # Make sure we didn't forget any files
+    rmdir $installDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
+
+    popd
+
+    runHook postInstall
+  '';
+
+  preFixup = ''
+    echo "Strip sgxsdk prefix"
+    for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do
+      substituteInPlace $path --replace "$TMPDIR/sgxsdk" "$out"
+    done
+
+    echo "Fixing pkg-config files"
+    sed -i "s|prefix=.*|prefix=$out|g" $out/lib/pkgconfig/*.pc
+
+    echo "Fixing SGX_SDK default in samples"
+    substituteInPlace $out/share/SampleCode/LocalAttestation/buildenv.mk \
+      --replace '/opt/intel/sgxsdk' "$out"
+    for file in $out/share/SampleCode/*/Makefile; do
+      substituteInPlace $file \
+        --replace '/opt/intel/sgxsdk' "$out"
+    done
+
+    echo "Fixing BINUTILS_DIR in buildenv.mk"
+    substituteInPlace $out/share/bin/buildenv.mk \
+      --replace 'BINUTILS_DIR ?= /usr/local/bin' \
+                'BINUTILS_DIR ?= ${BINUTILS_DIR}'
+
+    echo "Fixing GDB path in bin/sgx-gdb"
+    substituteInPlace $out/bin/sgx-gdb --replace '/usr/local/bin/gdb' '${gdb}/bin/gdb'
+  '';
+
+  doInstallCheck = true;
+
+  installCheckPhase = ''
+    runHook preInstallCheck
+
+    # Make sure all symlinks are valid
+    output=$(find "$out" -type l -exec test ! -e {} \; -print)
+    if [[ -n "$output" ]]; then
+      echo "Broken symlinks:"
+      echo "$output"
+      exit 1
+    fi
+
+    runHook postInstallCheck
+  '';
+
+  setupHook = writeText "setup-hook.sh" ''
+    sgxsdk() {
+        export SGX_SDK=@out@
+    }
+
+    postHooks+=(sgxsdk)
+  '';
+
+  passthru.tests = callPackage ../samples { sgxMode = "SIM"; };
+
+  # Run tests in SGX hardware mode on an SGX-enabled machine
+  # $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
+  passthru.runTestsHW =
+    let
+      testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
+      testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
+    in
+    writeShellApplication {
+      name = "run-tests-hw";
+      text = ''
+        for test in ${testsHWLinked}/*; do
+          printf '*** Running test %s ***\n\n' "$(basename "$test")"
+          printf 'a\n' | "$test/bin/app"
+          printf '\n'
+        done
+      '';
+    };
+
+  meta = with lib; {
+    description = "Intel SGX SDK for Linux built with IPP Crypto Library";
+    homepage = "https://github.com/intel/linux-sgx";
+    maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 ];
+  };
+}
--- a/packages/sgx-sdk/disable-downloads.patch
+++ b/packages/sgx-sdk/disable-downloads.patch
@ -0,0 +1,26 @@
+diff --git a/Makefile b/Makefile
+index 32433051..2e480efb 100644
+--- a/Makefile
+++ b/Makefile
+@@ -50,8 +50,8 @@ tips:
+ preparation:
+ # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
+ # Only enable the download from git
+-	git submodule update --init --recursive
+-	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+	# git submodule update --init --recursive
+	# ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ 	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
+ 	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
+ 	./external/sgx-emm/create_symlink.sh
+@@ -59,8 +59,8 @@ preparation:
+ 	cd external/cbor && cp -r libcbor sgx_libcbor
+ 	cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
+ 	cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
+-	./download_prebuilt.sh
+-	./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+	# ./download_prebuilt.sh
+	# ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+ 
+ psw:
+ 	$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
--- a/packages/sgx-sdk/ipp-crypto.nix
+++ b/packages/sgx-sdk/ipp-crypto.nix
@ -0,0 +1,30 @@
+{ gcc11Stdenv
+, fetchFromGitHub
+, cmake
+, nasm
+, ninja
+, openssl
+, python3
+, extraCmakeFlags ? [ ]
+}:
+gcc11Stdenv.mkDerivation rec {
+  pname = "ipp-crypto";
+  version = "2021.10.0";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "ipp-crypto";
+    rev = "ippcp_${version}";
+    hash = "sha256-DfXsJ+4XqyjCD+79LUD53Cx8D46o1a4fAZa2UxGI1Xg=";
+  };
+
+  cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
+
+  nativeBuildInputs = [
+    cmake
+    nasm
+    ninja
+    openssl
+    python3
+  ];
+}
--- a/packages/sgx-ssl/default.nix
+++ b/packages/sgx-ssl/default.nix
@ -0,0 +1,81 @@
+{ stdenv
+, fetchFromGitHub
+, fetchurl
+, lib
+, openssl
+, perl
+, nixsgx
+, which
+, debug ? false
+}:
+let
+  sgxVersion = nixsgx.sgx-sdk.versionTag;
+  opensslVersion = "3.0.12";
+in
+stdenv.mkDerivation {
+  pname = "sgx-ssl" + lib.optionalString debug "-debug";
+  version = "${sgxVersion}_${opensslVersion}";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "intel-sgx-ssl";
+    rev = "3.0_Rev2";
+    hash = "sha256-dmLyaG6v+skjSa0KxLAfIfSBOxp9grrI7ds6WdGPe0I=";
+  };
+
+  postUnpack =
+    let
+      opensslSourceArchive = fetchurl {
+        url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
+        hash = "sha256-+Tyejt3l6RZhGd4xdV/Ie0qjSGNmL2fd/LoU0La2m2E=";
+      };
+    in
+    ''
+      ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
+    '';
+
+  postPatch = ''
+    patchShebangs Linux/build_openssl.sh
+
+    # Run the test in the `installCheckPhase`, not the `buildPhase`
+    substituteInPlace Linux/sgx/Makefile \
+      --replace '$(MAKE) -C $(TEST_DIR) all' \
+                'bash -c "true"'
+  '';
+
+  nativeBuildInputs = [
+    perl
+    nixsgx.sgx-sdk
+    stdenv.cc.libc
+    which
+  ];
+
+  makeFlags = [
+    "-C Linux"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  installFlags = [
+    "DESTDIR=$(out)"
+  ];
+
+  # Build the test app
+  doInstallCheck = false;
+  installCheckTarget = "test";
+  installCheckFlags = [
+    "SGX_MODE=SIM"
+    "-j 1" # Makefile doesn't support multiple jobs
+  ];
+  nativeInstallCheckInputs = [
+    openssl
+  ];
+
+  meta = with lib; {
+    description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
+    homepage = "https://github.com/intel/intel-sgx-ssl";
+    maintainers = with maintainers; [ phlip9 trundle veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = [ licenses.bsd3 licenses.openssl ];
+  };
+}