Merge bitcoin/bitcoin#21664: contrib: use LIEF for macOS and Windows symbol & security checks

7fc5e865b93af59364e9c8bf75ec68b4decc7e5d test: install lief in CI (fanquake)
955140b3265d3bcb9504c61d73fbfdadfff8a2b2 contrib: consolidate PIE and NX security checks (fanquake)
2aa1631822b2fdbc6cf7a3dcd99adaf4d2745ed4 contrib: use LIEF in PE symbol checks (fanquake)
e93ac26b8563576345c13e83c777dd39e7616b1e contrib: use LIEF in macOS symbol checks (fanquake)
a632cbcee5ae982f50aba625713b7686aef29168 contrib: use f strings in symbol-check.py (fanquake)
0f5d77c8e4db691733edb455dd9e31dabe933b8d contrib: add PE PIE check to security checks (fanquake)
8e1f40dd9a5135dbdec2c25961fbd0729a42254c contrib: use LIEF for PE security checks (fanquake)
a25b2e965c93fe2a46a2f8f1e7bdf5642d453511 contrib: use LIEF for macOS security checks (fanquake)
7e7eae7aa86ab95c44eed601f8c993285a256bbc contrib: use f strings in security-check.py (fanquake)
2e7a9f7ade0c7b31e762c0ddb9e0944a0d9c798e guix: install LIEF in Guix container (fanquake)
465967b5ef4b4f02e9d6783a94eca012d4ebcdab gitian: install LIEF in gitian container (fanquake)

Pull request description:

  This PR is a proof of concept for using [LIEF](https://github.com/lief-project/LIEF) for the PE and MACHO symbol and security checks. It replaces our current approach of manually parsing the output of `objdump` & `otool`. If the consensus is that using LIEF is ok, then I also plan on replacing [pixie.py](https://github.com/bitcoin/bitcoin/blob/master/contrib/devtools/pixie.py), and using LIEF for all checks. LIEF for Linux is also currently blocked (on the next release, unless we want to build master) on one change for RISC-V that I [sent upstream](https://github.com/lief-project/LIEF/pull/562).

  LIEF is seemingly well maintained, and is the basis for a number of other tools. It also has some very nice documentation; i.e the [Python API for ELF](https://lief.quarkslab.com/doc/latest/api/python/elf.html). It also has many builtins we can take advantage of. i.e [`is_pie`](https://lief.quarkslab.com/doc/latest/api/python/macho.html#lief.MachO.Binary.is_pie), [`has_nx`](https://lief.quarkslab.com/doc/latest/api/python/macho.html#lief.MachO.Binary.has_nx) etc. This means we can [consolidate some of our checks](https://github.com/bitcoin/bitcoin/commit/9c5eeb54848f428109ec24dff55f189a5358e9bc). If/when end up using LIEF for lightning then we can consolidate further, and cleanup these scripts. i.e to not parse the binary inside the checks, but once at the start of the script.

