diff options
Diffstat (limited to 'contrib')
| -rwxr-xr-x | contrib/devtools/symbol-check.py | 34 | ||||
| -rwxr-xr-x | contrib/devtools/test-security-check.py | 34 | ||||
| -rw-r--r-- | contrib/guix/manifest.scm | 24 | ||||
| -rw-r--r-- | contrib/guix/patches/glibc-2.27-fcommon.patch | 34 | ||||
| -rw-r--r-- | contrib/guix/patches/glibc-2.27-no-librt.patch | 53 | ||||
| -rw-r--r-- | contrib/guix/patches/glibc-2.27-powerpc-ldbrx.patch | 245 | ||||
| -rw-r--r-- | contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include-to-include-asm-syscalls.h.patch | 78 | ||||
| -rw-r--r-- | contrib/guix/patches/glibc-guix-prefix.patch (renamed from contrib/guix/patches/glibc-2.27-guix-prefix.patch) | 8 | ||||
| -rw-r--r-- | contrib/macdeploy/README.md | 34 | ||||
| -rwxr-xr-x | contrib/macdeploy/gen-sdk | 15 | ||||
| -rw-r--r-- | contrib/verify-binaries/README.md | 10 | ||||
| -rwxr-xr-x | contrib/verify-binaries/test.py | 15 | ||||
| -rwxr-xr-x | contrib/verify-binaries/verify.py | 26 |
13 files changed, 94 insertions, 516 deletions
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py index 6613874ce3..c4e6bc81e1 100755 --- a/contrib/devtools/symbol-check.py +++ b/contrib/devtools/symbol-check.py @@ -14,31 +14,31 @@ import sys import lief -# Debian 10 (Buster) EOL: 2024. https://wiki.debian.org/LTS +# Debian 11 (Bullseye) EOL: 2026. https://wiki.debian.org/LTS # -# - libgcc version 8.3.0 (https://packages.debian.org/search?suite=buster&arch=any&searchon=names&keywords=libgcc1) -# - libc version 2.28 (https://packages.debian.org/search?suite=buster&arch=any&searchon=names&keywords=libc6) +# - libgcc version 10.2.1 (https://packages.debian.org/bullseye/libgcc-s1) +# - libc version 2.31 (https://packages.debian.org/source/bullseye/glibc) # -# Ubuntu 18.04 (Bionic) EOL: 2028. https://wiki.ubuntu.com/ReleaseTeam +# Ubuntu 20.04 (Focal) EOL: 2030. https://wiki.ubuntu.com/ReleaseTeam # -# - libgcc version 8.4.0 (https://packages.ubuntu.com/bionic/libgcc1) -# - libc version 2.27 (https://packages.ubuntu.com/bionic/libc6) +# - libgcc version 10.5.0 (https://packages.ubuntu.com/focal/libgcc1) +# - libc version 2.31 (https://packages.ubuntu.com/focal/libc6) # -# CentOS Stream 8 EOL: 2024. https://wiki.centos.org/About/Product +# CentOS Stream 9 EOL: 2027. https://www.centos.org/cl-vs-cs/#end-of-life # -# - libgcc version 8.5.0 (http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/) -# - libc version 2.28 (http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/) +# - libgcc version 12.2.1 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/) +# - libc version 2.34 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/) # # See https://gcc.gnu.org/onlinedocs/libstdc++/manual/abi.html for more info. MAX_VERSIONS = { 'GCC': (4,3,0), 'GLIBC': { - lief.ELF.ARCH.x86_64: (2,27), - lief.ELF.ARCH.ARM: (2,27), - lief.ELF.ARCH.AARCH64:(2,27), - lief.ELF.ARCH.PPC64: (2,27), - lief.ELF.ARCH.RISCV: (2,27), + lief.ELF.ARCH.x86_64: (2,31), + lief.ELF.ARCH.ARM: (2,31), + lief.ELF.ARCH.AARCH64:(2,31), + lief.ELF.ARCH.PPC64: (2,31), + lief.ELF.ARCH.RISCV: (2,31), }, 'LIBATOMIC': (1,0), 'V': (0,5,0), # xkb (bitcoin-qt only) @@ -212,6 +212,11 @@ def check_exported_symbols(binary) -> bool: ok = False return ok +def check_RUNPATH(binary) -> bool: + assert binary.get(lief.ELF.DYNAMIC_TAGS.RUNPATH) is None + assert binary.get(lief.ELF.DYNAMIC_TAGS.RPATH) is None + return True + def check_ELF_libraries(binary) -> bool: ok: bool = True for library in binary.libraries: @@ -277,6 +282,7 @@ lief.EXE_FORMATS.ELF: [ ('LIBRARY_DEPENDENCIES', check_ELF_libraries), ('INTERPRETER_NAME', check_ELF_interpreter), ('ABI', check_ELF_ABI), + ('RUNPATH', check_RUNPATH), ], lief.EXE_FORMATS.MACHO: [ ('DYNAMIC_LIBRARIES', check_MACHO_libraries), diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py index dd0cf7030a..7bfd4d98da 100755 --- a/contrib/devtools/test-security-check.py +++ b/contrib/devtools/test-security-check.py @@ -59,32 +59,32 @@ class TestSecurityChecks(unittest.TestCase): arch = get_arch(cc, source, executable) if arch == lief.ARCHITECTURES.X86: - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), - (1, executable+': failed PIE NX RELRO Canary CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), - (1, executable+': failed PIE RELRO Canary CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), + (1, executable+': failed PIE NX RELRO CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), (1, executable+': failed PIE RELRO CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), + (1, executable+': failed PIE RELRO CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']), (1, executable+': failed RELRO CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']), (1, executable+': failed separate_code CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']), (1, executable+': failed CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']), (0, '')) else: - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), - (1, executable+': failed PIE NX RELRO Canary')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), - (1, executable+': failed PIE RELRO Canary')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), + (1, executable+': failed PIE NX RELRO')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), + (1, executable+': failed PIE RELRO')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), (1, executable+': failed PIE RELRO')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']), (1, executable+': failed RELRO')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']), (1, executable+': failed separate_code')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']), (0, '')) clean_files(source, executable) diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm index 53569d7f7d..44fbfa1c0b 100644 --- a/contrib/guix/manifest.scm +++ b/contrib/guix/manifest.scm @@ -98,7 +98,7 @@ chain for " target " development.")) #:key (base-gcc-for-libc linux-base-gcc) (base-kernel-headers base-linux-kernel-headers) - (base-libc glibc-2.27) + (base-libc glibc-2.31) (base-gcc linux-base-gcc)) "Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values desirable for building Bitcoin Core release binaries." @@ -440,24 +440,21 @@ inspecting signatures in Mach-O binaries.") (("-rpath=") "-rpath-link=")) #t)))))))) -(define-public glibc-2.27 +(define-public glibc-2.31 + (let ((commit "8e30f03744837a85e33d84ccd34ed3abe30d37c3")) (package - (inherit glibc-2.31) - (version "2.27") + (inherit glibc) ;; 2.35 + (version "2.31") (source (origin (method git-fetch) (uri (git-reference (url "https://sourceware.org/git/glibc.git") - (commit "73886db6218e613bd6d4edf529f11e008a6c2fa6"))) - (file-name (git-file-name "glibc" "73886db6218e613bd6d4edf529f11e008a6c2fa6")) + (commit commit))) + (file-name (git-file-name "glibc" commit)) (sha256 (base32 - "0azpb9cvnbv25zg8019rqz48h8i2257ngyjg566dlnp74ivrs9vq")) - (patches (search-our-patches "glibc-2.27-riscv64-Use-__has_include-to-include-asm-syscalls.h.patch" - "glibc-2.27-fcommon.patch" - "glibc-2.27-guix-prefix.patch" - "glibc-2.27-no-librt.patch" - "glibc-2.27-powerpc-ldbrx.patch")))) + "1zi0s9yy5zkisw823vivn7zlj8w6g9p3mm7lmlqiixcxdkz4dbn6")) + (patches (search-our-patches "glibc-guix-prefix.patch")))) (arguments (substitute-keyword-arguments (package-arguments glibc) ((#:configure-flags flags) @@ -473,12 +470,13 @@ inspecting signatures in Mach-O binaries.") (lambda* (#:key outputs #:allow-other-keys) ;; Install the rpc data base file under `$out/etc/rpc'. ;; Otherwise build will fail with "Permission denied." + ;; Can be removed when we are building 2.32 or later. (let ((out (assoc-ref outputs "out"))) (substitute* "sunrpc/Makefile" (("^\\$\\(inst_sysconfdir\\)/rpc(.*)$" _ suffix) (string-append out "/etc/rpc" suffix "\n")) (("^install-others =.