mirror of
https://github.com/dashpay/dash.git
synced 2024-12-24 11:32:46 +01:00
Merge bitcoin/bitcoin#22418: release: Remove gitian
ab9c34237ab7b056394e0bd1f7cb131ffd95754c release: remove gitian (fanquake) Pull request description: Note that this doesn't yet touch any glibc back compat related code. ACKs for top commit: laanwj: Code review ACK ab9c34237ab7b056394e0bd1f7cb131ffd95754c Tree-SHA512: 8e2fe3ec1097f54bb11ab9136b43818d90eab5dbb0a663ad6a552966ada4bdb49cc12ff4e66f0ec0ec5400bda5c81f3a3ce70a9ebb6fe1e0db612da9f00a51a7
This commit is contained in:
parent
bfe050d1ca
commit
1c0cb3e8cc
@ -24,18 +24,12 @@ Build Tools and Keys
|
||||
Contains files used to package dashd/dash-qt
|
||||
for Debian-based Linux systems. If you compile dashd/dash-qt yourself, there are some useful files here.
|
||||
|
||||
### [Gitian-descriptors](/contrib/gitian-descriptors) ###
|
||||
Notes on getting Gitian builds up and running using KVM.
|
||||
|
||||
### [Builder keys](/contrib/builder-keys)
|
||||
PGP keys used for signing Dash Core [release](/doc/release-process.md) results.
|
||||
|
||||
### [MacDeploy](/contrib/macdeploy) ###
|
||||
Scripts and notes for Mac builds.
|
||||
|
||||
### [Gitian-build](/contrib/gitian-build.py) ###
|
||||
Script for running full Gitian builds.
|
||||
|
||||
Test and Verify Tools
|
||||
---------------------
|
||||
|
||||
|
@ -164,7 +164,7 @@ Perform basic security checks on a series of executables.
|
||||
symbol-check.py
|
||||
===============
|
||||
|
||||
A script to check that the executables produced by Gitian only contain
|
||||
A script to check that release executables only contain
|
||||
certain symbols and are only linked against allowed libraries.
|
||||
|
||||
For Linux this means checking for allowed gcc, glibc and libstdc++ version symbols.
|
||||
@ -172,9 +172,9 @@ This makes sure they are still compatible with the minimum supported distributio
|
||||
|
||||
For macOS and Windows we check that the executables are only linked against libraries we allow.
|
||||
|
||||
Example usage after a Gitian build:
|
||||
Example usage:
|
||||
|
||||
find ../gitian-builder/build -type f -executable | xargs python3 contrib/devtools/symbol-check.py
|
||||
find ../path/to/executables -type f -executable | xargs python3 contrib/devtools/symbol-check.py
|
||||
|
||||
If no errors occur the return value will be 0 and the output will be empty.
|
||||
|
||||
|
@ -1,270 +0,0 @@
|
||||
#!/usr/bin/env python3
|
||||
# Copyright (c) 2018-2019 The Bitcoin Core developers
|
||||
# Distributed under the MIT software license, see the accompanying
|
||||
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
||||
|
||||
import argparse
|
||||
import os
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
def setup():
|
||||
global args, workdir
|
||||
programs = ['ruby', 'git', 'make', 'wget', 'curl']
|
||||
if args.kvm:
|
||||
programs += ['apt-cacher-ng', 'python-vm-builder', 'qemu-kvm', 'qemu-utils']
|
||||
elif args.docker:
|
||||
if not os.path.isfile('/lib/systemd/system/docker.service'):
|
||||
dockers = ['docker.io', 'docker-ce']
|
||||
for i in dockers:
|
||||
return_code = subprocess.call(['sudo', 'apt-get', 'install', '-qq', i])
|
||||
if return_code == 0:
|
||||
break
|
||||
if return_code != 0:
|
||||
print('Cannot find any way to install Docker.', file=sys.stderr)
|
||||
sys.exit(1)
|
||||
else:
|
||||
programs += ['apt-cacher-ng', 'lxc', 'debootstrap']
|
||||
subprocess.check_call(['sudo', 'apt-get', 'install', '-qq'] + programs)
|
||||
if not os.path.isdir('gitian.sigs'):
|
||||
subprocess.check_call(['git', 'clone', 'https://github.com/dashpay/gitian.sigs.git'])
|
||||
if not os.path.isdir('dash-detached-sigs'):
|
||||
subprocess.check_call(['git', 'clone', 'https://github.com/dashpay/dash-detached-sigs.git'])
|
||||
if not os.path.isdir('gitian-builder'):
|
||||
subprocess.check_call(['git', 'clone', 'https://github.com/devrandom/gitian-builder.git'])
|
||||
if not os.path.isdir('dash'):
|
||||
subprocess.check_call(['git', 'clone', 'https://github.com/dashpay/dash.git'])
|
||||
os.chdir('gitian-builder')
|
||||
make_image_prog = ['bin/make-base-vm', '--suite', 'focal', '--arch', 'amd64']
|
||||
if args.docker:
|
||||
make_image_prog += ['--docker']
|
||||
elif args.lxc:
|
||||
make_image_prog += ['--lxc', '--disksize', '13000']
|
||||
subprocess.check_call(make_image_prog)
|
||||
os.chdir(workdir)
|
||||
if args.is_focal and not args.kvm and not args.docker:
|
||||
subprocess.check_call(['sudo', 'sed', '-i', 's/lxcbr0/br0/', '/etc/default/lxc-net'])
|
||||
print('Reboot is required')
|
||||
sys.exit(0)
|
||||
|
||||
def build():
|
||||
global args, workdir
|
||||
|
||||
os.makedirs('dashcore-binaries/' + args.version, exist_ok=True)
|
||||
print('\nBuilding Dependencies\n')
|
||||
os.chdir('gitian-builder')
|
||||
os.makedirs('inputs', exist_ok=True)
|
||||
|
||||
subprocess.check_call(['wget', '-O', 'inputs/osslsigncode-2.0.tar.gz', 'https://github.com/mtrojnar/osslsigncode/archive/2.0.tar.gz'])
|
||||
subprocess.check_call(["echo '5a60e0a4b3e0b4d655317b2f12a810211c50242138322b16e7e01c6fbb89d92f inputs/osslsigncode-2.0.tar.gz' | sha256sum -c"], shell=True)
|
||||
subprocess.check_call(['make', '-C', '../dash/depends', 'download', 'SOURCES_PATH=' + os.getcwd() + '/cache/common'])
|
||||
|
||||
if args.linux:
|
||||
print('\nCompiling ' + args.version + ' Linux')
|
||||
subprocess.check_call(['bin/gbuild', '--fetch-tags', '-j', args.jobs, '-m', args.memory, '--commit', 'dash='+args.commit, '--url', 'dash='+args.url, '../dash/contrib/gitian-descriptors/gitian-linux.yml'])
|
||||
subprocess.check_call(['bin/gsign', '-p', args.sign_prog, '--signer', args.signer, '--release', args.version+'-linux', '--destination', '../gitian.sigs/', '../dash/contrib/gitian-descriptors/gitian-linux.yml'])
|
||||
subprocess.check_call('mv build/out/dashcore-*.tar.gz build/out/src/dashcore-*.tar.gz ../dashcore-binaries/'+args.version, shell=True)
|
||||
|
||||
if args.windows:
|
||||
print('\nCompiling ' + args.version + ' Windows')
|
||||
subprocess.check_call(['bin/gbuild', '--fetch-tags', '-j', args.jobs, '-m', args.memory, '--commit', 'dash='+args.commit, '--url', 'dash='+args.url, '../dash/contrib/gitian-descriptors/gitian-win.yml'])
|
||||
subprocess.check_call(['bin/gsign', '-p', args.sign_prog, '--signer', args.signer, '--release', args.version+'-win-unsigned', '--destination', '../gitian.sigs/', '../dash/contrib/gitian-descriptors/gitian-win.yml'])
|
||||
subprocess.check_call('mv build/out/dashcore-*-win-unsigned.tar.gz inputs/', shell=True)
|
||||
subprocess.check_call('mv build/out/dashcore-*.zip build/out/dashcore-*.exe build/out/src/dashcore-*.tar.gz ../dashcore-binaries/'+args.version, shell=True)
|
||||
|
||||
if args.macos:
|
||||
print('\nCompiling ' + args.version + ' MacOS')
|
||||
subprocess.check_call(['wget', '-N', '-P', 'inputs', 'https://bitcoincore.org/depends-sources/sdks/Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers.tar.gz'])
|
||||
subprocess.check_output(["echo 'df75d30ecafc429e905134333aeae56ac65fac67cb4182622398fd717df77619 inputs/Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers.tar.gz' | sha256sum -c"], shell=True)
|
||||
subprocess.check_call(['bin/gbuild', '--fetch-tags', '-j', args.jobs, '-m', args.memory, '--commit', 'dash='+args.commit, '--url', 'dash='+args.url, '../dash/contrib/gitian-descriptors/gitian-osx.yml'])
|
||||
subprocess.check_call(['bin/gsign', '-p', args.sign_prog, '--signer', args.signer, '--release', args.version+'-osx-unsigned', '--destination', '../gitian.sigs/', '../dash/contrib/gitian-descriptors/gitian-osx.yml'])
|
||||
subprocess.check_call('mv build/out/dashcore-*-osx-unsigned.tar.gz inputs/', shell=True)
|
||||
subprocess.check_call('mv build/out/dashcore-*.tar.gz build/out/dashcore-*.dmg build/out/src/dashcore-*.tar.gz ../dashcore-binaries/'+args.version, shell=True)
|
||||
|
||||
os.chdir(workdir)
|
||||
|
||||
if args.commit_files:
|
||||
print('\nCommitting '+args.version+' Unsigned Sigs\n')
|
||||
os.chdir('gitian.sigs')
|
||||
subprocess.check_call(['git', 'add', args.version+'-linux/'+args.signer])
|
||||
subprocess.check_call(['git', 'add', args.version+'-win-unsigned/'+args.signer])
|
||||
subprocess.check_call(['git', 'add', args.version+'-osx-unsigned/'+args.signer])
|
||||
subprocess.check_call(['git', 'commit', '-m', 'Add '+args.version+' unsigned sigs for '+args.signer])
|
||||
os.chdir(workdir)
|
||||
|
||||
def sign():
|
||||
global args, workdir
|
||||
os.chdir('gitian-builder')
|
||||
|
||||
if args.windows:
|
||||
print('\nSigning ' + args.version + ' Windows')
|
||||
subprocess.check_call('cp inputs/dashcore-' + args.version + '-win-unsigned.tar.gz inputs/dashcore-win-unsigned.tar.gz', shell=True)
|
||||
subprocess.check_call(['bin/gbuild', '--skip-image', '--upgrade', '--commit', 'signature='+args.commit, '../dash/contrib/gitian-descriptors/gitian-win-signer.yml'])
|
||||
subprocess.check_call(['bin/gsign', '-p', args.sign_prog, '--signer', args.signer, '--release', args.version+'-win-signed', '--destination', '../gitian.sigs/', '../dash/contrib/gitian-descriptors/gitian-win-signer.yml'])
|
||||
subprocess.check_call('mv build/out/dashcore-*win64-setup.exe ../dashcore-binaries/'+args.version, shell=True)
|
||||
|
||||
if args.macos:
|
||||
print('\nSigning ' + args.version + ' MacOS')
|
||||
subprocess.check_call('cp inputs/dashcore-' + args.version + '-osx-unsigned.tar.gz inputs/dashcore-osx-unsigned.tar.gz', shell=True)