  Guix builds:
  ```bash
  # find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
  963a08638c46f9a3d75cd4b0c155d1ca091bbeba27167291adcd3dca03fd4c3d  guix-build-f51237d94d98/output/aarch64-linux-gnu/bitcoin-f51237d94d98-aarch64-linux-gnu-debug.tar.gz
  a3ce927c46b103789a010c41a6ebfafe4548d90ee7d88f2a735c9183b775da5c  guix-build-f51237d94d98/output/aarch64-linux-gnu/bitcoin-f51237d94d98-aarch64-linux-gnu.tar.gz
  2503ac8901068805d5e7251fd5cfeb7c1f8ba3528bdfcf3aa1e0c40bfd5c1cbc  guix-build-f51237d94d98/output/arm-linux-gnueabihf/bitcoin-f51237d94d98-arm-linux-gnueabihf-debug.tar.gz
  5798697e58e1788df85aa9e2e4d33fef0456169fcbd2521f13b3b5806ac0d84d  guix-build-f51237d94d98/output/arm-linux-gnueabihf/bitcoin-f51237d94d98-arm-linux-gnueabihf.tar.gz
  4185adebc6a0abe7241a3cd409a6ab7be031c26f1c4245e30bb5f87eef0925d2  guix-build-f51237d94d98/output/dist-archive/bitcoin-f51237d94d98.tar.gz
  9b4b8756c5c84295eb6b61b6b32a07a8d07723fb38aaa8f519b6133935061bda  guix-build-f51237d94d98/output/powerpc64-linux-gnu/bitcoin-f51237d94d98-powerpc64-linux-gnu-debug.tar.gz
  cbd821aa464a9c16f7979dbec1a5e66939e777a567f55f7081499a8d528d42c5  guix-build-f51237d94d98/output/powerpc64-linux-gnu/bitcoin-f51237d94d98-powerpc64-linux-gnu.tar.gz
  abed530a82e97e3cf621c90a13c0881b0e39ccce2a6f42a3ff80de76e2abc5f7  guix-build-f51237d94d98/output/powerpc64le-linux-gnu/bitcoin-f51237d94d98-powerpc64le-linux-gnu-debug.tar.gz
  8b6d2bdd8b58ff1f6072bf8693abe3ce773ff3a7d8d2b7218207e69945b9d31b  guix-build-f51237d94d98/output/powerpc64le-linux-gnu/bitcoin-f51237d94d98-powerpc64le-linux-gnu.tar.gz
  d99cc705032d22ae819975992216899ed960ba25871a05c8789d00b80418511f  guix-build-f51237d94d98/output/riscv64-linux-gnu/bitcoin-f51237d94d98-riscv64-linux-gnu-debug.tar.gz
  5240ca4f4ef7c62088185224ac319ad9a4a9b40075df10af18d8a6355bca32fb  guix-build-f51237d94d98/output/riscv64-linux-gnu/bitcoin-f51237d94d98-riscv64-linux-gnu.tar.gz
  adc16eaee4b51e8615ce8b3be9f6c018698237df4ad6e0886cf0d4ab6bc9e5c4  guix-build-f51237d94d98/output/x86_64-apple-darwin18/bitcoin-f51237d94d98-osx-unsigned.dmg
  b188af0572ee682d74cc82c7e6e464115205fc130a457cfe19d42ac9ddd267f8  guix-build-f51237d94d98/output/x86_64-apple-darwin18/bitcoin-f51237d94d98-osx-unsigned.tar.gz
  e764062fde144e6fb5d6dd776c10fc2daa8d775831f7e43247d17a6c6e060c97  guix-build-f51237d94d98/output/x86_64-apple-darwin18/bitcoin-f51237d94d98-osx64.tar.gz
  dab3d26ac94c669140f7329d14e57ef02b0fe92b8a8f9d96c32a416adea0da0f  guix-build-f51237d94d98/output/x86_64-linux-gnu/bitcoin-f51237d94d98-x86_64-linux-gnu-debug.tar.gz
  ca59d4379fbe2b9a52deebeaf88508e0eda4215f28d319aff0781289dd159712  guix-build-f51237d94d98/output/x86_64-linux-gnu/bitcoin-f51237d94d98-x86_64-linux-gnu.tar.gz
  52b7c35321a85c4f6c95bf0e687574454b71ede9bec1c9cf17f37c578c888a94  guix-build-f51237d94d98/output/x86_64-w64-mingw32/bitcoin-f51237d94d98-win-unsigned.tar.gz
  a543895a00f8ffb3ba50ca68396d52ad5a18dd8efe38730e0049dd70d283a092  guix-build-f51237d94d98/output/x86_64-w64-mingw32/bitcoin-f51237d94d98-win64-debug.zip
  aec050d03c65268a986148500f7341cceb8c5f85287e0e3cde8933ce4b4dee32  guix-build-f51237d94d98/output/x86_64-w64-mingw32/bitcoin-f51237d94d98-win64-setup-unsigned.exe
  57ba33ed6ee8d3a885e342471359301473e83037d5442895beb686921a4c50e9  guix-build-f51237d94d98/output/x86_64-w64-mingw32/bitcoin-f51237d94d98-win64.zip
  ```