*$") - (string-append "install-others = " out "/etc/rpc\n")))))))))))) + (string-append "install-others = " out "/etc/rpc\n"))))))))))))) (packages->manifest (append diff --git a/contrib/guix/patches/glibc-2.27-fcommon.patch b/contrib/guix/patches/glibc-2.27-fcommon.patch deleted file mode 100644 index f8d14837fc..0000000000 --- a/contrib/guix/patches/glibc-2.27-fcommon.patch +++ /dev/null @@ -1,34 +0,0 @@ -commit 264a4a0dbe1f4369db315080034b500bed66016c -Author: fanquake <fanquake@gmail.com> -Date: Fri May 6 11:03:04 2022 +0100 - - build: use -fcommon to retain legacy behaviour with GCC 10 - - GCC 10 started using -fno-common by default, which causes issues with - the powerpc builds using gibc 2.27. A patch was committed to glibc to fix - the issue, 18363b4f010da9ba459b13310b113ac0647c2fcc but is non-trvial - to backport, and was broken in at least one way, see the followup in - commit 7650321ce037302bfc2f026aa19e0213b8d02fe6. - - For now, retain the legacy GCC behaviour by passing -fcommon when - building glibc. - - https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html. - https://sourceware.org/git/?p=glibc.git;a=commit;h=18363b4f010da9ba459b13310b113ac0647c2fcc - https://sourceware.org/git/?p=glibc.git;a=commit;h=7650321ce037302bfc2f026aa19e0213b8d02fe6 - - This patch can be dropped when we are building with glibc 2.31+. - -diff --git a/Makeconfig b/Makeconfig -index 86a71e5802..aa2166be60 100644 ---- a/Makeconfig -+++ b/Makeconfig -@@ -896,7 +896,7 @@ ifeq "$(strip $(+cflags))" "" - endif # $(+cflags) == "" - - +cflags += $(cflags-cpu) $(+gccwarn) $(+merge-constants) $(+math-flags) \ -- $(+stack-protector) -+ $(+stack-protector) -fcommon - +gcc-nowarn := -w - - # Don't duplicate options if we inherited variables from the parent. diff --git a/contrib/guix/patches/glibc-2.27-no-librt.patch b/contrib/guix/patches/glibc-2.27-no-librt.patch deleted file mode 100644 index 4f2092ba7e..0000000000 --- a/contrib/guix/patches/glibc-2.27-no-librt.patch +++ /dev/null @@ -1,53 +0,0 @@ -This patch can be dropped when we are building with glibc 2.30+. - -commit 6e41ef56c9baab719a02f1377b1e7ce7bff61e73 -Author: Florian Weimer <fweimer@redhat.com> -Date: Fri Feb 8 10:21:56 2019 +0100 - - rt: Turn forwards from librt to libc into compat symbols [BZ #24194] - - As the result of commit 6e6249d0b461b952d0f544792372663feb6d792a - ("BZ#14743: Move clock_* symbols from librt to libc."), in glibc 2.17, - clock_gettime, clock_getres, clock_settime, clock_getcpuclockid, - clock_nanosleep were added to libc, and the file rt/clock-compat.c - was added with forwarders to the actual implementations in libc. - These forwarders were wrapped in - - #if SHLIB_COMPAT (librt, GLIBC_2_2, GLIBC_2_17) - - so that they are not present for newer architectures (such as - powerpc64le) with a 2.17 or later ABI baseline. But the forwarders - were not marked as compatibility symbols. As a result, on older - architectures, historic configure checks such as - - AC_CHECK_LIB(rt, clock_gettime) - - still cause linking against librt, even though this is completely - unnecessary. It also creates a needless porting hazard because - architectures behave differently when it comes to symbol availability. - - Reviewed-by: Carlos O'Donell <carlos@redhat.com> - -diff --git a/rt/clock-compat.c b/rt/clock-compat.c -index f816973c05..11e71aa890 100644 ---- a/rt/clock-compat.c -+++ b/rt/clock-compat.c -@@ -30,14 +30,16 @@ - #if HAVE_IFUNC - # undef INIT_ARCH - # define INIT_ARCH() --# define COMPAT_REDIRECT(name, proto, arglist) libc_ifunc (name, &__##name) -+# define COMPAT_REDIRECT(name, proto, arglist) libc_ifunc (name, &__##name) \ -+ compat_symbol (librt, name, name, GLIBC_2_2); - #else - # define COMPAT_REDIRECT(name, proto, arglist) \ - int \ - name proto \ - { \ - return __##name arglist; \ -- } -+ } \ -+ compat_symbol (librt, name, name, GLIBC_2_2); - #endif - - COMPAT_REDIRECT (clock_getres, diff --git a/contrib/guix/patches/glibc-2.27-powerpc-ldbrx.patch b/contrib/guix/patches/glibc-2.27-powerpc-ldbrx.patch deleted file mode 100644 index 26716054c8..0000000000 --- a/contrib/guix/patches/glibc-2.27-powerpc-ldbrx.patch +++ /dev/null @@ -1,245 +0,0 @@ -From 50b0b3c9ff71ffd7ebbd74ae46844c3566478123 Mon Sep 17 00:00:00 2001 -From: "Gabriel F. T. Gomes" <gabrielftg@linux.ibm.com> -Date: Mon, 27 May 2019 15:21:22 -0300 -Subject: [PATCH] powerpc: Fix build failures with current GCC - -Since GCC commit 271500 (svn), also