|
||||
subprocess.check_call(['bin/gbuild', '--skip-image', '--upgrade', '--commit', 'signature='+args.commit, '../dash/contrib/gitian-descriptors/gitian-osx-signer.yml'])
|
||||
subprocess.check_call(['bin/gsign', '-p', args.sign_prog, '--signer', args.signer, '--release', args.version+'-osx-signed', '--destination', '../gitian.sigs/', '../dash/contrib/gitian-descriptors/gitian-osx-signer.yml'])
|
||||
subprocess.check_call('mv build/out/dashcore-osx-signed.dmg ../dashcore-binaries/'+args.version+'/dashcore-'+args.version+'-osx.dmg', shell=True)
|
||||
|
||||
os.chdir(workdir)
|
||||
|
||||
if args.commit_files:
|
||||
print('\nCommitting '+args.version+' Signed Sigs\n')
|
||||
os.chdir('gitian.sigs')
|
||||
subprocess.check_call(['git', 'add', args.version+'-win-signed/'+args.signer])
|
||||
subprocess.check_call(['git', 'add', args.version+'-osx-signed/'+args.signer])
|
||||
subprocess.check_call(['git', 'commit', '-a', '-m', 'Add '+args.version+' signed binary sigs for '+args.signer])
|
||||
os.chdir(workdir)
|
||||
|
||||
def verify():
|
||||
global args, workdir
|
||||
rc = 0
|
||||
os.chdir('gitian-builder')
|
||||
|
||||
print('\nVerifying v'+args.version+' Linux\n')
|
||||
if subprocess.call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version+'-linux', '../dash/contrib/gitian-descriptors/gitian-linux.yml']):
|
||||
print('Verifying v'+args.version+' Linux FAILED\n')
|
||||
rc = 1
|
||||
|
||||
print('\nVerifying v'+args.version+' Windows\n')
|
||||
if subprocess.call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version+'-win-unsigned', '../dash/contrib/gitian-descriptors/gitian-win.yml']):
|
||||
print('Verifying v'+args.version+' Windows FAILED\n')
|
||||
rc = 1
|
||||
|
||||
print('\nVerifying v'+args.version+' MacOS\n')
|
||||
if subprocess.call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version+'-osx-unsigned', '../dash/contrib/gitian-descriptors/gitian-osx.yml']):
|
||||
print('Verifying v'+args.version+' MacOS FAILED\n')
|
||||
rc = 1
|
||||
|
||||
print('\nVerifying v'+args.version+' Signed Windows\n')
|
||||
if subprocess.call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version+'-win-signed', '../dash/contrib/gitian-descriptors/gitian-win-signer.yml']):
|
||||
print('Verifying v'+args.version+' Signed Windows FAILED\n')
|
||||
rc = 1
|
||||
|
||||
print('\nVerifying v'+args.version+' Signed MacOS\n')
|
||||
if subprocess.call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version+'-osx-signed', '../dash/contrib/gitian-descriptors/gitian-osx-signer.yml']):
|
||||
print('Verifying v'+args.version+' Signed MacOS FAILED\n')
|
||||
rc = 1
|
||||
|
||||
os.chdir(workdir)
|
||||
return rc
|
||||
|
||||
def main():
|
||||
global args, workdir
|
||||
|
||||
parser = argparse.ArgumentParser(description='Script for running full Gitian builds.')
|
||||
parser.add_argument('-c', '--commit', action='store_true', dest='commit', help='Indicate that the version argument is for a commit or branch')
|
||||
parser.add_argument('-p', '--pull', action='store_true', dest='pull', help='Indicate that the version argument is the number of a github repository pull request')
|
||||
parser.add_argument('-u', '--url', dest='url', default='https://github.com/dashpay/dash', help='Specify the URL of the repository. Default is %(default)s')
|
||||
parser.add_argument('-v', '--verify', action='store_true', dest='verify', help='Verify the Gitian build')
|
||||
parser.add_argument('-b', '--build', action='store_true', dest='build', help='Do a Gitian build')
|
||||
parser.add_argument('-s', '--sign', action='store_true', dest='sign', help='Make signed binaries for Windows and MacOS')
|
||||
parser.add_argument('-B', '--buildsign', action='store_true', dest='buildsign', help='Build both signed and unsigned binaries')
|
||||
parser.add_argument('-o', '--os', dest='os', default='lwm', help='Specify which Operating Systems the build is for. Default is %(default)s. l for Linux, w for Windows, m for MacOS')
|
||||
parser.add_argument('-j', '--jobs', dest='jobs', default='2', help='Number of processes to use. Default %(default)s')
|
||||
parser.add_argument('-m', '--memory', dest='memory', default='2000', help='Memory to allocate in MiB. Default %(default)s')
|
||||
parser.add_argument('-V', '--virtualization', dest='virtualization', default='docker', help='Specify virtualization technology to use: lxc for LXC, kvm for KVM, docker for Docker. Default is %(default)s')
|
||||
parser.add_argument('-S', '--setup', action='store_true', dest='setup', help='Set up the Gitian building environment. Only works on Debian-based systems (Ubuntu, Debian)')
|
||||
parser.add_argument('-D', '--detach-sign', action='store_true', dest='detach_sign', help='Create the assert file for detached signing. Will not commit anything.')
|
||||
parser.add_argument('-n', '--no-commit', action='store_false', dest='commit_files', help='Do not commit anything to git')
|
||||
parser.add_argument('signer', nargs='?', help='GPG signer to sign each build assert file')
|
||||
parser.add_argument('version', nargs='?', help='Version number, commit, or branch to build. If building a commit or branch, the -c option must be specified')
|
||||
|
||||
args = parser.parse_args()
|
||||
workdir = os.getcwd()
|
||||
|
||||
args.is_focal = b'focal' in subprocess.check_output(['lsb_release', '-cs'])
|
||||
|
||||
args.lxc = (args.virtualization == 'lxc')
|
||||
args.kvm = (args.virtualization == 'kvm')
|
||||
args.docker = (args.virtualization == 'docker')
|
||||
|
||||
script_name = os.path.basename(sys.argv[0])
|
||||
if not args.lxc and not args.kvm and not args.docker:
|
||||
print(script_name+': Wrong virtualization option.')
|
||||
print('Try '+script_name+' --help for more information')
|
||||
sys.exit(1)
|
||||
|
||||
# Ensure no more than one environment variable for gitian-builder (USE_LXC, USE_VBOX, USE_DOCKER) is set as they
|
||||
# can interfere (e.g., USE_LXC being set shadows USE_DOCKER; for details see gitian-builder/libexec/make-clean-vm).
|
||||
os.environ['USE_LXC'] = ''
|
||||
os.environ['USE_VBOX'] = ''
|
||||
os.environ['USE_DOCKER'] = ''
|
||||
if args.docker:
|
||||
os.environ['USE_DOCKER'] = '1'
|
||||
elif not args.kvm:
|
||||
os.environ['USE_LXC'] = '1'
|
||||
if 'GITIAN_HOST_IP' not in os.environ.keys():
|
||||
os.environ['GITIAN_HOST_IP'] = '10.0.3.1'
|
||||
if 'LXC_GUEST_IP' not in os.environ.keys():
|
||||
os.environ['LXC_GUEST_IP'] = '10.0.3.5'
|
||||
|
||||
if args.setup:
|
||||
setup()
|
||||
|
||||
if args.buildsign:
|
||||
args.build = True
|
||||
args.sign = True
|
||||
|
||||
if not args.build and not args.sign and not args.verify:
|
||||
sys.exit(0)
|
||||
|
||||
args.linux = 'l' in args.os
|
||||
args.windows = 'w' in args.os
|
||||
args.macos = 'm' in args.os
|
||||
|
||||
# Disable for MacOS if no SDK found
|
||||
if args.macos and not os.path.isfile('gitian-builder/inputs/Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers.tar.gz'):
|
||||
print('Cannot build for MacOS, SDK does not exist. Will build for other OSes')
|
||||
args.macos = False
|
||||
|
||||
args.sign_prog = 'true' if args.detach_sign else 'gpg --detach-sign'
|
||||
|
||||
if not args.signer:
|
||||
print(script_name+': Missing signer')
|
||||
print('Try '+script_name+' --help for more information')
|
||||
sys.exit(1)
|
||||
if not args.version:
|
||||
print(script_name+': Missing version')
|
||||
print('Try '+script_name+' --help for more information')
|
||||
sys.exit(1)
|
||||
|
||||
# Add leading 'v' for tags
|
||||
if args.commit and args.pull:
|
||||
raise Exception('Cannot have both commit and pull')
|
||||
args.commit = ('' if args.commit else 'v') + args.version
|
||||
|
||||
os.chdir('dash')
|
||||
if args.pull:
|
||||
subprocess.check_call(['git', 'fetch', args.url, 'refs/pull/'+args.version+'/merge'])
|
||||
os.chdir('../gitian-builder/inputs/dash')
|
||||
subprocess.check_call(['git', 'fetch', args.url, 'refs/pull/'+args.version+'/merge'])
|
||||
args.commit = subprocess.check_output(['git', 'show', '-s', '--format=%H', 'FETCH_HEAD'], universal_newlines=True, encoding='utf8').strip()
|
||||
args.version = 'pull-' + args.version
|
||||
print(args.commit)
|
||||
subprocess.check_call(['git', 'fetch'])
|
||||
subprocess.check_call(['git', 'checkout', args.commit])
|
||||
os.chdir(workdir)
|
||||
|
||||
os.chdir('gitian-builder')
|
||||
subprocess.check_call(['git', 'pull'])
|
||||
os.chdir(workdir)
|
||||
|
||||
if args.build:
|
||||
build()
|
||||
|
||||
if args.sign:
|
||||
sign()
|
||||
|
||||
if args.verify:
|
||||
os.chdir('gitian.sigs')
|
||||
subprocess.check_call(['git', 'pull'])
|
||||
os.chdir(workdir)
|
||||
sys.exit(verify())
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
@ -1,12 +0,0 @@
|
||||
# Copyright (c) 2020 The Bitcoin Core developers
|
||||
# Distributed under the MIT software license, see the accompanying
|
||||
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
||||
#
|
||||
# A helper script to be sourced into the gitian descriptors
|
||||
|
||||
if RECENT_TAG="$(git describe --exact-match HEAD 2> /dev/null)"; then
|
||||
VERSION="${RECENT_TAG#v}"
|
||||
else
|
||||
VERSION="$(git rev-parse --short=12 HEAD)"
|
||||
fi
|
||||
DISTNAME="dashcore-${VERSION}"
|
@ -1,190 +0,0 @@
|
||||
---
|
||||
name: "dash-linux-20"
|
||||
enable_cache: true
|
||||
distro: "ubuntu"
|
||||
suites:
|
||||
- "focal"
|
||||
architectures:
|
||||
- "amd64"
|
||||
packages:
|
||||
# Common dependencies.
|
||||
- "autoconf"
|
||||
- "automake"
|
||||
- "binutils"
|
||||
- "bison"
|
||||
- "bsdmainutils"
|
||||
- "ca-certificates"
|
||||
- "cmake"
|
||||
- "curl"
|
||||
- "faketime"
|
||||
- "g++-8"
|
||||
- "gcc-8"
|
||||
- "git"
|
||||
- "libtool"
|
||||
- "patch"
|
||||
- "pkg-config"
|
||||
- "python3"
|
||||
- "python3-pip"
|
||||
- "python3-setuptools"
|
||||
- "libxkbcommon0"
|
||||
- "ccache"
|
||||
# Cross compilation HOSTS:
|
||||
# - aarch64-linux-gnu
|
||||
- "binutils-aarch64-linux-gnu"
|
||||
- "g++-8-aarch64-linux-gnu"
|
||||
# - riscv64-linux-gnu
|
||||
- "binutils-riscv64-linux-gnu"
|
||||
- "g++-8-riscv64-linux-gnu"
|
||||
remotes:
|
||||
- "url": "https://github.com/dashpay/dash.git"
|
||||
"dir": "dash"
|
||||
files: []
|
||||
script: |
|
||||
set -e -o pipefail
|
||||
|
||||
WRAP_DIR=$HOME/wrapped
|
||||
HOSTS="x86_64-linux-gnu aarch64-linux-gnu riscv64-linux-gnu"
|
||||
CONFIGFLAGS="--enable-reduce-exports --disable-bench --disable-gui-tests --disable-fuzz-binary --enable-crash-hooks"
|
||||
FAKETIME_HOST_PROGS="gcc g++"
|
||||
FAKETIME_PROGS="date ar ranlib nm"
|
||||
HOST_CFLAGS="-O2 -g"
|
||||
HOST_CXXFLAGS="-O2 -g"
|
||||
HOST_LDFLAGS_BASE="-static-libstdc++ -Wl,-O2"
|
||||
|
||||
export TZ="UTC"
|
||||
export BUILD_DIR="$PWD"
|
||||
mkdir -p ${WRAP_DIR}
|
||||
if test -n "$GBUILD_CACHE_ENABLED"; then
|
||||
export SOURCES_PATH=${GBUILD_COMMON_CACHE}
|
||||
export BASE_CACHE=${GBUILD_PACKAGE_CACHE}/depends
|
||||
mkdir -p ${BASE_CACHE} ${SOURCES_PATH}
|
||||
|
||||
# Setup ccache to use correct cache directories and fix the compiler check of ccache
|
||||
CONFIGFLAGS="${CONFIGFLAGS} --enable-ccache"
|
||||
export CCACHE_DIR=${GBUILD_PACKAGE_CACHE}/ccache
|
||||
# As we later wrap the gcc binaries, this is fast
|
||||
export CCACHE_COMPILERCHECK="content"
|
||||
if [ -f ${GBUILD_PACKAGE_CACHE}/ccache.tar ]; then
|
||||
pushd ${GBUILD_PACKAGE_CACHE}
|
||||
tar xf ccache.tar
|
||||
rm ccache.tar
|
||||
popd
|
||||
fi
|
||||
# instead of compressing ccache.tar, we let ccache handle it by itself
|
||||
# Otherwise we end up uncompressing/compressing a lot of cache files which we actually never use
|
||||
export CCACHE_COMPRESS=1
|
||||
else
|
||||
CONFIGFLAGS="${CONFIGFLAGS} --disable-ccache"
|
||||
fi
|
||||
|
||||
# We include the GCC version in all wrappers so that ccache can detect compiler upgrades when hashing the wrappers
|
||||
GCCVERSION=$(gcc --version | head -1)
|
||||
|
||||
# Use $LIB in LD_PRELOAD to avoid hardcoding the dir (See `man ld.so`)
|
||||
function create_global_faketime_wrappers {
|
||||
for prog in ${FAKETIME_PROGS}; do
|
||||
echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${prog}
|
||||
echo "# GCCVERSION=${GCCVERSION}" >> ${WRAP_DIR}/${prog}
|
||||
echo "REAL=\`which -a ${prog} | grep -v ${WRAP_DIR}/${prog} | head -1\`" >> ${WRAP_DIR}/${prog}
|
||||
echo "export LD_PRELOAD='/usr/\$LIB/faketime/libfaketime.so.1'" >> ${WRAP_DIR}/${prog}
|
||||
echo "export FAKETIME=\"$1\"" >> ${WRAP_DIR}/${prog}
|
||||
echo "exec \"\$REAL\" \"\$@\"" >> $WRAP_DIR/${prog}
|
||||
chmod +x ${WRAP_DIR}/${prog}
|
||||
touch -d "${REFERENCE_DATETIME}" ${WRAP_DIR}/${prog}
|
||||
done
|
||||
}
|
||||
|
||||
function create_per-host_faketime_wrappers {
|
||||
for i in $HOSTS; do
|
||||
for prog in ${FAKETIME_HOST_PROGS}; do
|
||||
if which ${i}-${prog}-8
|
||||
then
|
||||
echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${i}-${prog}
|
||||
echo "# GCCVERSION=${GCCVERSION}" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "REAL=\`which -a ${i}-${prog}-8 | grep -v ${WRAP_DIR}/${i}-${prog} | head -1\`" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "export LD_PRELOAD='/usr/\$LIB/faketime/libfaketime.so.1'" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "export FAKETIME=\"$1\"" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "exec \"\$REAL\" \"\$@\"" >> $WRAP_DIR/${i}-${prog}
|
||||
chmod +x ${WRAP_DIR}/${i}-${prog}
|
||||
touch -d "${REFERENCE_DATETIME}" ${WRAP_DIR}/${i}-${prog}
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
pip3 install --upgrade pip setuptools wheel
|
||||
pip3 install lief==0.12.1
|
||||
|
||||
# Faketime for depends so intermediate results are comparable
|
||||
export PATH_orig=${PATH}
|
||||
create_global_faketime_wrappers "2000-01-01 12:00:00"
|
||||
create_per-host_faketime_wrappers "2000-01-01 12:00:00"
|
||||
export PATH=${WRAP_DIR}:${PATH}
|
||||
|
||||
cd dash
|
||||
BASEPREFIX="${PWD}/depends"
|
||||
# Build dependencies for each host
|
||||
for i in $HOSTS; do
|
||||
make ${MAKEOPTS} -C ${BASEPREFIX} HOST="${i}" CC=${i}-gcc-8 CXX=${i}-g++-8
|
||||
done
|
||||
|
||||
# Faketime for binaries
|
||||
export PATH=${PATH_orig}
|
||||
create_global_faketime_wrappers "${REFERENCE_DATETIME}"
|
||||
create_per-host_faketime_wrappers "${REFERENCE_DATETIME}"
|
||||
export PATH=${WRAP_DIR}:${PATH}
|
||||
|
||||
# Define DISTNAME variable.
|
||||
# shellcheck source=contrib/gitian-descriptors/assign_DISTNAME
|
||||
source contrib/gitian-descriptors/assign_DISTNAME
|
||||
|
||||
GIT_ARCHIVE="${OUTDIR}/src/${DISTNAME}.tar.gz"
|
||||
|
||||
# Create the source tarball
|
||||
mkdir -p "$(dirname "$GIT_ARCHIVE")"
|
||||
git archive --prefix="${DISTNAME}/" --output="$GIT_ARCHIVE" HEAD
|
||||
|
||||
ORIGPATH="$PATH"
|
||||
# Extract the git archive into a dir for each host and build
|
||||
for i in ${HOSTS}; do
|
||||
export PATH=${BASEPREFIX}/${i}/native/bin:${ORIGPATH}
|
||||
if [ "${i}" = "riscv64-linux-gnu" ] || [ "${i}" = "powerpc64-linux-gnu" ] || [ "${i}" = "powerpc64le-linux-gnu" ]; then
|
||||
# Workaround for https://bugs.launchpad.net/ubuntu/+source/gcc-8-cross-ports/+bug/1853740
|
||||
# TODO: remove this when no longer needed
|
||||
HOST_LDFLAGS="${HOST_LDFLAGS_BASE} -Wl,-z,noexecstack"
|
||||
else
|
||||
HOST_LDFLAGS="${HOST_LDFLAGS_BASE}"
|
||||
fi
|
||||
mkdir -p distsrc-${i}
|
||||
cd distsrc-${i}
|
||||
INSTALLPATH="${PWD}/installed/${DISTNAME}"
|
||||
mkdir -p ${INSTALLPATH}
|
||||
tar --strip-components=1 -xf "${GIT_ARCHIVE}"
|
||||
|
||||
./autogen.sh
|
||||
CONFIG_SITE=${BASEPREFIX}/${i}/share/config.site ./configure --prefix=/ --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS} CFLAGS="${HOST_CFLAGS}" CXXFLAGS="${HOST_CXXFLAGS}" LDFLAGS="${HOST_LDFLAGS}" CC=${i}-gcc-8 CXX=${i}-g++-8
|
||||
make ${MAKEOPTS}
|
||||
make ${MAKEOPTS} -C src check-security
|
||||
make ${MAKEOPTS} -C src check-symbols
|
||||
make install DESTDIR=${INSTALLPATH}
|
||||
cd installed
|
||||
find . -name "lib*.la" -delete
|
||||
find . -name "lib*.a" -delete
|
||||
rm -rf ${DISTNAME}/lib/pkgconfig
|
||||
find ${DISTNAME}/bin -type f -executable -print0 | xargs -0 -n1 -I{} ../contrib/devtools/split-debug.sh {} {} {}.dbg
|
||||
find ${DISTNAME}/lib -type f -print0 | xargs -0 -n1 -I{} ../contrib/devtools/split-debug.sh {} {} {}.dbg
|
||||
cp ../README.md ${DISTNAME}/
|
||||
find ${DISTNAME} -not -name "*.dbg" | sort | tar --mtime="$REFERENCE_DATETIME" --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-${i}.tar.gz
|
||||
find ${DISTNAME} -name "*.dbg" | sort | tar --mtime="$REFERENCE_DATETIME" --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-${i}-debug.tar.gz
|
||||
cd ../../
|
||||
rm -rf distsrc-${i}
|
||||
done
|
||||
|
||||
# Compress ccache (otherwise the assert file will get too huge)
|
||||
if [ "$CCACHE_DIR" != "" ]; then
|
||||
pushd ${GBUILD_PACKAGE_CACHE}
|
||||
tar cf ccache.tar ccache
|
||||
rm -rf ccache
|
||||
popd
|
||||
fi
|
||||
|
@ -1,53 +0,0 @@
|
||||
---
|
||||
name: "dash-dmg-signer"
|
||||
distro: "ubuntu"
|
||||
suites:
|
||||
- "focal"
|
||||
architectures:
|
||||
- "amd64"
|
||||
packages:
|
||||
- "faketime"
|
||||
- "xorriso"
|
||||
- "python3-pip"
|
||||
remotes:
|
||||
- "url": "https://github.com/dashpay/dash-detached-sigs.git"
|
||||
"dir": "signature"
|
||||
- "url": "https://github.com/achow101/signapple.git"
|
||||
"dir": "signapple"
|
||||
"commit": "8a945a2e7583be2665cf3a6a89d665b70ecd1ab6"
|
||||
files:
|
||||
- "dashcore-osx-unsigned.tar.gz"
|
||||
script: |
|
||||
set -e -o pipefail
|
||||
|
||||
WRAP_DIR=$HOME/wrapped
|
||||
mkdir -p ${WRAP_DIR}
|
||||
export PATH="$PWD":$PATH
|
||||
FAKETIME_PROGS="dmg xorrisofs"
|
||||
|
||||
# Create global faketime wrappers
|
||||
for prog in ${FAKETIME_PROGS}; do
|
||||
echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${prog}
|
||||
echo "REAL=\`which -a ${prog} | grep -v ${WRAP_DIR}/${prog} | head -1\`" >> ${WRAP_DIR}/${prog}
|
||||
echo "export LD_PRELOAD='/usr/\$LIB/faketime/libfaketime.so.1'" >> ${WRAP_DIR}/${prog}
|
||||
echo "export FAKETIME=\"${REFERENCE_DATETIME}\"" >> ${WRAP_DIR}/${prog}
|
||||
echo "exec \"\$REAL\" \"\$@\"" >> $WRAP_DIR/${prog}
|
||||
chmod +x ${WRAP_DIR}/${prog}
|
||||
done
|
||||
|
||||
# Install signapple
|
||||
cd signapple
|
||||
python3 -m pip install -U pip setuptools
|
||||
python3 -m pip install .