  Gitian builds:
  ```bash
  # macOS:
  2f066e852bdd30ac46e5ecdf7619d19d408035c318a3edf0f1893ec2e25efb69  bitcoin-41a1b3d1b130-osx-unsigned.dmg
  8cf8ac4d21740f490262453c330b5f4a5c5b8139dfc1b322efefce3f3b93d1b2  bitcoin-41a1b3d1b130-osx-unsigned.tar.gz
  cf1b84efdd9d2588a1ce9513580fb56b38bfafe60e18f8adbeedf03521c6c2b2  bitcoin-41a1b3d1b130-osx64.tar.gz
  14995244b0bb3e80e7b79975c9c70fdfb3ee3c04fda3efd5358ce1c4efa3a312  src/bitcoin-41a1b3d1b130.tar.gz
  93881069d5e1dc385c08895a7b035a94eb010325afc2776c99b6aafa21096eb8  bitcoin-core-osx-22-res.yml

  # Windows:
  4d56dd7713121684b7eaa448679c65df2fd0aa5319bf8d12fb6cfa9f0b005cf7  bitcoin-f51237d94d98-win-unsigned.tar.gz
  4558f4173152b084bcba25aa1a53c605208a70fe20392141b63cefb476528c85  bitcoin-f51237d94d98-win64-debug.zip
  b63feaca010e86d514cfe38d716e3c8a8b8058e4f969b868aaaeb8a8a3d3dc81  bitcoin-f51237d94d98-win64-setup-unsigned.exe
  de7d8586cc91ba391fe911853a99d9fd15fc6f9a60f9b91a0447940173aac67a  bitcoin-f51237d94d98-win64.zip
  4185adebc6a0abe7241a3cd409a6ab7be031c26f1c4245e30bb5f87eef0925d2  src/bitcoin-f51237d94d98.tar.gz
  45efaca35b5fad0a04dfd06e44f7c00b990aa91c7bf2faea57e020d3491a6cf0  bitcoin-core-win-22-res.yml

  # Linux:
  055d646c5f8cf4708008374546176012ff758566a2645a3a01e1a33eab1002fe  bitcoin-f51237d94d98-aarch64-linux-gnu-debug.tar.gz
  bfc8b0efc36b0474c88546b12d2723c04b4dc629ae311082025c7e0b8f0d1aa9  bitcoin-f51237d94d98-aarch64-linux-gnu.tar.gz
  9dfaa5acfffadad8942b32996458013a155d12ed07be76601f232233627b5cb9  bitcoin-f51237d94d98-arm-linux-gnueabihf-debug.tar.gz
  54eb57905ff8513b9f628707b61aa4659c362fb2f6d17e0ee240b4da3674907d  bitcoin-f51237d94d98-arm-linux-gnueabihf.tar.gz
  ad98d876616eff578ad8cfd17dfbabe48ed14200823579687d66694bae3d2fe3  bitcoin-f51237d94d98-powerpc64-linux-gnu-debug.tar.gz
  fe1b421dd1cb6e04d5dc5d341459dc15fa6e15b80906e5d8e0405cf43495e0f7  bitcoin-f51237d94d98-powerpc64-linux-gnu.tar.gz
  9001d95cc7d2722d9d7dd83d9da8e5adf575fddf91b615b76b9bcfece30ecf6f  bitcoin-f51237d94d98-powerpc64le-linux-gnu-debug.tar.gz
  9e0650ad2aba70c0fd1608a077e95f335dc1bb4a79eab9b0b56ac87427a4fd4f  bitcoin-f51237d94d98-powerpc64le-linux-gnu.tar.gz
  fbfde0134944d3dbd32991455b0a8abdd334853ab8a4c1a1a4c060d9de071c50  bitcoin-f51237d94d98-riscv64-linux-gnu-debug.tar.gz
  2fa2cfddce98c44c65305326fc623a7f065129208337503d813a08d51580cb8a  bitcoin-f51237d94d98-riscv64-linux-gnu.tar.gz
  b2d6caeee0e3c350a43165c39876ebed8e588958007af0d06996e341c7060683  bitcoin-f51237d94d98-x86_64-linux-gnu-debug.tar.gz
  bfdb827e75d43d61462513c9a843620b93c9160d9d246cad13278baaa07f64ea  bitcoin-f51237d94d98-x86_64-linux-gnu.tar.gz
  4185adebc6a0abe7241a3cd409a6ab7be031c26f1c4245e30bb5f87eef0925d2  src/bitcoin-f51237d94d98.tar.gz
  34820a093916fa35b0fd98806a50092f46b20271af7422f43e2a4223ef6f9bb7  bitcoin-core-linux-22-res.yml
  ```