known as the following commit on the -git mirror: - -commit e154242724b084380e3221df7c08fcdbd8460674 -Author: amodra <amodra@138bc75d-0d04-0410-961f-82ee72b054a4> -Date: Wed May 22 04:34:26 2019 +0000 - - [RS6000] Don't pass -many to the assembler - -glibc builds are failing when an assembly implementation does not -declare the correct '.machine' directive, or when no such directive is -declared at all. For example, when a POWER6 instruction is used, but -'.machine power6' is not declared, the assembler will fail with an error -similar to the following: - - ../sysdeps/powerpc/powerpc64/power8/strcmp.S: Assembler messages: - 24 ../sysdeps/powerpc/powerpc64/power8/strcmp.S:55: Error: unrecognized opcode: `cmpb' - -This patch adds '.machine powerN' directives where none existed, as well -as it updates '.machine power7' directives on POWER8 files, because the -minimum binutils version required to build glibc (binutils 2.25) now -provides this machine version. It also adds '-many' to the assembler -command used to build tst-set_ppr.c. - -Tested for powerpc, powerpc64, and powerpc64le, as well as with -build-many-glibcs.py for powerpc targets. - -Reviewed-by: Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com> ---- - sysdeps/powerpc/Makefile | 5 +++ - sysdeps/powerpc/powerpc64/power4/memcmp.S | 7 ++++ - sysdeps/powerpc/powerpc64/power7/strncmp.S | 1 + - .../powerpc/powerpc64/power8/fpu/s_llround.S | 1 + - sysdeps/powerpc/powerpc64/power8/strcasecmp.S | 36 ++++++------------- - sysdeps/powerpc/powerpc64/power8/strcasestr.S | 14 ++------ - sysdeps/powerpc/powerpc64/power8/strcmp.S | 1 + - 7 files changed, 28 insertions(+), 37 deletions(-) - -diff --git a/sysdeps/powerpc/Makefile b/sysdeps/powerpc/Makefile -index 6aa683b03f..23126147df 100644 ---- a/sysdeps/powerpc/Makefile -+++ b/sysdeps/powerpc/Makefile -@@ -45,6 +45,11 @@ ifeq ($(subdir),misc) - sysdep_headers += sys/platform/ppc.h - tests += test-gettimebase - tests += tst-set_ppr -+ -+# This test is expected to run and exit with EXIT_UNSUPPORTED on -+# processors that do not implement the Power ISA 2.06 or greater. -+# But the test makes use of instructions from Power ISA 2.06 and 2.07. -+CFLAGS-tst-set_ppr.c += -Wa,-many - endif - - ifneq (,$(filter %le,$(config-machine))) -diff --git a/sysdeps/powerpc/powerpc64/power4/memcmp.S b/sysdeps/powerpc/powerpc64/power4/memcmp.S -index e5319f101f..38dcf4c9a1 100644 ---- a/sysdeps/powerpc/powerpc64/power4/memcmp.S -+++ b/sysdeps/powerpc/powerpc64/power4/memcmp.S -@@ -26,7 +26,14 @@ - # define MEMCMP memcmp - #endif - -+#ifndef __LITTLE_ENDIAN__ - .machine power4 -+#else -+/* Little endian is only available since POWER8, so it's safe to -+ specify .machine as power8 (or older), even though this is a POWER4 -+ file. Since the little-endian code uses 'ldbrx', power7 is enough. */ -+ .machine power7 -+#endif - ENTRY_TOCLESS (MEMCMP, 4) - CALL_MCOUNT 3 - -diff --git a/sysdeps/powerpc/powerpc64/power7/strncmp.S b/sysdeps/powerpc/powerpc64/power7/strncmp.S -index 0c7429d19f..10f898c5a3 100644 ---- a/sysdeps/powerpc/powerpc64/power7/strncmp.S -+++ b/sysdeps/powerpc/powerpc64/power7/strncmp.S -@@ -28,6 +28,7 @@ - const char *s2 [r4], - size_t size [r5]) */ - -+ .machine power7 - ENTRY_TOCLESS (STRNCMP, 5) - CALL_MCOUNT 3 - -diff --git a/sysdeps/powerpc/powerpc64/power8/fpu/s_llround.S b/sysdeps/powerpc/powerpc64/power8/fpu/s_llround.S -index a22fc63bb3..84c76ba0f9 100644 ---- a/sysdeps/powerpc/powerpc64/power8/fpu/s_llround.S -+++ b/sysdeps/powerpc/powerpc64/power8/fpu/s_llround.S -@@ -26,6 +26,7 @@ - - /* long long [r3] llround (float x [fp1]) */ - -+ .machine power8 - ENTRY_TOCLESS (__llround) - CALL_MCOUNT 0 - frin fp1,fp1 /* Round to nearest +-0.5. */ -diff --git a/sysdeps/powerpc/powerpc64/power8/strcasecmp.S b/sysdeps/powerpc/powerpc64/power8/strcasecmp.S -index 3a2efe2a64..eeacd40c7f 100644 ---- a/sysdeps/powerpc/powerpc64/power8/strcasecmp.S -+++ b/sysdeps/powerpc/powerpc64/power8/strcasecmp.S -@@ -91,21 +91,7 @@ - 3: \ - TOLOWER() - --#ifdef _ARCH_PWR8 --# define VCLZD_V8_v7 vclzd v8, v7; --# define MFVRD_R3_V1 