-rw-r--r--ci/test/00_setup_env_mac_host.sh2
-rwxr-xr-xcontrib/devtools/security-check.py14
-rwxr-xr-xcontrib/devtools/test-security-check.py16
-rw-r--r--contrib/gitian-descriptors/gitian-linux.yml27
-rw-r--r--contrib/gitian-descriptors/gitian-osx.yml25
-rw-r--r--contrib/gitian-descriptors/gitian-win.yml31
-rwxr-xr-xcontrib/gitian-descriptors/make_git_archive20
-rwxr-xr-xshare/genbuild.sh6
-rw-r--r--src/qt/coincontroldialog.cpp8
-rw-r--r--src/wallet/rpcdump.cpp2
-rwxr-xr-xtest/lint/lint-shell.sh10
11 files changed, 71 insertions, 90 deletions
diff --git a/ci/test/00_setup_env_mac_host.sh b/ci/test/00_setup_env_mac_host.sh
index 67fbd1438a..9ef4ba038f 100644
--- a/ci/test/00_setup_env_mac_host.sh
+++ b/ci/test/00_setup_env_mac_host.sh
@@ -8,8 +8,6 @@ export LC_ALL=C.UTF-8
export HOST=x86_64-apple-darwin16
export PIP_PACKAGES="zmq"
-export RUN_UNIT_TESTS=true
-export RUN_FUNCTIONAL_TESTS=false
export GOAL="install"
export BITCOIN_CONFIG="--enable-gui --enable-reduce-exports --enable-werror"
# Run without depends
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index 65a80b4102..9444271bdc 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -158,6 +158,17 @@ def check_PE_HIGH_ENTROPY_VA(executable):
reqbits = 0
return (bits & reqbits) == reqbits
+def check_PE_RELOC_SECTION(executable) -> bool:
+ '''Check for a reloc section. This is required for functional ASLR.'''
+ p = subprocess.Popen([OBJDUMP_CMD, '-h', executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
+ (stdout, stderr) = p.communicate()
+ if p.returncode:
+ raise IOError('Error opening file')
+ for line in stdout.splitlines():
+ if '.reloc' in line:
+ return True
+ return False
+
def check_PE_NX(executable):
'''NX: DllCharacteristics bit 0x100 signifies nxcompat (DEP)'''
(arch,bits) = get_PE_dll_characteristics(executable)
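Review bot: The test `'.reloc' in line` in check_PE_RELOC_SECTION matches the substring anywhere in objdump's output, including the header line that echoes the file path, so a binary whose path contains `.reloc` would pass without having the section. Comparing the section-name column is stricter: `fields = line.split()` followed by `if len(fields) > 1 and fields[1] == '.reloc': return True`. The check also proves only that the section exists, not that it holds relocation entries, so the docstring should say a pass is a necessary condition for ASLR rather than proof of it. `IOError('Error opening file')` discards the captured `stderr`; including it in the message would make a failing objdump run diagnosable.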
@@ -247,7 +258,8 @@ CHECKS = {
'PE': [
('DYNAMIC_BASE', check_PE_DYNAMIC_BASE),
('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
- ('NX', check_PE_NX)
+ ('NX', check_PE_NX),
+ ('RELOC_SECTION', check_PE_RELOC_SECTION)
],
'MACHO': [
('PIE', check_MACHO_PIE),
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
index d09f1d0064..ea70b27941 100755
--- a/contrib/devtools/test-security-check.py
+++ b/contrib/devtools/test-security-check.py
@@ -49,13 +49,15 @@ class TestSecurityChecks(unittest.TestCase):
cc = 'x86_64-w64-mingw32-gcc'
write_testcode(source)
- self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va']),
- (1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA NX'))
- self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va']),
- (1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA'))
- self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--no-high-entropy-va']),
- (1, executable+': failed HIGH_ENTROPY_VA'))
- self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va']),
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
+ (1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA NX RELOC_SECTION'))
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
+ (1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA RELOC_SECTION'))
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
+ (1, executable+': failed HIGH_ENTROPY_VA RELOC_SECTION'))
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-no-pie','-fno-PIE']),
+ (1, executable+': failed RELOC_SECTION'))
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE']),
(0, ''))
def test_MACHO(self):
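Review bot: Every failing case in this PE test passes `-no-pie -fno-PIE`, so RELOC_SECTION is never observed passing while one of the DllCharacteristics checks fails. One more case with `-pie -fPIE` together with `-Wl,--no-dynamicbase`, asserting that RELOC_SECTION is absent from the failure list (assuming the linker still emits `.reloc` in that configuration), would show the new check is independent of the other three. The test method starts above this hunk, so the setup of `source` and `executable` is not visible here.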
diff --git a/contrib/gitian-descriptors/gitian-linux.yml b/contrib/gitian-descriptors/gitian-linux.yml
index 6f79d10e68..f421372e10 100644
--- a/contrib/gitian-descriptors/gitian-linux.yml
+++ b/contrib/gitian-descriptors/gitian-linux.yml
@@ -140,18 +140,12 @@ script: |
create_per-host_faketime_wrappers "${REFERENCE_DATETIME}"
export PATH=${WRAP_DIR}:${PATH}
- # Create the release tarball using (arbitrarily) the first host
- ./autogen.sh
- CONFIG_SITE=${BASEPREFIX}/$(echo "${HOSTS}" | awk '{print $1;}')/share/config.site ./configure --prefix=/
- make dist
- SOURCEDIST=$(echo bitcoin-*.tar.gz)
- DISTNAME=${SOURCEDIST/%.tar.gz}
-
- # Workaround for tarball not building with the bare tag version (prep)
- make -C src obj/build.h
+ # Create the git archive, and define DISTNAME and GIT_ARCHIVE variables.
+ # shellcheck source=contrib/gitian-descriptors/make_git_archive
+ source contrib/gitian-descriptors/make_git_archive
ORIGPATH="$PATH"
- # Extract the release tarball into a dir for each host and build
+ # Extract the git archive into a dir for each host and build
for i in ${HOSTS}; do
export PATH=${BASEPREFIX}/${i}/native/bin:${ORIGPATH}
if [ "${i}" = "riscv64-linux-gnu" ]; then
@@ -165,13 +159,9 @@ script: |
cd distsrc-${i}
INSTALLPATH="${PWD}/installed/${DISTNAME}"
mkdir -p ${INSTALLPATH}
- tar --strip-components=1 -xf ../$SOURCEDIST
-
- # Workaround for tarball not building with the bare tag version
- echo '#!/bin/true' >share/genbuild.sh
- mkdir src/obj
- cp ../src/obj/build.h src/obj/
+ tar -xf $GIT_ARCHIVE
+ ./autogen.sh
CONFIG_SITE=${BASEPREFIX}/${i}/share/config.site ./configure --prefix=/ --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS} CFLAGS="${HOST_CFLAGS}" CXXFLAGS="${HOST_CXXFLAGS}" LDFLAGS="${HOST_LDFLAGS}"
make ${MAKEOPTS}
make ${MAKEOPTS} -C src check-security
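Review bot: `tar -xf $GIT_ARCHIVE` expands an unquoted path built from `${OUTDIR}`, so a value containing whitespace or glob characters would split into several arguments; `tar -xf "$GIT_ARCHIVE"` avoids that. The same line is added in the gitian-osx.yml and gitian-win.yml hunks. Because the tree being built now comes from `git archive HEAD`, a comment next to the extraction such as `# built from the committed HEAD only; uncommitted changes in the checkout are not included` would make the provenance of the binaries explicit. The `for` loop starts in the previous hunk and continues past this one.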
@@ -183,12 +173,9 @@ script: |
rm -rf ${DISTNAME}/lib/pkgconfig
find ${DISTNAME}/bin -type f -executable -print0 | xargs -0 -n1 -I{} ../contrib/devtools/split-debug.sh {} {} {}.dbg
find ${DISTNAME}/lib -type f -print0 | xargs -0 -n1 -I{} ../contrib/devtools/split-debug.sh {} {} {}.dbg
- cp ../../README.md ${DISTNAME}/
+ cp ../README.md ${DISTNAME}/
find ${DISTNAME} -not -name "*.dbg" | sort | tar --mtime="$REFERENCE_DATETIME" --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-${i}.tar.gz
find ${DISTNAME} -name "*.dbg" | sort | tar --mtime="$REFERENCE_DATETIME" --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-${i}-debug.tar.gz
cd ../../
rm -rf distsrc-${i}
done
-
- mkdir -p ${OUTDIR}/src
- git archive --output=${OUTDIR}/src/${DISTNAME}.tar.gz HEAD
diff --git a/contrib/gitian-descriptors/gitian-osx.yml b/contrib/gitian-descriptors/gitian-osx.yml
index 37f2a534b8..82f8f194fc 100644
--- a/contrib/gitian-descriptors/gitian-osx.yml
+++ b/contrib/gitian-descriptors/gitian-osx.yml
@@ -103,31 +103,21 @@ script: |
create_per-host_faketime_wrappers "${REFERENCE_DATETIME}"
export PATH=${WRAP_DIR}:${PATH}
- # Create the release tarball using (arbitrarily) the first host
- ./autogen.sh
- CONFIG_SITE=${BASEPREFIX}/$(echo "${HOSTS}" | awk '{print $1;}')/share/config.site ./configure --prefix=/
- make dist
- SOURCEDIST=$(echo bitcoin-*.tar.gz)
- DISTNAME=${SOURCEDIST/%.tar.gz}
-
- # Workaround for tarball not building with the bare tag version (prep)
- make -C src obj/build.h
+ # Create the git archive, and define DISTNAME and GIT_ARCHIVE variables.
+ # shellcheck source=contrib/gitian-descriptors/make_git_archive
+ source contrib/gitian-descriptors/make_git_archive
ORIGPATH="$PATH"
- # Extract the release tarball into a dir for each host and build
+ # Extract the git archive into a dir for each host and build
for i in ${HOSTS}; do
export PATH=${BASEPREFIX}/${i}/native/bin:${ORIGPATH}
mkdir -p distsrc-${i}
cd distsrc-${i}
INSTALLPATH="${PWD}/installed/${DISTNAME}"
mkdir -p ${INSTALLPATH}
- tar --strip-components=1 -xf ../$SOURCEDIST
-
- # Workaround for tarball not building with the bare tag version
- echo '#!/bin/true' >share/genbuild.sh
- mkdir src/obj
- cp ../src/obj/build.h src/obj/
+ tar -xf $GIT_ARCHIVE
+ ./autogen.sh
CONFIG_SITE=${BASEPREFIX}/${i}/share/config.site ./configure --prefix=/ --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS}
make ${MAKEOPTS}
make ${MAKEOPTS} -C src check-security
@@ -160,7 +150,4 @@ script: |
cd ../../
done
- mkdir -p ${OUTDIR}/src
- git archive --output=${OUTDIR}/src/${DISTNAME}.tar.gz HEAD
-
mv ${OUTDIR}/${DISTNAME}-x86_64-*.tar.gz ${OUTDIR}/${DISTNAME}-osx64.tar.gz
diff --git a/contrib/gitian-descriptors/gitian-win.yml b/contrib/gitian-descriptors/gitian-win.yml
index 0cc1adc557..54ad68a2a3 100644
--- a/contrib/gitian-descriptors/gitian-win.yml
+++ b/contrib/gitian-descriptors/gitian-win.yml
@@ -76,13 +76,11 @@ script: |
function create_per-host_compiler_wrapper {
# -posix variant is required for c++11 threading.
for i in $HOSTS; do
- mkdir -p ${WRAP_DIR}/${i}
for prog in gcc g++; do
echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${i}-${prog}
echo "REAL=\`which -a ${i}-${prog}-posix | grep -v ${WRAP_DIR}/${i}-${prog} | head -1\`" >> ${WRAP_DIR}/${i}-${prog}
echo "export LD_PRELOAD='/usr/\$LIB/faketime/libfaketime.so.1'" >> ${WRAP_DIR}/${i}-${prog}
echo "export FAKETIME=\"$1\"" >> ${WRAP_DIR}/${i}-${prog}
- echo "export COMPILER_PATH=${WRAP_DIR}/${i}" >> ${WRAP_DIR}/${i}-${prog}
echo "\$REAL \$@" >> $WRAP_DIR/${i}-${prog}
chmod +x ${WRAP_DIR}/${i}-${prog}
done
@@ -110,38 +108,28 @@ script: |
create_per-host_compiler_wrapper "${REFERENCE_DATETIME}"
export PATH=${WRAP_DIR}:${PATH}
- # Create the release tarball using (arbitrarily) the first host
- ./autogen.sh
- CONFIG_SITE=${BASEPREFIX}/$(echo "${HOSTS}" | awk '{print $1;}')/share/config.site ./configure --prefix=/
- make dist
- SOURCEDIST=$(echo bitcoin-*.tar.gz)
- DISTNAME=${SOURCEDIST/%.tar.gz}
-
- # Workaround for tarball not building with the bare tag version (prep)
- make -C src obj/build.h
+ # Create the git archive, and define DISTNAME and GIT_ARCHIVE variables.
+ # shellcheck source=contrib/gitian-descriptors/make_git_archive
+ source contrib/gitian-descriptors/make_git_archive
ORIGPATH="$PATH"
- # Extract the release tarball into a dir for each host and build
+ # Extract the git archive into a dir for each host and build
for i in ${HOSTS}; do
export PATH=${BASEPREFIX}/${i}/native/bin:${ORIGPATH}
mkdir -p distsrc-${i}
cd distsrc-${i}
INSTALLPATH="${PWD}/installed/${DISTNAME}"
mkdir -p ${INSTALLPATH}
- tar --strip-components=1 -xf ../$SOURCEDIST
-
- # Workaround for tarball not building with the bare tag version
- echo '#!/bin/true' >share/genbuild.sh
- mkdir src/obj
- cp ../src/obj/build.h src/obj/
+ tar -xf $GIT_ARCHIVE
+ ./autogen.sh
CONFIG_SITE=${BASEPREFIX}/${i}/share/config.site ./configure --prefix=/ --disable-ccache --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS} CFLAGS="${HOST_CFLAGS}" CXXFLAGS="${HOST_CXXFLAGS}"
make ${MAKEOPTS}
make ${MAKEOPTS} -C src check-security
make ${MAKEOPTS} -C src check-symbols
make deploy
make install DESTDIR=${INSTALLPATH}
- cp -f --target-directory="${OUTDIR}" ./bitcoin-*-setup-unsigned.exe
+ cp -f ./bitcoin-*-win64-setup-unsigned.exe ${OUTDIR}/${DISTNAME}-win64-setup-unsigned.exe
cd installed
mv ${DISTNAME}/bin/*.dll ${DISTNAME}/lib/
find . -name "lib*.la" -delete
@@ -156,11 +144,8 @@ script: |
rm -rf distsrc-${i}
done
- mkdir -p ${OUTDIR}/src
- git archive --output=${OUTDIR}/src/${DISTNAME}.tar.gz HEAD
-
cp -rf contrib/windeploy $BUILD_DIR
cd $BUILD_DIR/windeploy
mkdir unsigned
- cp $OUTDIR/bitcoin-*setup-unsigned.exe unsigned/
+ cp ${OUTDIR}/${DISTNAME}-win64-setup-unsigned.exe unsigned/
find . | sort | tar --mtime="$REFERENCE_DATETIME" --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz
diff --git a/contrib/gitian-descriptors/make_git_archive b/contrib/gitian-descriptors/make_git_archive
new file mode 100755
index 0000000000..d922c94c60
--- /dev/null
+++ b/contrib/gitian-descriptors/make_git_archive
@@ -0,0 +1,20 @@
+# Copyright (c) 2020 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+#
+# A helper script to be sourced into the gitian descriptors
+
+mkdir -p ${OUTDIR}/src
+RECENT_TAG=$(git describe --abbrev=0 HEAD)
+if [ $RECENT_TAG = $(git describe HEAD) ]; then
+ if [[ $RECENT_TAG == v* ]]; then
+ VERSION=${RECENT_TAG:1}
+ else
+ VERSION=$RECENT_TAG
+ fi
+else
+ VERSION=$(git rev-parse --short HEAD)
+fi
+DISTNAME=bitcoin-${VERSION}
+GIT_ARCHIVE="${OUTDIR}/src/${DISTNAME}.tar.gz"
+git archive --output=$GIT_ARCHIVE HEAD
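Review bot: The comparison `[ $RECENT_TAG = $(git describe HEAD) ]` is unquoted, so when `git describe` finds no tag both sides expand to nothing, the test collapses to `[ = ]`, which is true, and DISTNAME becomes `bitcoin-` instead of falling back to the short commit id. Quoting and requiring a non-empty tag restores the fallback: `if [ -n "$RECENT_TAG" ] && [ "$RECENT_TAG" = "$(git describe HEAD)" ]; then`. Whether the sourcing descriptor aborts earlier on the failed `git describe` depends on shell options that are not visible in this file. `mkdir -p ${OUTDIR}/src` and `git archive --output=$GIT_ARCHIVE HEAD` should quote their paths as well, since DISTNAME and GIT_ARCHIVE name the release artefacts that the descriptors go on to build from.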
diff --git a/share/genbuild.sh b/share/genbuild.sh
index 197787d5e0..81fa2ed5d0 100755
--- a/share/genbuild.sh
+++ b/share/genbuild.sh
@@ -18,13 +18,9 @@ else
exit 1
fi
-git_check_in_repo() {
- ! { git status --porcelain -uall --ignored "$@" 2>/dev/null || echo '??'; } | grep -q '?'
-}
-
DESC=""
SUFFIX=""
-if [ "${BITCOIN_GENBUILD_NO_GIT}" != "1" ] && [ -e "$(command -v git)" ] && [ "$(git rev-parse --is-inside-work-tree 2>/dev/null)" = "true" ] && git_check_in_repo share/genbuild.sh; then
+if [ "${BITCOIN_GENBUILD_NO_GIT}" != "1" ] && [ -e "$(command -v git)" ] && [ "$(git rev-parse --is-inside-work-tree 2>/dev/null)" = "true" ]; then
# clean 'dirty' status of touched files that haven't been modified
git diff >/dev/null 2>/dev/null
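Review bot: With `git_check_in_repo share/genbuild.sh` dropped from the condition, any enclosing git work tree now satisfies it, so a source tree unpacked inside an unrelated repository (a packaging repository, for example) would presumably take its build description from that repository's HEAD. `BITCOIN_GENBUILD_NO_GIT=1` remains the way to opt out, and a comment above the `if` should say so, e.g. `# NOTE: any enclosing git work tree is used; set BITCOIN_GENBUILD_NO_GIT=1 when building an unpacked archive inside another repository`. The body of the `if` continues outside this hunk, so how DESC and SUFFIX are derived is not visible here.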
diff --git a/src/qt/coincontroldialog.cpp b/src/qt/coincontroldialog.cpp
index 9495ba389a..1889f5e056 100644
--- a/src/qt/coincontroldialog.cpp
+++ b/src/qt/coincontroldialog.cpp
@@ -379,14 +379,6 @@ void CoinControlDialog::viewItemChanged(QTreeWidgetItem* item, int column)
if (ui->treeWidget->isEnabled()) // do not update on every click for (un)select all
CoinControlDialog::updateLabels(model, this);
}
-
- // TODO: Remove this temporary qt5 fix after Qt5.3 and Qt5.4 are no longer used.
- // Fixed in Qt5.5 and above: https://bugreports.qt.io/browse/QTBUG-43473
- else if (column == COLUMN_CHECKBOX && item->childCount() > 0)
- {
- if (item->checkState(COLUMN_CHECKBOX) == Qt::PartiallyChecked && item->child(0)->checkState(COLUMN_CHECKBOX) == Qt::PartiallyChecked)
- item->setCheckState(COLUMN_CHECKBOX, Qt::Checked);
- }
}
// shows count of locked unspent outputs
diff --git a/src/wallet/rpcdump.cpp b/src/wallet/rpcdump.cpp
index 128de52b58..9417e2bd58 100644
--- a/src/wallet/rpcdump.cpp
+++ b/src/wallet/rpcdump.cpp
@@ -735,7 +735,7 @@ UniValue dumpwallet(const JSONRPCRequest& request)
"Note that if your wallet contains keys which are not derived from your HD seed (e.g. imported keys), these are not covered by\n"
"only backing up the seed itself, and must be backed up too (e.g. ensure you back up the whole dumpfile).\n",
{
- {"filename", RPCArg::Type::STR, RPCArg::Optional::NO, "The filename with path (either absolute or relative to bitcoind)"},
+ {"filename", RPCArg::Type::STR, RPCArg::Optional::NO, "The filename with path (absolute path recommended)"},
},
RPCResult{
RPCResult::Type::OBJ, "", "",
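Review bot: The new help text `(absolute path recommended)` no longer says what a relative filename is resolved against, and the surrounding help shows this file holds wallet keys. If relative paths are still accepted, the text should name the base directory so the dump does not land somewhere unexpected, e.g. `"The filename with path (absolute path recommended; a relative path is resolved against <base directory>)"` with the placeholder filled in from the implementation. The RPC help definition starts and ends outside this hunk.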
diff --git a/test/lint/lint-shell.sh b/test/lint/lint-shell.sh
index 5540a0f74f..2bb76ec286 100755
--- a/test/lint/lint-shell.sh
+++ b/test/lint/lint-shell.sh
@@ -46,15 +46,17 @@ if ! command -v yq > /dev/null; then
fi
EXCLUDE_GITIAN=${EXCLUDE}",$(IFS=','; echo "${disabled_gitian[*]}")"
+SHELLCHECK_CMD="shellcheck --external-sources --check-sourced $EXCLUDE_GITIAN"
for descriptor in $(git ls-files -- 'contrib/gitian-descriptors/*.yml')
do
- echo
- echo "$descriptor"
+ script=$(basename "$descriptor")
# Use #!/bin/bash as gitian-builder/bin/gbuild does to complete a script.
- SCRIPT=$'#!/bin/bash\n'$(yq -r .script "$descriptor")
- if ! echo "$SCRIPT" | shellcheck "$EXCLUDE_GITIAN" -; then
+ echo "#!/bin/bash" > $script
+ yq -r .script "$descriptor" >> $script
+ if ! $SHELLCHECK_CMD $script; then
EXIT_CODE=1
fi
+ rm $script
done
exit $EXIT_CODE
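Review bot: The loop writes each extracted script to `$(basename "$descriptor")` in the current directory and then runs `rm $script`, so an existing file of the same name in the working directory is overwritten and deleted, and an interrupted run leaves the file behind. Writing under a `mktemp -d` directory with an EXIT trap keeps the descriptor's basename in shellcheck's output while avoiding both problems, and quoting `"$script"` removes the word-splitting risk; the explicit `rm` then becomes unnecessary. This assumes shellcheck resolves the `source=` directive relative to its working directory rather than the script's location, which should be confirmed. `SHELLCHECK_CMD` is expanded unquoted as a command string; an array would be more robust if `EXCLUDE_GITIAN` ever contains whitespace.

```shell
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
for descriptor in $(git ls-files -- 'contrib/gitian-descriptors/*.yml')
do
  script="$tmpdir/$(basename "$descriptor")"
  # … unchanged: comment about the #!/bin/bash shebang …
  echo "#!/bin/bash" > "$script"
  yq -r .script "$descriptor" >> "$script"
  if ! $SHELLCHECK_CMD "$script"; then
  # … unchanged: EXIT_CODE=1, fi, done, exit …
```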