ACKs for top commit:
  laanwj:
    re-ACK 7fc5e865b93af59364e9c8bf75ec68b4decc7e5d

Tree-SHA512: 0c30838413448ecfcf55e6273f607fdb01cb1acafa1d2762afad59360fca7d8efa78ec55064f50cba56cb2c9e98741e13665cba8e9b4b8e5b62b8a53f9bf8990

9 files changed, 90 insertions, 135 deletions

diff --git a/ci/test/00_setup_env_mac_host.sh b/ci/test/00_setup_env_mac_host.sh
index e54e78add4..898c1530a1 100644
--- a/ci/test/00_setup_env_mac_host.sh
+++ b/ci/test/00_setup_env_mac_host.sh
@@ -7,12 +7,11 @@
 export LC_ALL=C.UTF-8
 
 export HOST=x86_64-apple-darwin18
-export PIP_PACKAGES="zmq"
+export PIP_PACKAGES="zmq lief"
 export GOAL="install"
 export BITCOIN_CONFIG="--with-gui --enable-reduce-exports --enable-external-signer"
 export CI_OS_NAME="macos"
 export NO_DEPENDS=1
 export OSX_SDK=""
 export CCACHE_SIZE=300M
-
 export RUN_SECURITY_TESTS="true"
diff --git a/ci/test/00_setup_env_native_multiprocess.sh b/ci/test/00_setup_env_native_multiprocess.sh
index b8fa5c8854..37d714400b 100644
--- a/ci/test/00_setup_env_native_multiprocess.sh
+++ b/ci/test/00_setup_env_native_multiprocess.sh
@@ -8,9 +8,10 @@ export LC_ALL=C.UTF-8
 
 export CONTAINER_NAME=ci_native_multiprocess
 export DOCKER_NAME_TAG=ubuntu:20.04
-export PACKAGES="cmake python3 llvm clang"
+export PACKAGES="cmake python3 python3-pip llvm clang"
 export DEP_OPTS="DEBUG=1 MULTIPROCESS=1"
 export GOAL="install"
 export BITCOIN_CONFIG="--enable-external-signer --enable-debug CC=clang CXX=clang++"  # Use clang to avoid OOM
 export TEST_RUNNER_ENV="BITCOIND=bitcoin-node"
 export RUN_SECURITY_TESTS="true"
+export PIP_PACKAGES="lief"
diff --git a/ci/test/04_install.sh b/ci/test/04_install.sh
index 8accecef66..01dbfe221b 100755
--- a/ci/test/04_install.sh
+++ b/ci/test/04_install.sh
@@ -67,6 +67,9 @@ if [[ $DOCKER_NAME_TAG == centos* ]]; then
 elif [ "$CI_USE_APT_INSTALL" != "no" ]; then
   ${CI_RETRY_EXE} DOCKER_EXEC apt-get update
   ${CI_RETRY_EXE} DOCKER_EXEC apt-get install --no-install-recommends --no-upgrade -y $PACKAGES $DOCKER_PACKAGES
+  if [ -n "$PIP_PACKAGES" ]; then
+    ${CI_RETRY_EXE} pip3 install --user $PIP_PACKAGES
+  fi
 fi
 
 if [ "$CI_OS_NAME" == "macos" ]; then
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index 7b09c42fde..b6628c2ad5 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -6,22 +6,13 @@
 Perform basic security checks on a series of executables.
 Exit status will be 0 if successful, and the program will be silent.
 Otherwise the exit status will be 1 and it will log which executables failed which checks.
-Needs `objdump` (for PE) and `otool` (for MACHO).
 '''
-import subprocess
 import sys
-import os
 from typing import List, Optional
 