|
||||
export PATH="$HOME/.local/bin":$PATH
|
||||
cd ..
|
||||
|
||||
UNSIGNED_TARBALL=dashcore-osx-unsigned.tar.gz
|
||||
UNSIGNED_APP=dist/Dash-Qt.app
|
||||
SIGNED=dashcore-osx-signed.dmg
|
||||
|
||||
tar -xf ${UNSIGNED_TARBALL}
|
||||
OSX_VOLNAME="$(cat osx_volname)"
|
||||
./detached-sig-apply.sh ${UNSIGNED_APP} signature/osx/dist
|
||||
${WRAP_DIR}/xorrisofs -D -l -V "${OSX_VOLNAME}" -no-pad -r -dir-mode 0755 -o uncompressed.dmg signed-app
|
||||
${WRAP_DIR}/dmg dmg uncompressed.dmg ${OUTDIR}/${SIGNED}
|
@ -1,184 +0,0 @@
|
||||
---
|
||||
name: "dash-osx-20"
|
||||
enable_cache: true
|
||||
distro: "ubuntu"
|
||||
suites:
|
||||
- "focal"
|
||||
architectures:
|
||||
- "amd64"
|
||||
packages:
|
||||
- "ca-certificates"
|
||||
- "curl"
|
||||
- "g++"
|
||||
- "git"
|
||||
- "pkg-config"
|
||||
- "autoconf"
|
||||
- "libtool"
|
||||
- "automake"
|
||||
- "faketime"
|
||||
- "bsdmainutils"
|
||||
- "libcap-dev"
|
||||
- "libz-dev"
|
||||
- "libbz2-dev"
|
||||
- "python3"
|
||||
- "python3-setuptools"
|
||||
- "python3-pip"
|
||||
- "fonts-tuffy"
|
||||
- "ccache"
|
||||
- "cmake"
|
||||
- "xorriso"
|
||||
- "libtinfo5"
|
||||
remotes:
|
||||
- "url": "https://github.com/dashpay/dash.git"
|
||||
"dir": "dash"
|
||||
files:
|
||||
- "Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers.tar.gz"
|
||||
script: |
|
||||
set -e -o pipefail
|
||||
|
||||
WRAP_DIR=$HOME/wrapped
|
||||
HOSTS="x86_64-apple-darwin"
|
||||
CONFIGFLAGS="--enable-reduce-exports --disable-miner --disable-bench --disable-gui-tests --disable-fuzz-binary XORRISOFS=${WRAP_DIR}/xorrisofs DMG=${WRAP_DIR}/dmg --enable-crash-hooks"
|
||||
FAKETIME_HOST_PROGS=""
|
||||
FAKETIME_PROGS="ar ranlib date dmg xorrisofs"
|
||||
|
||||
export TZ="UTC"
|
||||
export BUILD_DIR="$PWD"
|
||||
mkdir -p ${WRAP_DIR}
|
||||
if test -n "$GBUILD_CACHE_ENABLED"; then
|
||||
export SOURCES_PATH=${GBUILD_COMMON_CACHE}
|
||||
export BASE_CACHE=${GBUILD_PACKAGE_CACHE}/depends
|
||||
mkdir -p ${BASE_CACHE} ${SOURCES_PATH}
|
||||
|
||||
# Setup ccache to use correct cache directories
|
||||
CONFIGFLAGS="${CONFIGFLAGS} --enable-ccache"
|
||||
export CCACHE_DIR=${GBUILD_PACKAGE_CACHE}/ccache
|
||||
if [ -f ${GBUILD_PACKAGE_CACHE}/ccache.tar ]; then
|
||||
pushd ${GBUILD_PACKAGE_CACHE}
|
||||
tar xf ccache.tar
|
||||
rm ccache.tar
|
||||
popd
|
||||
fi
|
||||
# instead of compressing ccache.tar, we let ccache handle it by itself
|
||||
# Otherwise we end up uncompressing/compressing a lot of cache files which we actually never use
|
||||
export CCACHE_COMPRESS=1
|
||||
else
|
||||
CONFIGFLAGS="${CONFIGFLAGS} --disable-ccache"
|
||||
fi
|
||||
|
||||
export ZERO_AR_DATE=1
|
||||
|
||||
# Use $LIB in LD_PRELOAD to avoid hardcoding the dir (See `man ld.so`)
|
||||
function create_global_faketime_wrappers {
|
||||
for prog in ${FAKETIME_PROGS}; do
|
||||
echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${prog}
|
||||
echo "REAL=\`which -a ${prog} | grep -v ${WRAP_DIR}/${prog} | head -1\`" >> ${WRAP_DIR}/${prog}
|
||||
echo "export LD_PRELOAD='/usr/\$LIB/faketime/libfaketime.so.1'" >> ${WRAP_DIR}/${prog}
|
||||
echo "export FAKETIME=\"$1\"" >> ${WRAP_DIR}/${prog}
|
||||
echo "exec \"\$REAL\" \"\$@\"" >> $WRAP_DIR/${prog}
|
||||
chmod +x ${WRAP_DIR}/${prog}
|
||||
touch -d "${REFERENCE_DATETIME}" ${WRAP_DIR}/${prog}
|
||||
done
|
||||
}
|
||||
|
||||
function create_per-host_faketime_wrappers {
|
||||
for i in $HOSTS; do
|
||||
for prog in ${FAKETIME_HOST_PROGS}; do
|
||||
echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${i}-${prog}
|
||||
echo "REAL=\`which -a ${i}-${prog} | grep -v ${WRAP_DIR}/${i}-${prog} | head -1\`" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "export LD_PRELOAD='/usr/\$LIB/faketime/libfaketime.so.1'" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "export FAKETIME=\"$1\"" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "exec \"\$REAL\" \"\$@\"" >> $WRAP_DIR/${i}-${prog}
|
||||
chmod +x ${WRAP_DIR}/${i}-${prog}
|
||||
touch -d "${REFERENCE_DATETIME}" ${WRAP_DIR}/${i}-${prog}
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
pip3 install --upgrade pip setuptools wheel
|
||||
pip3 install lief==0.12.1
|
||||
|
||||
# Faketime for depends so intermediate results are comparable
|
||||
export PATH_orig=${PATH}
|
||||
create_global_faketime_wrappers "2000-01-01 12:00:00"
|
||||
create_per-host_faketime_wrappers "2000-01-01 12:00:00"
|
||||
export PATH=${WRAP_DIR}:${PATH}
|
||||
|
||||
cd dash
|
||||
BASEPREFIX="${PWD}/depends"
|
||||
|
||||
mkdir -p ${BASEPREFIX}/SDKs
|
||||
tar -C ${BASEPREFIX}/SDKs -xf ${BUILD_DIR}/Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers.tar.gz
|
||||
|
||||
# Build dependencies for each host
|
||||
for i in $HOSTS; do
|
||||
make ${MAKEOPTS} -C ${BASEPREFIX} HOST="${i}"
|
||||
done
|
||||
|
||||
# Faketime for binaries
|
||||
export PATH=${PATH_orig}
|
||||
create_global_faketime_wrappers "${REFERENCE_DATETIME}"
|
||||
create_per-host_faketime_wrappers "${REFERENCE_DATETIME}"