mfvrd r3, v1; --# define VSUBUDM_V9_V8 vsubudm v9, v9, v8; --# define VPOPCNTD_V8_V8 vpopcntd v8, v8; --# define VADDUQM_V7_V8 vadduqm v9, v7, v8; --#else --# define VCLZD_V8_v7 .long 0x11003fc2 --# define MFVRD_R3_V1 .long 0x7c230067 --# define VSUBUDM_V9_V8 .long 0x112944c0 --# define VPOPCNTD_V8_V8 .long 0x110047c3 --# define VADDUQM_V7_V8 .long 0x11274100 --#endif -- -- .machine power7 -+ .machine power8 - - ENTRY (__STRCASECMP) - #ifdef USE_AS_STRNCASECMP -@@ -265,15 +251,15 @@ L(different): - #ifdef __LITTLE_ENDIAN__ - /* Count trailing zero. */ - vspltisb v8, -1 -- VADDUQM_V7_V8 -+ vadduqm v9, v7, v8 - vandc v8, v9, v7 -- VPOPCNTD_V8_V8 -+ vpopcntd v8, v8 - vspltb v6, v8, 15 - vcmpequb. v6, v6, v1 - blt cr6, L(shift8) - #else - /* Count leading zero. */ -- VCLZD_V8_v7 -+ vclzd v8, v7 - vspltb v6, v8, 7 - vcmpequb. v6, v6, v1 - blt cr6, L(shift8) -@@ -291,7 +277,7 @@ L(skipsum): - /* Merge and move to GPR. */ - vmrglb v6, v6, v7 - vslo v1, v6, v1 -- MFVRD_R3_V1 -+ mfvrd r3, v1 - /* Place the characters that are different in first position. */ - sldi rSTR2, rRTN, 56 - srdi rSTR2, rSTR2, 56 -@@ -301,7 +287,7 @@ L(skipsum): - vslo v6, v5, v8 - vslo v7, v4, v8 - vmrghb v1, v6, v7 -- MFVRD_R3_V1 -+ mfvrd r3, v1 - srdi rSTR2, rRTN, 48 - sldi rSTR2, rSTR2, 56 - srdi rSTR2, rSTR2, 56 -@@ -320,15 +306,15 @@ L(null_found): - #ifdef __LITTLE_ENDIAN__ - /* Count trailing zero. */ - vspltisb v8, -1 -- VADDUQM_V7_V8 -+ vadduqm v9, v7, v8 - vandc v8, v9, v7 -- VPOPCNTD_V8_V8 -+ vpopcntd v8, v8 - vspltb v6, v8, 15 - vcmpequb. v6, v6, v10 - blt cr6, L(shift_8) - #else - /* Count leading zero. */ -- VCLZD_V8_v7 -+ vclzd v8, v7 - vspltb v6, v8, 7 - vcmpequb. v6, v6, v10 - blt cr6, L(shift_8) -@@ -343,10 +329,10 @@ L(skipsum1): - vspltisb v10, 7 - vslb v10, v10, v10 - vsldoi v9, v0, v10, 1 -- VSUBUDM_V9_V8 -+ vsubudm v9, v9, v8 - vspltisb v8, 8 - vsldoi v8, v0, v8, 1 -- VSUBUDM_V9_V8 -+ vsubudm v9, v9, v8 - /* Shift and remove junk after null character. */ - #ifdef __LITTLE_ENDIAN__ - vslo v5, v5, v9 -diff --git a/sysdeps/powerpc/powerpc64/power8/strcasestr.S b/sysdeps/powerpc/powerpc64/power8/strcasestr.S -index 9fc24c29f9..e10f06fd86 100644 ---- a/sysdeps/powerpc/powerpc64/power8/strcasestr.S -+++ b/sysdeps/powerpc/powerpc64/power8/strcasestr.S -@@ -73,18 +73,8 @@ - vor reg, v8, reg; \ - vcmpequb. v6, reg, v4; - --/* TODO: change these to the actual instructions when the minimum required -- binutils allows it. */ --#ifdef _ARCH_PWR8 --#define VCLZD_V8_v7 vclzd v8, v7; --#else --#define VCLZD_V8_v7 .long 0x11003fc2 --#endif -- - #define FRAMESIZE (FRAME_MIN_SIZE+48) --/* TODO: change this to .machine power8 when the minimum required binutils -- allows it. */ -- .machine power7 -+ .machine power8 - ENTRY (STRCASESTR, 4) - CALL_MCOUNT 2 - mflr r0 /* Load link register LR to r0. */ -@@ -291,7 +281,7 @@ L(nullchk1): - vcmpequb. v6, v0, v7 - /* Shift r3 by 16 bytes and proceed. */ - blt cr6, L(shift16) -- VCLZD_V8_v7 -+ vclzd v8, v7 - #ifdef __LITTLE_ENDIAN__ - vspltb v6, v8, 15 - #else -diff --git a/sysdeps/powerpc/powerpc64/power8/strcmp.S b/sysdeps/powerpc/powerpc64/power8/strcmp.S -index 15e7351d1b..d592266d1d 100644 ---- a/sysdeps/powerpc/powerpc64/power8/strcmp.S -+++ b/sysdeps/powerpc/powerpc64/power8/strcmp.S -@@ -31,6 +31,7 @@ - 64K as default, the page cross handling assumes minimum page size of - 4k. */ - -+ .machine power8 - ENTRY_TOCLESS (STRCMP, 4) - li r0,0 - --- -2.41.0 diff --git a/contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include-to-include-asm-syscalls.h.patch b/contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include-to-include-asm-syscalls.h.patch deleted file mode 100644 index ab8ae9c023..0000000000 --- a/contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include-to-include-asm-syscalls.h.patch +++ /dev/null @@ -1,78 +0,0 @@ -Note that this has been modified from the original commit, to use __has_include -instead of __has_include__, as the later was causing build failures with GCC 10. -See also: http://lists.busybox.net/pipermail/buildroot/2020-July/590376.html. - -https://sourceware.org/git/?p=glibc.git;a=commit;h=0b9c84906f653978fb8768c7ebd0ee14a47e662e - -This patch can be dropped when we are building with glibc 2.28+. - -From 562c52cc81a4e456a62e6455feb32732049e9070 Mon Sep 17 00:00:00 2001 -From: "H.J. Lu" <hjl.tools@gmail.com> -Date: Mon, 31 Dec 2018 09:26:42 -0800 -Subject: [PATCH] riscv: Use __has_include__ to include <asm/syscalls.h> [BZ - #24022] - -<asm/syscalls.h> has been removed by - -commit 27f8899d6002e11a6e2d995e29b8deab5aa9cc25 -Author: David Abdurachmanov <david.abdurachmanov@gmail.com> -Date: Thu Nov 8 20:02:39 2018 +0100 - - riscv: add asm/unistd.h UAPI header - - Marcin Juszkiewicz reported issues while generating syscall table for riscv - using 4.20-rc1. The patch refactors our unistd.h files to match some other - architectures. - - - Add asm/unistd.h UAPI header, which has __ARCH_WANT_NEW_STAT only for 64-bit - - Remove asm/syscalls.h UAPI header and merge to asm/unistd.h - - Adjust kernel asm/unistd.h - - So now asm/unistd.h UAPI header should show all syscalls for riscv. - -<asm/syscalls.h> may be restored by - -Subject: [PATCH] riscv: restore asm/syscalls.h UAPI header -Date: Tue, 11 Dec 2018 09:09:35 +0100 - -UAPI header asm/syscalls.h was merged into UAPI asm/unistd.h header, -which did resolve issue with missing syscalls macros resulting in -glibc (2.28) build failure. It also broke glibc in a different way: -asm/syscalls.h is being used by glibc. I noticed this while doing -Fedora 30/Rawhide mass rebuild. - -The patch returns asm/syscalls.h header and incl. it into asm/unistd.h. -I plan to send a patch to glibc to use asm/unistd.h instead of -asm/syscalls.h - -In the meantime, we use __has_include__, which was added to GCC 5, to -check if <asm/syscalls.h> exists before including it. Tested with -build-many-glibcs.py for riscv against kernel 4.19.12 and 4.20-rc7. - - [BZ #24022] - * sysdeps/unix/sysv/linux/riscv/flush-icache.c: Check if - <asm/syscalls.h> exists with __has_include__ before including it. ---- - sysdeps/unix/sysv/linux/riscv/flush-icache.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/sysdeps/unix/sysv/linux/riscv/flush-icache.c b/sysdeps/unix/sysv/linux/riscv/flush-icache.c -index d612ef4c6c..0b2042620b 100644 ---- a/sysdeps/unix/sysv/linux/riscv/flush-icache.c -+++ b/sysdeps/unix/sysv/linux/riscv/flush-icache.c -@@ -21,7 +21,11 @@ - #include <stdlib.h> - #include <atomic.h> - #include <sys/cachectl.h> --#include <asm/syscalls.h> -+#if __has_include (<asm/syscalls.h>) -+# include <asm/syscalls.h> -+#else -+# include <asm/unistd.h> -+#endif - - typedef int (*func_type) (void *, void *, unsigned long int); - --- -2.31.1 - diff --git a/contrib/guix/patches/glibc-2.27-guix-prefix.patch b/contrib/guix/patches/glibc-guix-prefix.patch index dc515907ff..60e12ca525 100644 --- a/contrib/guix/patches/glibc-2.27-guix-prefix.patch +++ b/contrib/guix/patches/glibc-guix-prefix.patch @@ -4,19 +4,13 @@ hash for the same package will differ when on different architectures. In order to be reproducible regardless of the architecture used to build the package, map all guix store prefixes to something fixed, e.g. /usr. -We might be able to drop this in favour of using --with-nonshared-cflags -when we begin using newer versions of glibc. - --- a/Makeconfig +++ b/Makeconfig -@@ -992,6 +992,10 @@ object-suffixes := +@@ -1007,6 +1007,7 @@ object-suffixes := CPPFLAGS-.o = $(pic-default) # libc.a must be compiled with -fPIE/-fpie for static PIE. CFLAGS-.o = $(filter %frame-pointer,$(+cflags)) $(pie-default) -+ -+# Map Guix store paths to /usr +CFLAGS-.o += `find /gnu/store -maxdepth 1 -mindepth 1 -type d -exec echo -n " -ffile-prefix-map={}=/usr" \;` -+ libtype.o := lib%.a object-suffixes += .o ifeq (yes,$(build-shared)) diff --git a/contrib/macdeploy/README.md b/contrib/macdeploy/README.md index 78f61685e1..d47ee6774e 100644 --- a/contrib/macdeploy/README.md +++ b/contrib/macdeploy/README.md @@ -56,30 +56,22 @@ The `sha256sum` should be `c0c2e7bb92c1fee0c4e9f3a485e4530786732d6c6dd9e9f418c28 ## Deterministic macOS App Notes -macOS Applications are created