+import lief
 import pixie
 
-OBJDUMP_CMD = os.getenv('OBJDUMP', '/usr/bin/objdump')
-OTOOL_CMD = os.getenv('OTOOL', '/usr/bin/otool')
-
-def run_command(command) -> str:
-    p = subprocess.run(command, stdout=subprocess.PIPE, check=True, universal_newlines=True)
-    return p.stdout
-
 def check_ELF_PIE(executable) -> bool:
     '''
     Check for position independent executable (PIE), allowing for address space randomization.
@@ -143,112 +134,59 @@ def check_ELF_separate_code(executable):
                 return False
     return True
 
-def get_PE_dll_characteristics(executable) -> int:
-    '''Get PE DllCharacteristics bits'''
-    stdout = run_command([OBJDUMP_CMD, '-x',  executable])
-
-    bits = 0
-    for line in stdout.splitlines():
-        tokens = line.split()
-        if len(tokens)>=2 and tokens[0] == 'DllCharacteristics':
-            bits = int(tokens[1],16)
-    return bits
-
-IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
-IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE    = 0x0040
-IMAGE_DLL_CHARACTERISTICS_NX_COMPAT       = 0x0100
-
 def check_PE_DYNAMIC_BASE(executable) -> bool:
     '''PIE: DllCharacteristics bit 0x40 signifies dynamicbase (ASLR)'''
-    bits = get_PE_dll_characteristics(executable)
-    return (bits & IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE) == IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE
+    binary = lief.parse(executable)
+    return lief.PE.DLL_CHARACTERISTICS.DYNAMIC_BASE in binary.optional_header.dll_characteristics_lists
 
 # Must support high-entropy 64-bit address space layout randomization
 # in addition to DYNAMIC_BASE to have secure ASLR.
 def check_PE_HIGH_ENTROPY_VA(executable) -> bool:
     '''PIE: DllCharacteristics bit 0x20 signifies high-entropy ASLR'''
-    bits = get_PE_dll_characteristics(executable)
-    return (bits & IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA) == IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA
+    binary = lief.parse(executable)
+    return lief.PE.DLL_CHARACTERISTICS.HIGH_ENTROPY_VA in binary.optional_header.dll_characteristics_lists
 
 def check_PE_RELOC_SECTION(executable) -> bool:
     '''Check for a reloc section. This is required for functional ASLR.'''
-    stdout = run_command([OBJDUMP_CMD, '-h',  executable])
-
-    for line in stdout.splitlines():
-        if '.reloc' in line:
-            return True
-    return False
-
-def check_PE_NX(executable) -> bool:
-    '''NX: DllCharacteristics bit 0x100 signifies nxcompat (DEP)'''
-    bits = get_PE_dll_characteristics(executable)
-    return (bits & IMAGE_DLL_CHARACTERISTICS_NX_COMPAT) == IMAGE_DLL_CHARACTERISTICS_NX_COMPAT
-
-def get_MACHO_executable_flags(executable) -> List[str]:
-    stdout = run_command([OTOOL_CMD, '-vh', executable])
-
-    flags: List[str] = []
-    for line in stdout.splitlines():
-        tokens = line.split()
-        # filter first two header lines
-        if 'magic' in tokens or 'Mach' in tokens:
-            continue
-        # filter ncmds and sizeofcmds values
-        flags += [t for t in tokens if not t.isdigit()]
-    return flags
-
-def check_MACHO_PIE(executable) -> bool:
-    '''
-    Check for position independent executable (PIE), allowing for address space randomization.
-    '''
-    flags = get_MACHO_executable_flags(executable)
-    if 'PIE' in flags:
-        return True
-    return False
+    binary = lief.parse(executable)
+    return binary.has_relocations
 