|
||||
export PATH=${WRAP_DIR}:${PATH}
|
||||
|
||||
# Define DISTNAME variable.
|
||||
# shellcheck source=contrib/gitian-descriptors/assign_DISTNAME
|
||||
source contrib/gitian-descriptors/assign_DISTNAME
|
||||
|
||||
GIT_ARCHIVE="${OUTDIR}/src/${DISTNAME}.tar.gz"
|
||||
|
||||
# Create the source tarball
|
||||
mkdir -p "$(dirname "$GIT_ARCHIVE")"
|
||||
git archive --prefix="${DISTNAME}/" --output="$GIT_ARCHIVE" HEAD
|
||||
|
||||
ORIGPATH="$PATH"
|
||||
# Extract the git archive into a dir for each host and build
|
||||
for i in ${HOSTS}; do
|
||||
export PATH=${BASEPREFIX}/${i}/native/bin:${ORIGPATH}
|
||||
mkdir -p distsrc-${i}
|
||||
cd distsrc-${i}
|
||||
INSTALLPATH="${PWD}/installed/${DISTNAME}"
|
||||
mkdir -p ${INSTALLPATH}
|
||||
tar --strip-components=1 -xf "${GIT_ARCHIVE}"
|
||||
|
||||
./autogen.sh
|
||||
CONFIG_SITE=${BASEPREFIX}/${i}/share/config.site ./configure --prefix=/ --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS}
|
||||
make ${MAKEOPTS}
|
||||
make -C src osx_debug
|
||||
make ${MAKEOPTS} -C src check-security
|
||||
make ${MAKEOPTS} -C src check-symbols
|
||||
make install-strip DESTDIR=${INSTALLPATH}
|
||||
|
||||
make osx_volname
|
||||
make deploydir
|
||||
mkdir -p unsigned-app-${i}
|
||||
cp osx_volname unsigned-app-${i}/
|
||||
cp contrib/macdeploy/detached-sig-apply.sh unsigned-app-${i}
|
||||
cp contrib/macdeploy/detached-sig-create.sh unsigned-app-${i}
|
||||
cp ${BASEPREFIX}/${i}/native/bin/dmg unsigned-app-${i}
|
||||
mv dist unsigned-app-${i}
|
||||
pushd unsigned-app-${i}
|
||||
find . | sort | tar --mtime="$REFERENCE_DATETIME" --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-osx-unsigned.tar.gz
|
||||
popd
|
||||
|
||||
make deploy OSX_DMG="${OUTDIR}/${DISTNAME}-osx-unsigned.dmg"
|
||||
|
||||
cd installed
|
||||
find . -name "lib*.la" -delete
|
||||
find . -name "lib*.a" -delete
|
||||
rm -rf ${DISTNAME}/lib/pkgconfig
|
||||
find .. -name "*.dSYM" -exec cp -ra {} ${DISTNAME}/bin \;
|
||||
find ${DISTNAME} -not -path '*.dSYM*' | sort | tar --mtime="$REFERENCE_DATETIME" --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-${i}.tar.gz
|
||||
find ${DISTNAME} -path '*.dSYM*' | sort | tar --mtime="$REFERENCE_DATETIME" --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-${i}-debug.tar.gz
|
||||
cd ../../
|
||||
done
|
||||
mv ${OUTDIR}/${DISTNAME}-x86_64-apple-darwin.tar.gz ${OUTDIR}/${DISTNAME}-osx64.tar.gz
|
||||
mv ${OUTDIR}/${DISTNAME}-x86_64-apple-darwin-debug.tar.gz ${OUTDIR}/${DISTNAME}-osx64-debug.tar.gz
|
||||
|
||||
# Compress ccache (otherwise the assert file will get too huge)
|
||||
if [ "$CCACHE_DIR" != "" ]; then
|
||||
pushd ${GBUILD_PACKAGE_CACHE}
|
||||
tar cf ccache.tar ccache
|
||||
rm -rf ccache
|
||||
popd
|
||||
fi
|
@ -1,42 +0,0 @@
|
||||
---
|
||||
name: "dash-win-signer"
|
||||
distro: "ubuntu"
|
||||
suites:
|
||||
- "focal"
|
||||
architectures:
|
||||
- "amd64"
|
||||
packages:
|
||||
- "libssl-dev" # do not merge bitcoin#13782, see https://github.com/dashpay/dash/pull/3894
|
||||
- "autoconf"
|
||||
- "automake"
|
||||
- "libtool"
|
||||
- "pkg-config"
|
||||
remotes:
|
||||
- "url": "https://github.com/dashpay/dash-detached-sigs.git"
|
||||
"dir": "signature"
|
||||
files:
|
||||
- "osslsigncode-2.0.tar.gz"
|
||||
- "dashcore-win-unsigned.tar.gz"
|
||||
script: |
|
||||
set -e -o pipefail
|
||||
|
||||
BUILD_DIR="$PWD"
|
||||
SIGDIR=${BUILD_DIR}/signature/win
|
||||
UNSIGNED_DIR=${BUILD_DIR}/unsigned
|
||||
|
||||
echo "5a60e0a4b3e0b4d655317b2f12a810211c50242138322b16e7e01c6fbb89d92f osslsigncode-2.0.tar.gz" | sha256sum -c
|
||||
|
||||
mkdir -p ${UNSIGNED_DIR}
|
||||
tar -C ${UNSIGNED_DIR} -xf dashcore-win-unsigned.tar.gz
|
||||
|
||||
tar xf osslsigncode-2.0.tar.gz
|
||||
cd osslsigncode-2.0
|
||||
|
||||
./autogen.sh
|
||||
./configure --without-gsf --without-curl --disable-dependency-tracking
|
||||
make
|
||||
find ${UNSIGNED_DIR} -name "*-unsigned.exe" | while read i; do
|
||||
INFILE="$(basename "${i}")"
|
||||
OUTFILE="${INFILE/-unsigned}"
|
||||
./osslsigncode attach-signature -in "${i}" -out "${OUTDIR}/${OUTFILE}" -sigin "${SIGDIR}/${INFILE}.pem"
|
||||
done
|
@ -1,197 +0,0 @@
|
||||
---
|
||||
name: "dash-win-20"
|
||||
enable_cache: true
|
||||
distro: "ubuntu"
|
||||
suites:
|
||||
- "focal"
|
||||
architectures:
|
||||
- "amd64"
|
||||
packages:
|
||||
- "curl"
|
||||
- "cmake"
|
||||
- "g++"
|
||||
- "git"
|
||||
- "pkg-config"
|
||||
- "autoconf"
|
||||
- "libtool"
|
||||
- "automake"
|
||||
- "faketime"
|
||||
- "bsdmainutils"
|
||||
- "mingw-w64"
|
||||
- "g++-mingw-w64"
|
||||
- "nsis"
|
||||
- "zip"
|
||||
- "ca-certificates"
|
||||
- "python3"
|
||||
- "python3-pip"
|
||||
- "python3-setuptools"
|
||||
- "ccache"
|
||||
remotes:
|
||||
- "url": "https://github.com/dashpay/dash.git"
|
||||
"dir": "dash"
|
||||
files: []
|
||||
script: |
|
||||
set -e -o pipefail
|
||||
|
||||
WRAP_DIR=$HOME/wrapped
|
||||
HOSTS="x86_64-w64-mingw32"
|
||||
CONFIGFLAGS="--enable-reduce-exports --disable-miner --disable-bench --disable-gui-tests --disable-fuzz-binary --enable-crash-hooks"
|
||||
FAKETIME_HOST_PROGS="ar ranlib nm windres strip objcopy"
|
||||
FAKETIME_PROGS="date makensis zip"
|
||||
HOST_CFLAGS="-O2 -g -fno-ident"
|
||||
HOST_CXXFLAGS="-O2 -g -fno-ident"
|
||||
|
||||
export TZ="UTC"
|
||||
export BUILD_DIR="$PWD"
|
||||
mkdir -p ${WRAP_DIR}
|
||||
if test -n "$GBUILD_CACHE_ENABLED"; then
|
||||
export SOURCES_PATH=${GBUILD_COMMON_CACHE}
|
||||
export BASE_CACHE=${GBUILD_PACKAGE_CACHE}/depends
|
||||
mkdir -p ${BASE_CACHE} ${SOURCES_PATH}
|
||||
|
||||
# Setup ccache to use correct cache directories and fix the compiler check of ccache
|
||||
CONFIGFLAGS="${CONFIGFLAGS} --enable-ccache"
|
||||
export CCACHE_DIR=${GBUILD_PACKAGE_CACHE}/ccache
|
||||
# As we later wrap the gcc binaries, this is fast
|
||||
export CCACHE_COMPILERCHECK="content"
|
||||
if [ -f ${GBUILD_PACKAGE_CACHE}/ccache.tar ]; then
|
||||
pushd ${GBUILD_PACKAGE_CACHE}
|
||||
tar xf ccache.tar
|
||||
rm ccache.tar
|
||||
popd
|
||||
fi
|
||||
# instead of compressing ccache.tar, we let ccache handle it by itself
|
||||
# Otherwise we end up uncompressing/compressing a lot of cache files which we actually never use
|
||||
export CCACHE_COMPRESS=1
|
||||
else
|
||||
CONFIGFLAGS="${CONFIGFLAGS} --disable-ccache"
|
||||
fi
|
||||
|
||||
# We include the GCC version in all wrappers so that ccache can detect compiler upgrades when hashing the wrappers
|
||||
GCCVERSION=$(gcc --version | head -1)
|
||||
|
||||
# Use $LIB in LD_PRELOAD to avoid hardcoding the dir (See `man ld.so`)
|
||||
function create_global_faketime_wrappers {
|
||||
for prog in ${FAKETIME_PROGS}; do
|
||||
echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${prog}
|
||||
echo "# GCCVERSION=${GCCVERSION}" >> ${WRAP_DIR}/${prog}
|
||||
echo "REAL=\`which -a ${prog} | grep -v ${WRAP_DIR}/${prog} | head -1\`" >> ${WRAP_DIR}/${prog}
|
||||
echo "export LD_PRELOAD='/usr/\$LIB/faketime/libfaketime.so.1'" >> ${WRAP_DIR}/${prog}
|
||||
echo "export FAKETIME=\"$1\"" >> ${WRAP_DIR}/${prog}
|
||||
echo "exec \"\$REAL\" \"\$@\"" >> $WRAP_DIR/${prog}
|
||||
chmod +x ${WRAP_DIR}/${prog}
|
||||
touch -d "${REFERENCE_DATETIME}" ${WRAP_DIR}/${prog}
|
||||
done
|
||||
}
|
||||
|
||||
function create_per-host_faketime_wrappers {
|
||||
for i in $HOSTS; do
|
||||
for prog in ${FAKETIME_HOST_PROGS}; do
|
||||
echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${i}-${prog}
|
||||
echo "# GCCVERSION=${GCCVERSION}" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "REAL=\`which -a ${i}-${prog} | grep -v ${WRAP_DIR}/${i}-${prog} | head -1\`" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "export LD_PRELOAD='/usr/\$LIB/faketime/libfaketime.so.1'" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "export FAKETIME=\"$1\"" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "exec \"\$REAL\" \"\$@\"" >> $WRAP_DIR/${i}-${prog}
|
||||
chmod +x ${WRAP_DIR}/${i}-${prog}
|
||||
touch -d "${REFERENCE_DATETIME}" ${WRAP_DIR}/${i}-${prog}
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
function create_per-host_compiler_wrapper {
|
||||
# -posix variant is required for c++11 threading.
|
||||
for i in $HOSTS; do
|
||||
for prog in gcc g++; do
|
||||
echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${i}-${prog}
|
||||
echo "# GCCVERSION=${GCCVERSION}" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "REAL=\`which -a ${i}-${prog}-posix | grep -v ${WRAP_DIR}/${i}-${prog} | head -1\`" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo '# Add the gcc version to the wrapper so that ccache takes this into account (we use CCACHE_COMPILERCHECK=content)' >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "# $(${prog} --version | head -1)" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "export LD_PRELOAD='/usr/\$LIB/faketime/libfaketime.so.1'" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "export FAKETIME=\"$1\"" >> ${WRAP_DIR}/${i}-${prog}
|
||||
echo "exec \"\$REAL\" \"\$@\"" >> $WRAP_DIR/${i}-${prog}
|
||||
chmod +x ${WRAP_DIR}/${i}-${prog}
|
||||
touch -d "${REFERENCE_DATETIME}" ${WRAP_DIR}/${i}-${prog}
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
pip3 install --upgrade pip setuptools wheel
|
||||
pip3 install lief==0.12.1
|
||||
|
||||
# Faketime for depends so intermediate results are comparable
|
||||
export PATH_orig=${PATH}
|
||||
create_global_faketime_wrappers "2000-01-01 12:00:00"
|
||||
create_per-host_faketime_wrappers "2000-01-01 12:00:00"
|
||||
create_per-host_compiler_wrapper "2000-01-01 12:00:00"
|
||||
export PATH=${WRAP_DIR}:${PATH}
|
||||
|
||||
cd dash
|
||||
BASEPREFIX="${PWD}/depends"
|
||||
# Build dependencies for each host
|
||||
for i in $HOSTS; do
|
||||
make ${MAKEOPTS} -C ${BASEPREFIX} HOST="${i}"
|
||||
done
|
||||
|
||||
# Faketime for binaries
|
||||
export PATH=${PATH_orig}
|
||||
create_global_faketime_wrappers "${REFERENCE_DATETIME}"
|
||||
create_per-host_faketime_wrappers "${REFERENCE_DATETIME}"
|
||||
create_per-host_compiler_wrapper "${REFERENCE_DATETIME}"
