Merge bitcoin/bitcoin#21778: build: LLD based macOS toolchain

e8c25e8a35e333e90514945c592557615641553f guix: drop binutils from macOS env (fanquake)
555fddf646265f7e57a416dc64b171f2c9460e20 guix: use GUIX_LD_WRAPPER_DISABLE_RPATH for all HOSTS (fanquake)
9ec238d0f3c7b97aec83dbeb4c7a6950c8f5125e guix: remove ZERO_AR_DATE export (fanquake)
f836f7e9b3e091eb27cdefb624e2a6f2a921fa55 depends: remove cctools & libtapi (fanquake)
4a0536c5d96688729f8c885060c83cb12d72a8c5 build: switch to using lld for macOS builds (fanquake)
c6a6b2d6fd4e3a01b095dc98645f819ebabf1931 build: add lld into macOS build environment(s) (fanquake)
437e908ebd1bf9473ef924de5aec57bdc26de6dd depends: swap cctools-x for llvm-x (fanquake)
bab287d1bab2c02b5fab3285f2678c15316d31c2 depends: don't use -no_warning_for_no_symbols in macOS qt build (fanquake)

Pull request description:

  This switches us to using a [LLD](https://lld.llvm.org/) based toolchain for macOS builds.

  ### Benefits
  * Less complicated macOS toolchain.
  * No longer beholden to Apple releasing it's [source](https://opensource.apple.com/source/) for [cctools](https://opensource.apple.com/source/cctools/), [ld64](https://opensource.apple.com/source/ld64/) & [libtapi](https://opensource.apple.com/source/tapi/).
  * No more reliance on third parties to modify those sources for us. i.e [apple-libtapi](https://github.com/tpoechtrager/apple-libtapi), [cctools-port](https://github.com/tpoechtrager/cctools-port) (cctools + ld64).

ACKs for top commit:
  theuni:
    Tentative ACK e8c25e8a35e333e90514945c592557615641553f.

Tree-SHA512: ec73304e8a2cd4c71041f7863d7d2e4e0408787299fb4fa3745076853156e8f64e4742e16f30d65e3a27f1e9c0d19cdf802248366b72a4fcb4ea821f92bb7a00

5 files changed, 14 insertions, 55 deletions

diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index b3e73bb2b9..e4a62c2072 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -240,7 +240,7 @@ def check_MACHO_sdk(binary) -> bool:
     return False
 
 def check_MACHO_ld64(binary) -> bool:
-    if binary.build_version.tools[0].version == [711, 0, 0]:
+    if binary.build_version.tools[0].version == [17, 0, 6]:
         return True
     return False
 
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
index 51bca4627e..dd0cf7030a 100755
--- a/contrib/devtools/test-security-check.py
+++ b/contrib/devtools/test-security-check.py
@@ -120,21 +120,15 @@ class TestSecurityChecks(unittest.TestCase):
         arch = get_arch(cc, source, executable)
 
         if arch == lief.ARCHITECTURES.X86:
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector', '-Wl,-no_fixup_chains']),
-                (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS PIE NX CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector', '-Wl,-fixup_chains']),
-                (1, executable+': failed NOUNDEFS Canary PIE NX CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all', '-Wl,-fixup_chains']),
-                (1, executable+': failed NOUNDEFS PIE NX CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']),
-                (1, executable+': failed NOUNDEFS PIE CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']),
-                (1, executable+': failed PIE CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']),
-                (1, executable+': failed PIE CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
-                (1, executable+': failed PIE'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-no_fixup_chains']),
+                (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS PIE CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains']),
+                (1, executable+': failed NOUNDEFS Canary CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']),
+                (1, executable+': failed NOUNDEFS CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']),
+                (1, executable+': failed CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
                 (0, ''))
         else:
             # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks
diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh
index 1e9b682f3f..f589ac7a55 100755
--- a/contrib/guix/libexec/build.sh
+++ b/contrib/guix/libexec/build.sh
@@ -133,18 +133,7 @@ for p in "${PATHS[@]}"; do
 done
 
 # Disable Guix ld auto-rpath behavior
-case "$HOST" in
-    *darwin*)
-        # The auto-rpath behavior is necessary for darwin builds as some native
-        # tools built by depends refer to and depend on Guix-built native
-        # libraries
-        #
-        # After the native packages in depends are built, the ld wrapper should
-        # no longer affect our build, as clang would instead reach for
-        # x86_64-apple-darwin-ld from cctools
-        ;;
-    *) export GUIX_LD_WRAPPER_DISABLE_RPATH=yes ;;
-esac
+export GUIX_LD_WRAPPER_DISABLE_RPATH=yes
 
 # Make /usr/bin if it doesn't exist
 [ -e /usr/bin ] || mkdir -p /usr/bin
@@ -173,16 +162,6 @@ esac
 # Environment variables for determinism
 export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name"
 export TZ="UTC"
-case "$HOST" in
-    *darwin*)
-        # cctools AR, unlike GNU binutils AR, does not have a deterministic mode
-        # or a configure flag to enable determinism by default, it only
-        # understands if this env-var is set or not. See:
-        #
-        # https://github.com/tpoechtrager/cctools-port/blob/55562e4073dea0fbfd0b20e0bf69ffe6390c7f97/cctools/ar/archive.c#L334
-        export ZERO_AR_DATE=yes
-        ;;
-esac
 
 ####################
 # Depends Building #
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index 96818c7748..40500ccb88 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -532,8 +532,9 @@ inspecting signatures in Mach-O binaries.")
           ((string-contains target "darwin")
            (list ;; Native GCC 11 toolchain
                  gcc-toolchain-11
-                 binutils
                  clang-toolchain-17
+                 lld-17
+                 (make-lld-wrapper lld-17 #:lld-as-ld? #t)
                  python-signapple
                  zip))
           (else '())))))
diff --git a/contrib/macdeploy/README.md b/contrib/macdeploy/README.md
index d1df3062f8..78f61685e1 100644
--- a/contrib/macdeploy/README.md
+++ b/contrib/macdeploy/README.md
@@ -56,28 +56,13 @@ The `sha256sum` should be `c0c2e7bb92c1fee0c4e9f3a485e4530786732d6c6dd9e9f418c28
 
 ## Deterministic macOS App Notes
 
-macOS Applications are created in Linux by combining a recent `clang` and the Apple
-`binutils` (`ld`, `ar`, etc).
+macOS Applications are created in Linux using a recent LLVM.
 
 Apple uses `clang` extensively for development and has upstreamed the necessary
 functionality so that a vanilla clang can take advantage. It supports the use of `-F`,
 `-target`, `-mmacosx-version-min`, and `-isysroot`, which are all necessary when
 building for macOS.
 
-Apple's version of `binutils` (called `cctools`) contains lots of functionality missing in the
-FSF's `binutils`. In addition to extra linker options for frameworks and sysroots, several
-other tools are needed as well. These do not build under Linux, so they have been patched to
-do so. The work here was used as a starting point: [mingwandroid/toolchain4](https://github.com/mingwandroid/toolchain4).
-
-In order to build a working toolchain, the following source packages are needed from
-Apple: `cctools`, `dyld`, and `ld64`.
-
-These tools inject timestamps by default, which produce non-deterministic binaries. The
-`ZERO_AR_DATE` environment variable is used to disable that.
-
-This version of `cctools` has been patched to use the current version of `clang`'s headers
-and its `libLTO.so` rather than those from `llvmgcc`, as it was originally done in `toolchain4`.
-
 To complicate things further, all builds must target an Apple SDK. These SDKs are free to
 download, but not redistributable. See the SDK Extraction notes above for how to obtain it.