 def check_MACHO_NOUNDEFS(executable) -> bool:
     '''
     Check for no undefined references.
     '''
-    flags = get_MACHO_executable_flags(executable)
-    if 'NOUNDEFS' in flags:
-        return True
-    return False
-
-def check_MACHO_NX(executable) -> bool:
-    '''
-    Check for no stack execution
-    '''
-    flags = get_MACHO_executable_flags(executable)
-    if 'ALLOW_STACK_EXECUTION' in flags:
-        return False
-    return True
+    binary = lief.parse(executable)
+    return binary.header.has(lief.MachO.HEADER_FLAGS.NOUNDEFS)
 
 def check_MACHO_LAZY_BINDINGS(executable) -> bool:
     '''
     Check for no lazy bindings.
     We don't use or check for MH_BINDATLOAD. See #18295.
     '''
-    stdout = run_command([OTOOL_CMD, '-l', executable])
-
-    for line in stdout.splitlines():
-        tokens = line.split()
-        if 'lazy_bind_off' in tokens or 'lazy_bind_size' in tokens:
-            if tokens[1] != '0':
-                return False
-    return True
+    binary = lief.parse(executable)
+    return binary.dyld_info.lazy_bind == (0,0)
 
 def check_MACHO_Canary(executable) -> bool:
     '''
     Check for use of stack canary
     '''
-    stdout = run_command([OTOOL_CMD, '-Iv', executable])
+    binary = lief.parse(executable)
+    return binary.has_symbol('___stack_chk_fail')
 
-    ok = False
-    for line in stdout.splitlines():
-        if '___stack_chk_fail' in line:
-            ok = True
-    return ok
+def check_PIE(executable) -> bool:
+    '''
+    Check for position independent executable (PIE),
+    allowing for address space randomization.
+    '''
+    binary = lief.parse(executable)
+    return binary.is_pie
+
+def check_NX(executable) -> bool:
+    '''
+    Check for no stack execution
+    '''
+    binary = lief.parse(executable)
+    return binary.has_nx
 
 CHECKS = {
 'ELF': [
@@ -259,15 +197,16 @@ CHECKS = {
     ('separate_code', check_ELF_separate_code),
 ],
 'PE': [
+    ('PIE', check_PIE),
     ('DYNAMIC_BASE', check_PE_DYNAMIC_BASE),
     ('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
-    ('NX', check_PE_NX),
+    ('NX', check_NX),
     ('RELOC_SECTION', check_PE_RELOC_SECTION)
 ],
 'MACHO': [
-    ('PIE', check_MACHO_PIE),
+    ('PIE', check_PIE),
     ('NOUNDEFS', check_MACHO_NOUNDEFS),
-    ('NX', check_MACHO_NX),
+    ('NX', check_NX),
     ('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS),
     ('Canary', check_MACHO_Canary)
 ]
@@ -285,24 +224,24 @@ def identify_executable(executable) -> Optional[str]:
     return None
 
 if __name__ == '__main__':
-    retval = 0
+    retval: int = 0
     for filename in sys.argv[1:]:
         try:
             etype = identify_executable(filename)
             if etype is None:
-                print('%s: unknown format' % filename)
+                print(f'{filename}: unknown format')
                 retval = 1
                 continue
 
-            failed = []
+            failed: List[str] = []
             for (name, func) in CHECKS[etype]:
                 if not func(filename):
                     failed.append(name)
             if failed:
-                print('%s: failed %s' % (filename, ' '.join(failed)))
+                print(f'{filename}: failed {" ".join(failed)}')
                 retval = 1
         except IOError:
-            print('%s: cannot open' % filename)
+            print(f'{filename}: cannot open')
             retval = 1
     sys.exit(retval)
 
