From c6a6b2d6fd4e3a01b095dc98645f819ebabf1931 Mon Sep 17 00:00:00 2001 From: fanquake Date: Thu, 9 May 2024 19:14:13 +0800 Subject: build: add lld into macOS build environment(s) --- contrib/guix/manifest.scm | 2 ++ 1 file changed, 2 insertions(+) (limited to 'contrib') diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm index 96818c7748..38ff08b699 100644 --- a/contrib/guix/manifest.scm +++ b/contrib/guix/manifest.scm @@ -534,6 +534,8 @@ inspecting signatures in Mach-O binaries.") gcc-toolchain-11 binutils clang-toolchain-17 + lld-17 + (make-lld-wrapper lld-17 #:lld-as-ld? #t) python-signapple zip)) (else '()))))) -- cgit v1.2.3 From 4a0536c5d96688729f8c885060c83cb12d72a8c5 Mon Sep 17 00:00:00 2001 From: fanquake Date: Thu, 9 May 2024 19:20:17 +0800 Subject: build: switch to using lld for macOS builds Adjust the security check for: ld64.lld: warning: Option `-allow_stack_execute' is not yet implemented. ld64.lld: error: -fixup_chains is incompatible with -no_pie and to account for the embedding of LLVMs version number. --- contrib/devtools/symbol-check.py | 2 +- contrib/devtools/test-security-check.py | 24 +++++++++--------------- 2 files changed, 10 insertions(+), 16 deletions(-) (limited to 'contrib') diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py index b3e73bb2b9..e4a62c2072 100755 --- a/contrib/devtools/symbol-check.py +++ b/contrib/devtools/symbol-check.py @@ -240,7 +240,7 @@ def check_MACHO_sdk(binary) -> bool: return False def check_MACHO_ld64(binary) -> bool: - if binary.build_version.tools[0].version == [711, 0, 0]: + if binary.build_version.tools[0].version == [17, 0, 6]: return True return False diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py index 51bca4627e..dd0cf7030a 100755 --- a/contrib/devtools/test-security-check.py +++ b/contrib/devtools/test-security-check.py 
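Review bot: The new comparison in check_MACHO_ld64 pins a bare magic list with no explanation of where `[17, 0, 6]` comes from, so the next toolchain bump will trip the check with nothing in the code saying why; the rationale is in the commit message (lld records the LLVM release where ld64 wrote its own 711.0.0) and belongs above the `if`, e.g. `# lld-17 records the LLVM release (17.0.6) as the linker version; ld64 reported 711.0.0`. The function name still says ld64 although the linker being identified is now lld, which deserves at least a docstring noting the strict equality is a pin of the expected release-build toolchain rather than a minimum. Indexing `tools[0]` presumably assumes the linker is the first entry in the build-version tool list; if LIEF exposes the tool kind for each entry, matching on it would be more robust than the position, but that cannot be confirmed from this hunk.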
@@ -120,21 +120,15 @@ class TestSecurityChecks(unittest.TestCase): arch = get_arch(cc, source, executable) if arch == lief.ARCHITECTURES.X86: - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector', '-Wl,-no_fixup_chains']), - (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS PIE NX CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector', '-Wl,-fixup_chains']), - (1, executable+': failed NOUNDEFS Canary PIE NX CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all', '-Wl,-fixup_chains']), - (1, executable+': failed NOUNDEFS PIE NX CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']), - (1, executable+': failed NOUNDEFS PIE CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']), - (1, executable+': failed PIE CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']), - (1, executable+': failed PIE CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']), - (1, executable+': failed PIE')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-no_fixup_chains']), + (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS PIE CONTROL_FLOW')) + 
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains']), + (1, executable+': failed NOUNDEFS Canary CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']), + (1, executable+': failed NOUNDEFS CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']), + (1, executable+': failed CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']), (0, '')) else: # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks -- cgit v1.2.3 From f836f7e9b3e091eb27cdefb624e2a6f2a921fa55 Mon Sep 17 00:00:00 2001 From: fanquake Date: Thu, 9 May 2024 19:41:58 +0800 Subject: depends: remove cctools & libtapi --- contrib/macdeploy/README.md | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) (limited to 'contrib') diff --git a/contrib/macdeploy/README.md b/contrib/macdeploy/README.md index d1df3062f8..ed945b72d1 100644 --- a/contrib/macdeploy/README.md +++ b/contrib/macdeploy/README.md 
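Review bot: After this hunk no x86_64 case asserts an `NX` failure any more — every `-Wl,-allow_stack_execute` variant was dropped because lld does not implement the option, so the NX check is now exercised only in its passing direction on macOS. That is a coverage gap rather than a bug, but it should be recorded next to the remaining cases so nobody reads the absence as NX being untestable by design: `# lld does not implement -allow_stack_execute, so the NX failure path cannot be triggered here`. The same applies to `-Wl,-no_pie`, which now appears only in the first case together with `-Wl,-no_fixup_chains` because `-fixup_chains` is incompatible with `-no_pie` under lld; a one-line comment there would save the next reader the trip to the commit log. The enclosing test method begins above the hunk.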
@@ -56,28 +56,16 @@ The `sha256sum` should be `c0c2e7bb92c1fee0c4e9f3a485e4530786732d6c6dd9e9f418c28 ## Deterministic macOS App Notes -macOS Applications are created in Linux by combining a recent `clang` and the Apple -`binutils` (`ld`, `ar`, etc). +macOS Applications are created in Linux using a recent LLVM. Apple uses `clang` extensively for development and has upstreamed the necessary functionality so that a vanilla clang can take advantage. It supports the use of `-F`, `-target`, `-mmacosx-version-min`, and `-isysroot`, which are all necessary when building for macOS. -Apple's version of `binutils` (called `cctools`) contains lots of functionality missing in the -FSF's `binutils`. In addition to extra linker options for frameworks and sysroots, several -other tools are needed as well. These do not build under Linux, so they have been patched to -do so. The work here was used as a starting point: [mingwandroid/toolchain4](https://github.com/mingwandroid/toolchain4). - -In order to build a working toolchain, the following source packages are needed from -Apple: `cctools`, `dyld`, and `ld64`. - These tools inject timestamps by default, which produce non-deterministic binaries. The `ZERO_AR_DATE` environment variable is used to disable that. -This version of `cctools` has been patched to use the current version of `clang`'s headers -and its `libLTO.so` rather than those from `llvmgcc`, as it was originally done in `toolchain4`. - To complicate things further, all builds must target an Apple SDK. These SDKs are free to download, but not redistributable. See the SDK Extraction notes above for how to obtain it. -- cgit v1.2.3 From 9ec238d0f3c7b97aec83dbeb4c7a6950c8f5125e Mon Sep 17 00:00:00 2001 
From: fanquake Date: Fri, 22 Dec 2023 10:42:58 +0000 Subject: guix: remove ZERO_AR_DATE export LLD enables ZERO_AR_DATE by default, setting it to zero would enable non-determinism, setting it to any other value is ignored. See: https://github.com/llvm/llvm-project/blob/main/lld/docs/MachO/ld64-vs-lld.rst. --- contrib/guix/libexec/build.sh | 10 ---------- contrib/macdeploy/README.md | 3 --- 2 files changed, 13 deletions(-) (limited to 'contrib') diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh index 1e9b682f3f..e0c8baf3fe 100755 --- a/contrib/guix/libexec/build.sh +++ b/contrib/guix/libexec/build.sh @@ -173,16 +173,6 @@ esac # Environment variables for determinism export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name" export TZ="UTC" -case "$HOST" in - *darwin*) - # cctools AR, unlike GNU binutils AR, does not have a deterministic mode - # or a configure flag to enable determinism by default, it only - # understands if this env-var is set or not. See: - # - # https://github.com/tpoechtrager/cctools-port/blob/55562e4073dea0fbfd0b20e0bf69ffe6390c7f97/cctools/ar/archive.c#L334 - export ZERO_AR_DATE=yes - ;; -esac #################### # Depends Building # diff --git a/contrib/macdeploy/README.md b/contrib/macdeploy/README.md index ed945b72d1..78f61685e1 100644 --- a/contrib/macdeploy/README.md +++ b/contrib/macdeploy/README.md @@ -63,9 +63,6 @@ functionality so that a vanilla clang can take advantage. It supports the use of `-target`, `-mmacosx-version-min`, and `-isysroot`, which are all necessary when building for macOS. -These tools inject timestamps by default, which produce non-deterministic binaries. The -`ZERO_AR_DATE` environment variable is used to disable that. - To complicate things further, all builds must target an Apple SDK. These SDKs are free to download, but not redistributable. See the SDK Extraction notes above for how to obtain it. -- cgit v1.2.3 
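Review bot: The removal leaves the `# Environment variables for determinism` section with no record of how archive timestamps are kept deterministic for darwin; the deleted comment carried that rationale, and the replacement reasoning now lives only in the commit message. A short comment after `export TZ="UTC"` would keep it discoverable, e.g. `# No ZERO_AR_DATE for darwin: the LLVM toolchain is deterministic by default (see lld's ld64-vs-lld notes)`. Whether the LLVM archiver in this Guix environment is in fact deterministic by default is inferred from the commit message rather than from anything visible in the hunk, so it is worth confirming before wording the comment as a fact.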
From 555fddf646265f7e57a416dc64b171f2c9460e20 Mon Sep 17 00:00:00 2001 From: fanquake Date: Thu, 21 Apr 2022 10:24:59 +0100 Subject: guix: use GUIX_LD_WRAPPER_DISABLE_RPATH for all HOSTS --- contrib/guix/libexec/build.sh | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) (limited to 'contrib') diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh index e0c8baf3fe..f589ac7a55 100755 --- a/contrib/guix/libexec/build.sh +++ b/contrib/guix/libexec/build.sh @@ -133,18 +133,7 @@ for p in "${PATHS[@]}"; do done # Disable Guix ld auto-rpath behavior -case "$HOST" in - *darwin*) - # The auto-rpath behavior is necessary for darwin builds as some native - # tools built by depends refer to and depend on Guix-built native - # libraries - # - # After the native packages in depends are built, the ld wrapper should - # no longer affect our build, as clang would instead reach for - # x86_64-apple-darwin-ld from cctools - ;; - *) export GUIX_LD_WRAPPER_DISABLE_RPATH=yes ;; -esac +export GUIX_LD_WRAPPER_DISABLE_RPATH=yes # Make /usr/bin if it doesn't exist [ -e /usr/bin ] || mkdir -p /usr/bin -- cgit v1.2.3 From e8c25e8a35e333e90514945c592557615641553f Mon Sep 17 00:00:00 2001 From: fanquake Date: Fri, 10 May 2024 14:04:18 +0800 Subject: guix: drop binutils from macOS env --- contrib/guix/manifest.scm | 1 - 1 file changed, 1 deletion(-) (limited to 'contrib') diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm index 38ff08b699..40500ccb88 100644 --- a/contrib/guix/manifest.scm +++ b/contrib/guix/manifest.scm @@ -532,7 +532,6 @@ inspecting signatures in Mach-O binaries.") ((string-contains target "darwin") (list ;; Native GCC 11 toolchain gcc-toolchain-11 - binutils clang-toolchain-17 lld-17 (make-lld-wrapper lld-17 #:lld-as-ld? #t) -- cgit v1.2.3
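Review bot: The unconditional `export GUIX_LD_WRAPPER_DISABLE_RPATH=yes` drops the deleted explanation of why darwin previously needed the auto-rpath behaviour (native depends tools linking against Guix-built libraries) without saying why that constraint no longer holds, and the commit title does not say either. Presumably it follows from the earlier commits in this series that replace cctools with lld, but that is an inference from the series rather than from this hunk. A one-line comment on the `export`, such as `# Disable Guix ld auto-rpath for every host; darwin no longer relies on it now that the macOS toolchain is LLVM-based`, would keep the rationale with the code.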