Replace compile-time debug flag with runtime HDF5_DEBUG=PL

brtnfld · brtnfld · commit c3fc3ea397c9 · 2026-02-05T12:28:28.000-06:00
Remove H5PL_DEBUG_KEYSTORE compile-time flag and use HDF5's standard
runtime debug infrastructure instead. Plugin debug output can now be
enabled at runtime with:

    export HDF5_DEBUG=PL

Changes:
- Add H5_PKG_PL to debug package enum in H5private.h
- Register "pl" package name in H5.c initialization
- Update H5PL_SIG_DEBUG_PRINT to check H5DEBUG(PL) at runtime
- Remove H5PL_DEBUG_KEYSTORE option from CMakeLists.txt
- Remove conditional compilation around debug output
- Update documentation to use HDF5_DEBUG=PL
- Update error messages to suggest runtime debug flag

This makes plugin debugging more accessible without requiring
recompilation.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -803,9 +803,6 @@ set(HDF5_PLUGIN_KEYSTORE_DIR "" CACHE PATH
 set(HDF5_PLUGIN_PUBLIC_KEY_FILE "" CACHE FILEPATH
     "Path to RSA public key (PEM format) for plugin signature verification (single key, backward compatibility)")
 
-# Debug output for KeyStore (helps troubleshoot key loading issues)
-option(HDF5_PLUGIN_KEYSTORE_DEBUG "Enable debug output for plugin KeyStore initialization" OFF)
-
 # Security: Disable environment variable override (prevents runtime keystore redirection)
 # Note: Sysadmins can also lock the keystore at runtime without recompiling by
 # creating a lock file (/etc/hdf5/lock_keystore on Unix, or
@@ -940,12 +937,6 @@ if (HDF5_REQUIRE_SIGNED_PLUGINS)
   # Enable digital signature verification
   add_compile_definitions(H5_REQUIRE_DIGITAL_SIGNATURE)
 
-  # Enable debug output if requested
-  if (HDF5_PLUGIN_KEYSTORE_DEBUG)
-    add_compile_definitions(H5PL_DEBUG_KEYSTORE)
-    message(STATUS "Plugin KeyStore debug output: ENABLED")
-  endif ()
-
   # Security: Disable environment variable override if requested
   if (HDF5_LOCK_PLUGIN_KEYSTORE)
     add_compile_definitions(H5PL_DISABLE_ENV_KEYSTORE)
diff --git a/release_docs/PLUGIN_SIGNATURE_README.md b/release_docs/PLUGIN_SIGNATURE_README.md
@@ -1108,7 +1108,8 @@ The current system makes conscious trade-offs:
    export HDF5_PLUGIN_KEYSTORE=/tmp/fake_keystore
 
    # Enable debug output to see which keystore is used
-   HDF5_PLUGIN_KEYSTORE_DEBUG=1 h5dump test_file.h5
+   export HDF5_DEBUG=PL
+   h5dump test_file.h5
 
    # Expected output: "Skipping HDF5_PLUGIN_KEYSTORE environment variable (locked by sysadmin)"
    ```
diff --git a/src/H5.c b/src/H5.c
@@ -209,6 +209,7 @@ H5_init_library(void)
     H5_debug_g.pkg[H5_PKG_MM].name = "mm";
     H5_debug_g.pkg[H5_PKG_O].name  = "o";
     H5_debug_g.pkg[H5_PKG_P].name  = "p";
+    H5_debug_g.pkg[H5_PKG_PL].name = "pl";
     H5_debug_g.pkg[H5_PKG_S].name  = "s";
     H5_debug_g.pkg[H5_PKG_T].name  = "t";
     H5_debug_g.pkg[H5_PKG_V].name  = "v";
diff --git a/src/H5PLpkg.h b/src/H5PLpkg.h
@@ -127,12 +127,13 @@ typedef const void *(*H5PL_get_plugin_info_t)(void);
 #define H5PL_SIG_KEYSTORE_DIR_STR "(not configured)"
 #endif
 
-/* Debug logging for keystore operations (enable via CMake: HDF5_PLUGIN_KEYSTORE_DEBUG) */
-#ifdef H5PL_DEBUG_KEYSTORE
-#define H5PL_SIG_DEBUG_PRINT(...) fprintf(stderr, __VA_ARGS__)
-#else
-#define H5PL_SIG_DEBUG_PRINT(...) /* no-op */
-#endif
+#define H5PL_SIG_DEBUG_PRINT(...)                                                                            \
+    do {                                                                                                     \
+        if (H5DEBUG(PL)) {                                                                                   \
+            fprintf(H5DEBUG(PL), __VA_ARGS__);                                                               \
+            fflush(H5DEBUG(PL));                                                                             \
+        }                                                                                                    \
+    } while (0)
 
 #endif /* H5_REQUIRE_DIGITAL_SIGNATURE */
 
diff --git a/src/H5PLsig.c b/src/H5PLsig.c
@@ -971,8 +971,6 @@ H5PL__init_keystore(void)
                     attempted_source);
     }
 
-#ifdef H5PL_DEBUG_KEYSTORE
-    /* Optional debug output (enable via compile-time flag) */
     if (H5PL_keystore_count_g > 0) {
         H5PL_SIG_DEBUG_PRINT("HDF5 Plugin KeyStore initialized:\n");
         H5PL_SIG_DEBUG_PRINT("  Keys loaded: %zu\n", H5PL_keystore_count_g);
@@ -983,7 +981,6 @@ H5PL__init_keystore(void)
     if (H5PL_revoked_sigs_count_g > 0) {
         H5PL_SIG_DEBUG_PRINT("  Revoked signatures loaded: %zu\n", H5PL_revoked_sigs_count_g);
     }
-#endif
 
 done:
     /* Cleanup on initialization failure */
@@ -1610,7 +1607,7 @@ H5PL__verify_with_all_keys(int fd, size_t binary_size, const unsigned char *sign
         else {
             diagnostic = "\n"
                          "  DIAGNOSIS: Unknown verification failure\n"
-                         "  - Enable HDF5_PLUGIN_KEYSTORE_DEBUG for detailed logging\n";
+                         "  - Enable debug output with: export HDF5_DEBUG=PL\n";
         }
 
         keystore_path = getenv("HDF5_PLUGIN_KEYSTORE");
diff --git a/src/H5private.h b/src/H5private.h
@@ -984,6 +984,7 @@ typedef enum {
     H5_PKG_MM, /* Core memory management   */
     H5_PKG_O,  /* Object headers           */
     H5_PKG_P,  /* Property lists           */
+    H5_PKG_PL, /* Plugins                  */
     H5_PKG_S,  /* Dataspaces               */
     H5_PKG_T,  /* Datatypes                */
     H5_PKG_V,  /* Vector functions         */