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index 436f179d61..d740a94560 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -15,6 +15,7 @@ import sys
 import os
 from typing import List, Optional
 
+import lief
 import pixie
 
 # Debian 8 (Jessie) EOL: 2020. https://wiki.debian.org/DebianReleases#Production_Releases
@@ -52,8 +53,6 @@ IGNORE_EXPORTS = {
 'environ', '_environ', '__environ',
 }
 CPPFILT_CMD = os.getenv('CPPFILT', '/usr/bin/c++filt')
-OBJDUMP_CMD = os.getenv('OBJDUMP', '/usr/bin/objdump')
-OTOOL_CMD = os.getenv('OTOOL', '/usr/bin/otool')
 
 # Allowed NEEDED libraries
 ELF_ALLOWED_LIBRARIES = {
@@ -203,44 +202,22 @@ def check_ELF_libraries(filename) -> bool:
             ok = False
     return ok
 
-def macho_read_libraries(filename) -> List[str]:
-    p = subprocess.Popen([OTOOL_CMD, '-L', filename], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
-    (stdout, stderr) = p.communicate()
-    if p.returncode:
-        raise IOError('Error opening file')
-    libraries = []
-    for line in stdout.splitlines():
-        tokens = line.split()
-        if len(tokens) == 1: # skip executable name
-            continue
-        libraries.append(tokens[0].split('/')[-1])
-    return libraries
-
 def check_MACHO_libraries(filename) -> bool:
     ok: bool = True
-    for dylib in macho_read_libraries(filename):
-        if dylib not in MACHO_ALLOWED_LIBRARIES:
-            print('{} is not in ALLOWED_LIBRARIES!'.format(dylib))
+    binary = lief.parse(filename)
+    for dylib in binary.libraries:
+        split = dylib.name.split('/')
+        if split[-1] not in MACHO_ALLOWED_LIBRARIES:
+            print(f'{split[-1]} is not in ALLOWED_LIBRARIES!')
             ok = False
     return ok
 
-def pe_read_libraries(filename) -> List[str]:
-    p = subprocess.Popen([OBJDUMP_CMD, '-x', filename], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
-    (stdout, stderr) = p.communicate()
-    if p.returncode:
-        raise IOError('Error opening file')
-    libraries = []
-    for line in stdout.splitlines():
-        if 'DLL Name:' in line:
-            tokens = line.split(': ')
-            libraries.append(tokens[1])
-    return libraries
-
 def check_PE_libraries(filename) -> bool:
     ok: bool = True
-    for dylib in pe_read_libraries(filename):
+    binary = lief.parse(filename)
+    for dylib in binary.libraries:
         if dylib not in PE_ALLOWED_LIBRARIES:
-            print('{} is not in ALLOWED_LIBRARIES!'.format(dylib))
+            print(f'{dylib} is not in ALLOWED_LIBRARIES!')
             ok = False
     return ok
 
@@ -275,7 +252,7 @@ if __name__ == '__main__':
         try:
             etype = identify_executable(filename)
             if etype is None:
-                print('{}: unknown format'.format(filename))
+                print(f'{filename}: unknown format')
                 retval = 1
                 continue
 
@@ -284,9 +261,9 @@ if __name__ == '__main__':
                 if not func(filename):
                     failed.append(name)
             if failed:
-                print('{}: failed {}'.format(filename, ' '.join(failed)))
+                print(f'{filename}: failed {" ".join(failed)}')
                 retval = 1
         except IOError:
-            print('{}: cannot open'.format(filename))
+            print(f'{filename}: cannot open')
             retval = 1
     sys.exit(retval)
diff --git a/contrib/gitian-descriptors/gitian-linux.yml b/contrib/gitian-descriptors/gitian-linux.yml
index 9b5f5d7e07..103e249e33 100644
--- a/contrib/gitian-descriptors/gitian-linux.yml
+++ b/contrib/gitian-descriptors/gitian-linux.yml
@@ -23,6 +23,7 @@ packages:
 - "patch"
 - "pkg-config"
 - "python3"
+- "python3-pip"
 # Cross compilation HOSTS:
 #  - arm-linux-gnueabihf
 - "binutils-arm-linux-gnueabihf"
@@ -99,6 +100,8 @@ script: |
   done
   }
 