|
||||
export PATH=${WRAP_DIR}:${PATH}
|
||||
|
||||
# Define DISTNAME variable.
|
||||
# shellcheck source=contrib/gitian-descriptors/assign_DISTNAME
|
||||
source contrib/gitian-descriptors/assign_DISTNAME
|
||||
|
||||
GIT_ARCHIVE="${OUTDIR}/src/${DISTNAME}.tar.gz"
|
||||
|
||||
# Create the source tarball
|
||||
mkdir -p "$(dirname "$GIT_ARCHIVE")"
|
||||
git archive --prefix="${DISTNAME}/" --output="$GIT_ARCHIVE" HEAD
|
||||
|
||||
ORIGPATH="$PATH"
|
||||
# Extract the git archive into a dir for each host and build
|
||||
for i in ${HOSTS}; do
|
||||
export PATH=${BASEPREFIX}/${i}/native/bin:${ORIGPATH}
|
||||
mkdir -p distsrc-${i}
|
||||
cd distsrc-${i}
|
||||
INSTALLPATH="${PWD}/installed/${DISTNAME}"
|
||||
mkdir -p ${INSTALLPATH}
|
||||
tar --strip-components=1 -xf "${GIT_ARCHIVE}"
|
||||
|
||||
./autogen.sh
|
||||
CONFIG_SITE=${BASEPREFIX}/${i}/share/config.site ./configure --prefix=/ --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS} CFLAGS="${HOST_CFLAGS}" CXXFLAGS="${HOST_CXXFLAGS}"
|
||||
make ${MAKEOPTS}
|
||||
make ${MAKEOPTS} -C src check-security
|
||||
make ${MAKEOPTS} -C src check-symbols
|
||||
make deploy BITCOIN_WIN_INSTALLER="${OUTDIR}/${DISTNAME}-win64-setup-unsigned.exe"
|
||||
make install DESTDIR=${INSTALLPATH}
|
||||
cd installed
|
||||
mv ${DISTNAME}/bin/*.dll ${DISTNAME}/lib/
|
||||
find . -name "lib*.la" -delete
|
||||
find . -name "lib*.a" -delete
|
||||
rm -rf ${DISTNAME}/lib/pkgconfig
|
||||
find ${DISTNAME}/bin -type f -executable -print0 | xargs -0 -n1 -I{} ../contrib/devtools/split-debug.sh {} {} {}.dbg
|
||||
find ${DISTNAME}/lib -type f -print0 | xargs -0 -n1 -I{} ../contrib/devtools/split-debug.sh {} {} {}.dbg
|
||||
cp ../doc/README_windows.txt ${DISTNAME}/readme.txt
|
||||
find ${DISTNAME} -not -name "*.dbg" -type f | sort | zip -X@ ${OUTDIR}/${DISTNAME}-${i//x86_64-w64-mingw32/win64}.zip
|
||||
find ${DISTNAME} -name "*.dbg" -type f | sort | zip -X@ ${OUTDIR}/${DISTNAME}-${i//x86_64-w64-mingw32/win64}-debug.zip
|
||||
cd ../../
|
||||
rm -rf distsrc-${i}
|
||||
done
|
||||
|
||||
cp -rf contrib/windeploy $BUILD_DIR
|
||||
cd $BUILD_DIR/windeploy
|
||||
mkdir unsigned
|
||||
cp ${OUTDIR}/${DISTNAME}-win64-setup-unsigned.exe unsigned/
|
||||
find . | sort | tar --mtime="$REFERENCE_DATETIME" --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz
|
||||
|
||||
# Compress ccache (otherwise the assert file will get too huge)
|
||||
if [ "$CCACHE_DIR" != "" ]; then
|
||||
pushd ${GBUILD_PACKAGE_CACHE}
|
||||
tar cf ccache.tar ccache
|
||||
rm -rf ccache
|
||||
popd
|
||||
fi
|
@ -90,9 +90,9 @@ Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk
|
||||
|
||||
See the SDK Extraction notes above for how to obtain it.
|
||||
|
||||
The Gitian descriptors build 2 sets of files: Linux tools, then Apple binaries which are
|
||||
The Guix process build 2 sets of files: Linux tools, then Apple binaries which are
|
||||
created using these tools. The build process has been designed to avoid including the
|
||||
SDK's files in Gitian's outputs. All interim tarballs are fully deterministic and may be freely
|
||||
SDK's files in Guix's outputs. All interim tarballs are fully deterministic and may be freely
|
||||
redistributed.
|
||||
|
||||
[`xorrisofs`](https://www.gnu.org/software/xorriso/) is used to create the DMG.
|
||||
@ -113,11 +113,12 @@ order to satisfy the new Gatekeeper requirements. Because this private key canno
|
||||
shared, we'll have to be a bit creative in order for the build process to remain somewhat
|
||||
deterministic. Here's how it works:
|
||||
|
||||
- Builders use Gitian to create an unsigned release. This outputs an unsigned DMG which
|
||||
- Builders use Guix to create an unsigned release. This outputs an unsigned DMG which
|
||||
users may choose to bless and run. It also outputs an unsigned app structure in the form
|
||||
of a tarball, which also contains all of the tools that have been previously (deterministically)
|
||||
built in order to create a final DMG.
|
||||
- The Apple keyholder uses this unsigned app to create a detached signature, using the
|
||||
script that is also included there. Detached signatures are available
|
||||
- Builders feed the unsigned app + detached signature back into Gitian. It uses the
|
||||
script that is also included there. Detached signatures are available from this [repository](https://github.com/dashpay/dash-detached-sigs).
|
||||
|
||||
- Builders feed the unsigned app + detached signature back into Guix. It uses the
|
||||
pre-built tools to recombine the pieces into a deterministic DMG.
|
||||
|
@ -39,7 +39,7 @@ The following are developer notes on how to build Dash Core on your native platf
|
||||
- [Windows Build Notes](build-windows.md)
|
||||
- [OpenBSD Build Notes](build-openbsd.md)
|
||||
- [NetBSD Build Notes](build-netbsd.md)
|
||||
- [Gitian Building Guide](gitian-building.md)
|
||||
- [Android Build Notes](build-android.md)
|
||||
|
||||
Development
|
||||
---------------------
|
||||
|
@ -1,494 +0,0 @@
|
||||
Gitian building
|
||||
================
|
||||
|
||||
*Setup instructions for a Gitian build of Dash Core using a Debian VM or physical system.*
|
||||
|
||||
Gitian is the deterministic build process that is used to build the Dash
|
||||
Core executables. It provides a way to be reasonably sure that the
|
||||
executables are really built from the source on GitHub. It also makes sure that
|
||||
the same, tested dependencies are used and statically built into the executable.
|
||||
|
||||
Multiple developers build the source code by following a specific descriptor
|
||||
("recipe"), cryptographically sign the result, and upload the resulting signature.
|
||||
These results are compared and only if they match, the build is accepted and uploaded
|
||||
to dash.org.
|
||||
|
||||
More independent Gitian builders are needed, which is why this guide exists.
|
||||
It is preferred you follow these steps yourself instead of using someone else's
|
||||
VM image to avoid 'contaminating' the build.
|
||||
|
||||
Table of Contents
|
||||
------------------
|
||||
|
||||
- [Create a new VirtualBox VM](#create-a-new-virtualbox-vm)
|
||||
- [Connecting to the VM](#connecting-to-the-vm)
|
||||
- [Setting up Debian for Gitian building](#setting-up-debian-for-gitian-building)
|
||||
- [Installing Gitian](#installing-gitian)
|
||||
- [Setting up the Gitian image](#setting-up-the-gitian-image)
|
||||
- [Getting and building the inputs](#getting-and-building-the-inputs)
|
||||
- [Building Dash Core](#building-dash-core)
|
||||
- [Building an alternative repository](#building-an-alternative-repository)
|
||||
- [Signing externally](#signing-externally)
|
||||
- [Uploading signatures](#uploading-signatures)
|
||||
|
||||
Preparing the Gitian builder host
|
||||
---------------------------------
|
||||
|
||||
The first step is to prepare the host environment that will be used to perform the Gitian builds.
|
||||
This guide explains how to set up the environment, and how to start the builds.
|
||||
|
||||
Debian Linux was chosen as the host distribution because it has a lightweight install (in contrast to Ubuntu) and is readily available.
|
||||
Any kind of virtualization can be used, for example:
|
||||
- [VirtualBox](https://www.virtualbox.org/) (covered by this guide)
|
||||
- [KVM](http://www.linux-kvm.org/page/Main_Page)
|
||||
- [LXC](https://linuxcontainers.org/), see also [Gitian host docker container](https://github.com/gdm85/tenku/tree/master/docker/gitian-bitcoin-host/README.md).
|
||||
|
||||
You can also install Gitian on actual hardware instead of using virtualization.
|
||||
|
||||
Create a new VirtualBox VM
|
||||
---------------------------
|
||||
In the VirtualBox GUI click "New" and choose the following parameters in the wizard:
|
||||
|
||||
![](gitian-building/create_new_vm.png)
|
||||
|
||||
- Type: Linux, Debian (64-bit)
|
||||
|
||||
![](gitian-building/create_vm_memsize.png)
|
||||
|
||||
- Memory Size: at least 3000MB, anything less and the build might not complete.
|
||||
|
||||
![](gitian-building/create_vm_hard_disk.png)
|
||||
|
||||
- Hard Disk: Create a virtual hard disk now
|
||||
|
||||
![](gitian-building/create_vm_hard_disk_file_type.png)
|
||||
|
||||
- Hard Disk file type: Use the default, VDI (VirtualBox Disk Image)
|
||||
|
||||
![](gitian-building/create_vm_storage_physical_hard_disk.png)
|
||||
|
||||
- Storage on physical hard disk: Dynamically Allocated
|
||||
|
||||
![](gitian-building/create_vm_file_location_size.png)
|
||||
|
||||
- File location and size: at least 40GB; as low as 20GB *may* be possible, but better to err on the safe side
|
||||
- Click `Create`
|
||||
|
||||
After creating the VM, we need to configure it.
|
||||
|
||||
- Click the `Settings` button, then go to `System` tab and `Processor` sub-tab. Increase the number of processors to the number of cores on your machine if you want builds to be faster.
|
||||
|
||||
![](gitian-building/system_settings.png)
|
||||
|
||||
- Go to the `Network` tab. Adapter 1 should be attached to `NAT`.
|
||||
|
||||
![](gitian-building/network_settings.png)
|
||||
|
||||
- Click `Advanced`, then `Port Forwarding`. We want to set up a port through which we can reach the VM to get files in and out.
|
||||
- Create a new rule by clicking the plus icon.
|
||||
|
||||
![](gitian-building/port_forwarding_rules.png)
|
||||
|
||||
- Set up the new rule the following way:
|
||||
- Name: `SSH`
|
||||
- Protocol: `TCP`
|
||||
- Leave Host IP empty
|
||||
- Host Port: `22222`
|
||||
- Leave Guest IP empty
|
||||
- Guest Port: `22`
|
||||
|
||||
- Click `Ok` twice to save.