in Linux using a recent LLVM. +macOS Applications are created on Linux using a recent LLVM. -Apple uses `clang` extensively for development and has upstreamed the necessary -functionality so that a vanilla clang can take advantage. It supports the use of `-F`, -`-target`, `-mmacosx-version-min`, and `-isysroot`, which are all necessary when -building for macOS. +All builds must target an Apple SDK. These SDKs are free to download, but not redistributable. +See the SDK Extraction notes above for how to obtain it. -To complicate things further, all builds must target an Apple SDK. These SDKs are free to -download, but not redistributable. See the SDK Extraction notes above for how to obtain it. +The Guix build process has been designed to avoid including the SDK's files in Guix's outputs. +All interim tarballs are fully deterministic and may be freely redistributed. -The Guix process builds 2 sets of files: Linux tools, then Apple binaries which are -created using these tools. The build process has been designed to avoid including the -SDK's files in Guix's outputs. All interim tarballs are fully deterministic and may be freely -redistributed. - -As of OS X 10.9 Mavericks, using an Apple-blessed key to sign binaries is a requirement in -order to satisfy the new Gatekeeper requirements. Because this private key cannot be -shared, we'll have to be a bit creative in order for the build process to remain somewhat -deterministic. Here's how it works: +Using an Apple-blessed key to sign binaries is a requirement to produce (distributable) macOS +binaries. Because this private key cannot be shared, we'll have to be a bit creative in order +for the build process to remain somewhat deterministic. Here's how it works: - Builders use Guix to create an unsigned release. This outputs an unsigned ZIP which - users may choose to bless and run. It also outputs an unsigned app structure in the form - of a tarball. + users may choose to bless, self-codesign, and run. It also outputs an unsigned app structure + in the form of a tarball. - The Apple keyholder uses this unsigned app to create a detached signature, using the - script that is also included there. Detached signatures are available from this [repository](https://github.com/bitcoin-core/bitcoin-detached-sigs). -- Builders feed the unsigned app + detached signature back into Guix. It uses the - pre-built tools to recombine the pieces into a deterministic ZIP. + included script. Detached signatures are available from this [repository](https://github.com/bitcoin-core/bitcoin-detached-sigs). +- Builders feed the unsigned app + detached signature back into Guix, which combines the + pieces into a deterministic ZIP. diff --git a/contrib/macdeploy/gen-sdk b/contrib/macdeploy/gen-sdk index b73f5cba14..86a6262b5c 100755 --- a/contrib/macdeploy/gen-sdk +++ b/contrib/macdeploy/gen-sdk @@ -8,21 +8,6 @@ import gzip import os import contextlib -# monkey-patch Python 3.8 and older to fix wrong TAR header handling -# see https://github.com/bitcoin/bitcoin/pull/24534 -# and https://github.com/python/cpython/pull/18080 for more info -if sys.version_info < (3, 9): - _old_create_header = tarfile.TarInfo._create_header - def _create_header(info, format, encoding, errors): - buf = _old_create_header(info, format, encoding, errors) - # replace devmajor/devminor with binary zeroes - buf = buf[:329] + bytes(16) + buf[345:] - # recompute checksum - chksum = tarfile.calc_chksums(buf)[0] - buf = buf[:-364] + bytes("%06o\0" % chksum, "ascii") + buf[-357:] - return buf - tarfile.TarInfo._create_header = staticmethod(_create_header) - @contextlib.contextmanager def cd(path): """Context manager that restores PWD even if an exception was raised.""" diff --git a/contrib/verify-binaries/README.md b/contrib/verify-binaries/README.md index 04d683e69b..0f3e16a5bc 100644 --- a/contrib/verify-binaries/README.md +++ b/contrib/verify-binaries/README.md @@ -50,6 +50,7 @@ Get JSON output and don't prompt for user input (no auto key import): ```sh ./contrib/verify-binaries/verify.py --json pub 22.0-x86 +./contrib/verify-binaries/verify.py --json pub 23.0-rc5-linux-gnu ``` Rely only on local GPG state and manually specified keys, while requiring a @@ -57,14 +58,15 @@ threshold of at least 10 trusted signatures: ```sh ./contrib/verify-binaries/verify.py \ --trusted-keys 74E2DEF5D77260B98BC19438099BAD163C70FBFA,9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C \ - --min-good-sigs 10 pub 22.0-x86 + --min-good-sigs 10 pub 22.0-linux ``` -If you only want to download the binaries for a certain platform, add the corresponding suffix, e.g.: +If you only want to download the binaries for a certain architecture and/or platform, add the corresponding suffix, e.g.: ```sh -./contrib/verify-binaries/verify.py pub 24.0.1-darwin -./contrib/verify-binaries/verify.py pub 23.1-rc1-win64 +./contrib/verify-binaries/verify.py pub 25.2-x86_64-linux +./contrib/verify-binaries/verify.py pub 24.1-rc1-darwin +./contrib/verify-binaries/verify.py pub 27.0-win64-setup.exe ``` If you do not want to keep the downloaded binaries, specify the cleanup option. diff --git a/contrib/verify-binaries/test.py b/contrib/verify-binaries/test.py index 22d718ece3..875606ec22 100755 --- a/contrib/verify-binaries/test.py +++ b/contrib/verify-binaries/test.py @@ -12,6 +12,21 @@ def main(): expect_code(run_verify("", "pub", '0.32.awefa.12f9h'), 11, "Malformed version should fail") expect_code(run_verify('--min-good-sigs 20', "pub", "22.0"), 9, "--min-good-sigs 20 should fail") + print("- testing verification (22.0-x86_64-linux-gnu.tar.gz)", flush=True) + _220_x86_64_linux_gnu = run_verify("--json", "pub", "22.0-x86_64-linux-gnu.tar.gz") + try: + result = json.loads(_220_x86_64_linux_gnu.stdout.decode()) + except Exception: + print("failed on 22.0-x86_64-linux-gnu.tar.gz --json:") + print_process_failure(_220_x86_64_linux_gnu) + raise + + expect_code(_220_x86_64_linux_gnu, 0, "22.0-x86_64-linux-gnu.tar.gz should succeed") + v = result['verified_binaries'] + assert result['good_trusted_sigs'] + assert len(v) == 1 + assert v['bitcoin-22.0-x86_64-linux-gnu.tar.gz'] == '59ebd25dd82a51638b7a6bb914586201e67db67b919b2a1ff08925a7936d1b16' + print("- testing verification (22.0)", flush=True) _220 = run_verify("--json", "pub", "22.0") try: diff --git a/contrib/verify-binaries/verify.py b/contrib/verify-binaries/verify.py index 12e6e10d8a..6c07b36c9d 100755 --- a/contrib/verify-binaries/verify.py +++ b/contrib/verify-binaries/verify.py @@ -97,23 +97,17 @@ def bool_from_env(key, default=False) -> bool: VERSION_FORMAT = "<major>.<minor>[.<patch>][-rc[0-9]][-platform]" -VERSION_EXAMPLE = "22.0-x86_64 or 23.1-rc1-darwin" +VERSION_EXAMPLE = "22.0 or 23.1-rc1-darwin.dmg or 27.0-x86_64-linux-gnu" def parse_version_string(version_str): - parts = version_str.split('-') - version_base = parts[0] - version_rc = "" - version_os = "" - if len(parts) == 2: # "<version>-rcN" or "version-platform" - if "rc" in parts[1]: - version_rc = parts[1] - else: - version_os = parts[1] - elif len(parts) == 3: # "<version>-rcN-platform" - version_rc = parts[1] - version_os = parts[2] + # "<version>[-rcN][-platform]" + version_base, _, platform = version_str.partition('-') + rc = "" + if platform.startswith("rc"): # "<version>-rcN[-platform]" + rc, _, platform = platform.partition('-') + # else "<version>" or "<version>-platform" - return version_base, version_rc, version_os + return version_base, rc, platform def download_with_wget(remote_file, local_file): @@ -514,7 +508,9 @@ def verify_published_handler(args: argparse.Namespace) -> ReturnCode: # Extract hashes and filenames hashes_to_verify = parse_sums_file(SUMS_FILENAME, [os_filter]) if not hashes_to_verify: - log.error("no files matched the platform specified") + available_versions = ["-".join(line[1].split("-")[2:]) for line in parse_sums_file(SUMS_FILENAME, [])] + closest_match = difflib.get_close_matches(os_filter, available_versions, cutoff=0, n=1)[0] + log.error(f"No files matched the platform specified. Did you mean: {closest_match}") return ReturnCode.NO_BINARIES_MATCH # remove binaries that are known not to be hosted by bitcoincore.org |