+  pip3 install lief==0.11.4
+
   # Faketime for depends so intermediate results are comparable
   export PATH_orig=${PATH}
   create_global_faketime_wrappers "2000-01-01 12:00:00"
diff --git a/contrib/gitian-descriptors/gitian-osx.yml b/contrib/gitian-descriptors/gitian-osx.yml
index 5bc8a37bdc..d6c41b2c43 100644
--- a/contrib/gitian-descriptors/gitian-osx.yml
+++ b/contrib/gitian-descriptors/gitian-osx.yml
@@ -23,6 +23,7 @@ packages:
 - "imagemagick"
 - "libz-dev"
 - "python3"
+- "python3-pip"
 - "python3-setuptools"
 - "fonts-tuffy"
 - "xorriso"
@@ -78,6 +79,8 @@ script: |
   done
   }
 
+  pip3 install lief==0.11.4
+
   # Faketime for depends so intermediate results are comparable
   export PATH_orig=${PATH}
   create_global_faketime_wrappers "2000-01-01 12:00:00"
diff --git a/contrib/gitian-descriptors/gitian-win.yml b/contrib/gitian-descriptors/gitian-win.yml
index dbf1e8cc67..eabcdaa79d 100644
--- a/contrib/gitian-descriptors/gitian-win.yml
+++ b/contrib/gitian-descriptors/gitian-win.yml
@@ -22,6 +22,7 @@ packages:
 - "zip"
 - "ca-certificates"
 - "python3"
+- "python3-pip"
 remotes:
 - "url": "https://github.com/bitcoin/bitcoin.git"
   "dir": "bitcoin"
@@ -86,6 +87,8 @@ script: |
   done
   }
 
+  pip3 install lief==0.11.4
+
   # Faketime for depends so intermediate results are comparable
   export PATH_orig=${PATH}
   create_global_faketime_wrappers "2000-01-01 12:00:00"
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index 90f4121d43..f98f2b9422 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -27,9 +27,11 @@
              (gnu packages version-control)
              (guix build-system font)
              (guix build-system gnu)
+             (guix build-system python)
              (guix build-system trivial)
              (guix download)
              (guix gexp)
+             (guix git-download)
              ((guix licenses) #:prefix license:)
              (guix packages)
              (guix profiles)
@@ -192,6 +194,29 @@ chain for " target " development."))
     "Thatcher Ulrich's first outline font design. He started with the goal of producing a neutral, readable sans-serif text font. There are lots of \"expressive\" fonts out there, but he wanted to start with something very plain and clean, something he might want to actually use. ")
    (license license:public-domain)))
 
+(define-public lief
+  (package
+   (name "python-lief")
+   (version "0.11.4")
+   (source
+    (origin
+     (method git-fetch)
+     (uri (git-reference
+           (url "https://github.com/lief-project/LIEF.git")
+           (commit version)))
+     (file-name (git-file-name name version))
+     (sha256
+      (base32
+       "0h4kcwr9z478almjqhmils8imfpflzk0r7d05g4xbkdyknn162qf"))))
+   (build-system python-build-system)
+   (native-inputs
+    `(("cmake" ,cmake)))
+   (home-page "https://github.com/lief-project/LIEF")
+   (synopsis "Library to Instrument Executable Formats")
+   (description "Python library to to provide a cross platform library which can
+parse, modify and abstract ELF, PE and MachO formats.")
+   (license license:asl2.0)))
+
 (packages->manifest
  (append
   (list ;; The Basics
@@ -227,6 +252,8 @@ chain for " target " development."))
         python-3
         ;; Git
         git
+        ;; Tests
+        lief
         ;; Native gcc 7 toolchain
         gcc-toolchain-7
         (list gcc-toolchain-7 "static"))