|
||||
|
||||
Get the [Debian 8.x net installer](http://cdimage.debian.org/mirror/cdimage/archive/8.5.0/amd64/iso-cd/debian-8.5.0-amd64-netinst.iso) (a more recent minor version should also work, see also [Debian Network installation](https://www.debian.org/CD/netinst/)).
|
||||
This DVD image can be [validated](https://www.debian.org/CD/verify) using a SHA256 hashing tool, for example on
|
||||
Unixy OSes by entering the following in a terminal:
|
||||
|
||||
echo "ad4e8c27c561ad8248d5ebc1d36eb172f884057bfeb2c22ead823f59fa8c3dff debian-8.5.0-amd64-netinst.iso" | sha256sum -c
|
||||
# (must return OK)
|
||||
|
||||
Then start the VM. On the first launch you will be asked for a CD or DVD image. Choose the downloaded ISO.
|
||||
|
||||
![](gitian-building/select_startup_disk.png)
|
||||
|
||||
Installing Debian
|
||||
------------------
|
||||
|
||||
This section will explain how to install Debian on the newly created VM.
|
||||
|
||||
- Choose the non-graphical installer. We do not need the graphical environment; it will only increase installation time and disk usage.
|
||||
|
||||
![](gitian-building/debian_install_1_boot_menu.png)
|
||||
|
||||
**Note**: Navigating in the Debian installer:
|
||||
To keep a setting at the default and proceed, just press `Enter`.
|
||||
To select a different button, press `Tab`.
|
||||
|
||||
- Choose locale and keyboard settings (doesn't matter, you can just go with the defaults or select your own information)
|
||||
|
||||
![](gitian-building/debian_install_2_select_a_language.png)
|
||||
![](gitian-building/debian_install_3_select_location.png)
|
||||
![](gitian-building/debian_install_4_configure_keyboard.png)
|
||||
|
||||
- The VM will detect network settings using DHCP, this should all proceed automatically
|
||||
- Configure the network:
|
||||
- Hostname `debian`.
|
||||
- Leave domain name empty.
|
||||
|
||||
![](gitian-building/debian_install_5_configure_the_network.png)
|
||||
![](gitian-building/debian_install_6_domain_name.png)
|
||||
|
||||
- Choose a root password and enter it twice (remember it for later)
|
||||
|
||||
![](gitian-building/debian_install_6a_set_up_root_password.png)
|
||||
|
||||
- Name the new user `debian` (the full name doesn't matter, you can leave it empty)
|
||||
- Set the account username as `debian`
|
||||
|
||||
![](gitian-building/debian_install_7_set_up_user_fullname.png)
|
||||
![](gitian-building/debian_install_8_set_up_username.png)
|
||||
|
||||
- Choose a user password and enter it twice (remember it for later)
|
||||
|
||||
![](gitian-building/debian_install_9_user_password.png)
|
||||
|
||||
- The installer will set up the clock using a time server; this process should be automatic
|
||||
- Set up the clock: choose a time zone (depends on the locale settings that you picked earlier; specifics don't matter)
|
||||
|
||||
![](gitian-building/debian_install_10_configure_clock.png)
|
||||
|
||||
- Disk setup
|
||||
- Partitioning method: Guided - Use the entire disk
|
||||
|
||||
![](gitian-building/debian_install_11_partition_disks.png)
|
||||
|
||||
- Select disk to partition: SCSI1 (0,0,0)
|
||||
|
||||
![](gitian-building/debian_install_12_choose_disk.png)
|
||||
|
||||
- Partition Disks -> *All files in one partition*
|
||||
|
||||
![](gitian-building/all_files_in_one_partition.png)
|
||||
|
||||
- Finish partitioning and write changes to disk -> *Yes* (`Tab`, `Enter` to select the `Yes` button)
|
||||
|
||||
![](gitian-building/debian_install_14_finish.png)
|
||||
![](gitian-building/debian_install_15_write_changes.png)
|
||||
|
||||
- The base system will be installed, this will take a minute or so
|
||||
- Choose a mirror (any will do)
|
||||
|
||||
![](gitian-building/debian_install_16_choose_a_mirror.png)
|
||||
|
||||
- Enter proxy information (unless you are on an intranet, leave this empty)
|
||||
|
||||
![](gitian-building/debian_install_18_proxy_settings.png)
|
||||
|
||||
- Wait a bit while 'Select and install software' runs
|
||||
- Participate in popularity contest -> *No*
|
||||
- Choose software to install. We need just the base system.
|
||||
- Make sure only 'SSH server' and 'Standard System Utilities' are checked
|
||||
- Uncheck 'Debian Desktop Environment' and 'Print Server'
|
||||
|
||||
![](gitian-building/debian_install_19_software_selection.png)
|
||||
|
||||
- Install the GRUB boot loader to the master boot record? -> Yes
|
||||
|
||||
![](gitian-building/debian_install_20_install_grub.png)
|
||||
|
||||
- Device for boot loader installation -> ata-VBOX_HARDDISK
|
||||
|
||||
![](gitian-building/debian_install_21_install_grub_bootloader.png)
|
||||
|
||||
- Installation Complete -> *Continue*
|
||||
- After installation, the VM will reboot and you will have a working Debian VM. Congratulations!
|
||||
|
||||
![](gitian-building/debian_install_22_finish_installation.png)
|
||||
|
||||
|
||||
After Installation
|
||||
-------------------
|
||||
The next step in the guide involves logging in as root via SSH.
|
||||
SSH login for root users is disabled by default, so we'll enable that now.
|
||||
|
||||
Login to the VM using username `root` and the root password you chose earlier.
|
||||
You'll be presented with a screen similar to this.
|
||||
|
||||
![](gitian-building/debian_root_login.png)
|
||||
|
||||
Type:
|
||||
|
||||
```
|
||||
sed -i 's/^PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
|
||||
```
|
||||
and press enter. Then,
|
||||
```
|
||||
/etc/init.d/ssh restart
|
||||
```
|
||||
and enter to restart SSH. Logout by typing 'logout' and pressing 'enter'.
|
||||
|
||||
Connecting to the VM
|
||||
----------------------
|
||||
|
||||
After the VM has booted you can connect to it using SSH, and files can be copied from and to the VM using a SFTP utility.
|
||||
Connect to `localhost`, port `22222` (or the port configured when installing the VM).
|
||||
On Windows you can use [putty](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) and [WinSCP](http://winscp.net/eng/index.php).
|
||||
|
||||
For example, to connect as `root` from a Linux command prompt use
|
||||
|
||||
$ ssh root@localhost -p 22222
|
||||
The authenticity of host '[localhost]:22222 ([127.0.0.1]:22222)' can't be established.
|
||||
RSA key fingerprint is ae:f5:c8:9f:17:c6:c7:1b:c2:1b:12:31:1d:bb:d0:c7.
|
||||
Are you sure you want to continue connecting (yes/no)? yes
|
||||
Warning: Permanently added '[localhost]:22222' (RSA) to the list of known hosts.
|
||||
root@localhost's password: (enter root password configured during install)
|
||||
|
||||
The programs included with the Debian GNU/Linux system are free software;
|
||||
the exact distribution terms for each program are described in the
|
||||
individual files in /usr/share/doc/*/copyright.
|
||||
|
||||
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
|
||||
permitted by applicable law.
|
||||
root@debian:~#
|
||||
|
||||
Replace `root` with `debian` to log in as user.
|
||||
|
||||
Setting up Debian for Gitian building
|
||||
--------------------------------------
|
||||
|
||||
In this section we will be setting up the Debian installation for Gitian building.
|
||||
|
||||
First we need to log in as `root` to set up dependencies and make sure that our
|
||||
user can use the sudo command. Type/paste the following in the terminal:
|
||||
|
||||
```bash
|
||||
apt-get install git ruby sudo apt-cacher-ng qemu-utils debootstrap lxc python-cheetah parted kpartx bridge-utils make ubuntu-archive-keyring curl
|
||||
adduser debian sudo
|
||||
```
|
||||
|
||||
Then set up LXC and the rest with the following, which is a complex jumble of settings and workarounds:
|
||||
|
||||
```bash
|
||||
# the version of lxc-start in Debian needs to run as root, so make sure
|
||||
# that the build script can execute it without providing a password
|
||||
echo "%sudo ALL=NOPASSWD: /usr/bin/lxc-start" > /etc/sudoers.d/gitian-lxc
|
||||
echo "%sudo ALL=NOPASSWD: /usr/bin/lxc-execute" >> /etc/sudoers.d/gitian-lxc
|
||||
# make /etc/rc.local script that sets up bridge between guest and host
|
||||
echo '#!/bin/sh -e' > /etc/rc.local
|
||||
echo 'brctl addbr lxcbr0' >> /etc/rc.local
|
||||
echo 'ifconfig lxcbr0 10.0.3.1/24 up' >> /etc/rc.local
|
||||
echo 'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' >> /etc/rc.local
|
||||
echo 'echo 1 > /proc/sys/net/ipv4/ip_forward' >> /etc/rc.local
|
||||
echo 'exit 0' >> /etc/rc.local
|
||||
# make sure that USE_LXC is always set when logging in as debian,
|
||||
# and configure LXC IP addresses
|
||||
echo 'export USE_LXC=1' >> /home/debian/.profile
|
||||
echo 'export GITIAN_HOST_IP=10.0.3.1' >> /home/debian/.profile
|
||||
echo 'export LXC_GUEST_IP=10.0.3.5' >> /home/debian/.profile
|
||||
reboot
|
||||
```
|
||||
|
||||
At the end the VM is rebooted to make sure that the changes take effect. The steps in this
|
||||
section only need to be performed once.
|
||||
|
||||
Installing Gitian
|
||||
------------------
|
||||
|
||||
Re-login as the user `debian` that was created during installation.
|
||||
The rest of the steps in this guide will be performed as that user.
|
||||
|
||||
There is no `python-vm-builder` package in Debian, so we need to install it from source ourselves,
|
||||
|
||||
```bash
|
||||
wget http://archive.ubuntu.com/ubuntu/pool/universe/v/vm-builder/vm-builder_0.12.4+bzr494.orig.tar.gz
|
||||
echo "76cbf8c52c391160b2641e7120dbade5afded713afaa6032f733a261f13e6a8e vm-builder_0.12.4+bzr494.orig.tar.gz" | sha256sum -c
|
||||
# (verification -- must return OK)
|
||||
tar -zxvf vm-builder_0.12.4+bzr494.orig.tar.gz
|
||||
cd vm-builder-0.12.4+bzr494
|
||||
sudo python setup.py install
|
||||
cd ..
|
||||
```
|
||||
|
||||
**Note**: When sudo asks for a password, enter the password for the user *debian* not for *root*.
|
||||
|
||||
Clone the git repositories for Dash Core and Gitian.
|
||||
|
||||
```bash
|
||||
git clone https://github.com/devrandom/gitian-builder.git
|
||||
git clone https://github.com/dashpay/dash
|
||||
git clone https://github.com/dashpay/gitian.sigs.git
|
||||
```
|
||||
|
||||
Setting up the Gitian image
|
||||
-------------------------
|
||||
|
||||
Gitian needs a virtual image of the operating system to build in.
|
||||
Currently this is Ubuntu Trusty x86_64.
|
||||
This image will be copied and used every time that a build is started to
|
||||
make sure that the build is deterministic.
|
||||
Creating the image will take a while, but only has to be done once.
|
||||
|
||||
Execute the following as user `debian`:
|
||||
|
||||
```bash
|
||||
cd gitian-builder
|
||||
bin/make-base-vm --lxc --arch amd64 --suite focal
|
||||
```
|
||||
|
||||
There will be a lot of warnings printed during the build of the image. These can be ignored.
|
||||
|
||||
**Note**: When sudo asks for a password, enter the password for the user *debian* not for *root*.
|
||||
|
||||
**Note**: Repeat this step when you have upgraded to a newer version of Gitian.
|
||||
|
||||
**Note**: if you get the error message *"bin/make-base-vm: mkfs.ext4: not found"* during this process you have to make the following change in file *"gitian-builder/bin/make-base-vm"* at line 117:
|
||||
```bash
|
||||
# mkfs.ext4 -F $OUT-lxc
|
||||
/sbin/mkfs.ext4 -F $OUT-lxc # (some Gitian environents do NOT find mkfs.ext4. Some do...)
|
||||
```
|
||||
|
||||
Getting and building the inputs
|
||||
--------------------------------
|
||||
|
||||
At this point you have two options, you can either use the automated script (found in [contrib/gitian-build.py](/contrib/gitian-build.py)) or you could manually do everything by following this guide. If you're using the automated script, then run it with the "--setup" command. Afterwards, run it with the "--build" command (example: "contrib/gitian-building.sh -b signer 0.13.0"). Otherwise ignore this.
|
||||
|
||||
Follow the instructions in [doc/release-process.md](release-process.md#fetch-and-create-inputs-first-time-or-when-dependency-versions-change)
|
||||
in the Dash Core repository under 'Fetch and create inputs' to install sources which require
|
||||
manual intervention. Also optionally follow the next step: 'Seed the Gitian sources cache
|
||||
and offline git repositories' which will fetch the remaining files required for building
|
||||
offline.
|
||||
|
||||
Building Dash Core
|
||||
----------------
|
||||
|
||||
To build Dash Core (for Linux, macOS and Windows) just follow the steps under 'perform
|
||||
Gitian builds' in [doc/release-process.md](release-process.md#setup-and-perform-gitian-builds) in the Dash Core repository.
|
||||
|
||||
This may take some time as it will build all the dependencies needed for each descriptor.
|
||||
These dependencies will be cached after a successful build to avoid rebuilding them when possible.
|
||||
|
||||
At any time you can check the package installation and build progress with
|
||||
|
||||
```bash
|
||||
tail -f var/install.log
|
||||
tail -f var/build.log
|
||||
```
|
||||
|
||||
Output from `gbuild` will look something like
|
||||
|
||||
```bash
|
||||
Initialized empty Git repository in /home/debian/gitian-builder/inputs/dash/.git/
|
||||
remote: Counting objects: 57959, done.
|
||||
remote: Total 57959 (delta 0), reused 0 (delta 0), pack-reused 57958
|
||||
Receiving objects: 100% (57959/57959), 53.76 MiB | 484.00 KiB/s, done.
|
||||
Resolving deltas: 100% (41590/41590), done.
|
||||
From https://github.com/dashpay/dash
|
||||
... (new tags, new branch etc)
|
||||
--- Building for focal amd64 ---
|
||||
Stopping target if it is up
|
||||
Making a new image copy
|
||||
stdin: is not a tty
|
||||
Starting target
|
||||
Checking if target is up
|
||||
Preparing build environment
|
||||
Updating apt-get repository (log in var/install.log)
|
||||
Installing additional packages (log in var/install.log)
|
||||
Grabbing package manifest
|
||||
stdin: is not a tty
|
||||
Creating build script (var/build-script)
|
||||
lxc-start: Connection refused - inotify event with no name (mask 32768)
|
||||
Running build script (log in var/build.log)
|
||||
```
|
||||
Building an alternative repository
|
||||
-----------------------------------
|
||||
|
||||
If you want to do a test build of a pull on GitHub it can be useful to point
|
||||
the Gitian builder at an alternative repository, using the same descriptors
|
||||
and inputs.
|
||||
|
||||
For example:
|
||||
```bash
|
||||
URL=https://github.com/crowning-/dash.git
|
||||
COMMIT=b616fb8ef0d49a919b72b0388b091aaec5849b96
|
||||
./bin/gbuild --commit dash=${COMMIT} --url dash=${URL} ../dash/contrib/gitian-descriptors/gitian-linux.yml
|
||||
./bin/gbuild --commit dash=${COMMIT} --url dash=${URL} ../dash/contrib/gitian-descriptors/gitian-win.yml
|
||||
./bin/gbuild --commit dash=${COMMIT} --url dash=${URL} ../dash/contrib/gitian-descriptors/gitian-osx.yml
|
||||
```
|
||||
|
||||
Building fully offline
|
||||
-----------------------
|
||||
|
||||
For building fully offline including attaching signatures to unsigned builds, the detached-sigs repository
|
||||
and the dash git repository with the desired tag must both be available locally, and then gbuild must be
|
||||
told where to find them. It also requires an apt-cacher-ng which is fully-populated but set to offline mode, or
|
||||
manually disabling gitian-builder's use of apt-get to update the VM build environment.
|
||||
|
||||
To configure apt-cacher-ng as an offline cacher, you will need to first populate its cache with the relevant
|
||||
files. You must additionally patch target-bin/bootstrap-fixup to set its apt sources to something other than
|
||||
plain archive.ubuntu.com: us.archive.ubuntu.com works.
|
||||
|
||||
So, if you use LXC:
|
||||
|
||||
```bash
|
||||
export PATH="$PATH":/path/to/gitian-builder/libexec
|
||||
export USE_LXC=1
|
||||
cd /path/to/gitian-builder
|
||||
./libexec/make-clean-vm --suite focal --arch amd64
|
||||
|
||||
LXC_ARCH=amd64 LXC_SUITE=focal on-target -u root apt-get update
|
||||
LXC_ARCH=amd64 LXC_SUITE=focal on-target -u root \
|
||||
-e DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -y install \
|
||||
$( sed -ne '/^packages:/,/[^-] .*/ {/^- .*/{s/"//g;s/- //;p}}' ../dash/contrib/gitian-descriptors/*|sort|uniq )
|
||||
LXC_ARCH=amd64 LXC_SUITE=focal on-target -u root apt-get -q -y purge grub
|
||||
LXC_ARCH=amd64 LXC_SUITE=focal on-target -u root -e DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
|
||||
```
|
||||
|
||||
And then set offline mode for apt-cacher-ng:
|
||||
|
||||
```
|
||||
/etc/apt-cacher-ng/acng.conf
|
||||
[...]
|
||||
Offlinemode: 1
|
||||
[...]
|
||||
|
||||
service apt-cacher-ng restart
|
||||
```
|
||||
|
||||
Then when building, override the remote URLs that gbuild would otherwise pull from the Gitian descriptors::
|
||||
```bash
|
||||
|
||||
cd /some/root/path/
|
||||
git clone https://github.com/dashpay/dash-detached-sigs.git
|
||||
|
||||
BTCPATH=/some/root/path/dash
|
||||
SIGPATH=/some/root/path/dash-detached-sigs
|
||||
|
||||
./bin/gbuild --url dash=${BTCPATH},signature=${SIGPATH} ../dash/contrib/gitian-descriptors/gitian-win-signer.yml
|
||||
```
|
||||
|
||||
Signing externally
|
||||
-------------------
|
||||
|
||||
If you want to do the PGP signing on another device, that's also possible; just define `SIGNER` as mentioned
|
||||
and follow the steps in the build process as normal.
|
||||
|
||||
gpg: skipped "crowning-": secret key not available
|
||||
|
||||
When you execute `gsign` you will get an error from GPG, which can be ignored. Copy the resulting `.assert` files
|
||||
in `gitian.sigs` to your signing machine and do
|
||||
|
||||
```bash
|
||||
gpg --detach-sign ${VERSION}-linux/${SIGNER}/dash-linux-build.assert
|
||||
gpg --detach-sign ${VERSION}-win/${SIGNER}/dash-win-build.assert
|
||||
gpg --detach-sign ${VERSION}-osx-unsigned/${SIGNER}/dash-osx-build.assert
|
||||
```
|
||||
|
||||
This will create the `.sig` files that can be committed together with the `.assert` files to assert your
|
||||
Gitian build.
|
||||
|
||||
Uploading signatures (not yet implemented)
|
||||
---------------------
|
||||
|
||||
In the future it will be possible to push your signatures (both the `.assert` and `.assert.sig` files) to the
|
||||
[dash/gitian.sigs](https://github.com/dashpay/gitian.sigs/) repository, or if that's not possible to create a pull
|
||||
request.
|
||||
There will be an official announcement when this repository is online.
|
@ -22,10 +22,6 @@ disabled=(
|
||||
SC2086 # Double quote to prevent globbing and word splitting.
|
||||
SC2162 # read without -r will mangle backslashes.
|
||||
)
|
||||
disabled_gitian=(
|
||||
SC2094 # Make sure not to read and write the same file in the same pipeline.
|
||||
SC2129 # Consider using { cmd1; cmd2; } >> file instead of individual redirects.
|
||||
)
|
||||
|
||||
EXIT_CODE=0
|
||||
|
||||
@ -46,27 +42,4 @@ if ! "${SHELLCHECK_CMD[@]}" "$EXCLUDE" $SOURCED_FILES $(git ls-files -- '*.sh' |
|
||||
EXIT_CODE=1
|
||||
fi
|
||||
|
||||
if ! command -v yq > /dev/null; then
|
||||
echo "Skipping Gitian descriptor scripts checking since yq is not installed."
|
||||
exit $EXIT_CODE
|
||||
fi
|
||||
|
||||
if ! command -v jq > /dev/null; then
|
||||
echo "Skipping Gitian descriptor scripts checking since jq is not installed."
|
||||
exit $EXIT_CODE
|
||||
fi
|
||||
|
||||
EXCLUDE_GITIAN=${EXCLUDE}",$(IFS=','; echo "${disabled_gitian[*]}")"
|
||||
for descriptor in $(git ls-files -- 'contrib/gitian-descriptors/*.yml')
|
||||
do
|
||||
script=$(basename "$descriptor")
|
||||
# Use #!/bin/bash as gitian-builder/bin/gbuild does to complete a script.
|
||||
echo "#!/bin/bash" > $script
|
||||
yq -r .script "$descriptor" >> $script
|
||||
if ! "${SHELLCHECK_CMD[@]}" "$EXCLUDE_GITIAN" $script; then
|
||||
EXIT_CODE=1
|
||||
fi
|
||||
rm $script
|
||||
done
|
||||
|
||||
exit $EXIT_CODE
|
||||
|
Loading…
Reference in New Issue
Block a user