doc/README_osx.md
Deterministic OS X DMG Notes. | Deterministic macOS DMG Notes. | ||||
Working OS X DMGs are created in Linux by combining a recent clang, | Working macOS DMGs are created in Linux by combining a recent clang, | ||||
the Apple binutils (ld, ar, etc) and DMG authoring tools. | the Apple binutils (ld, ar, etc) and DMG authoring tools. | ||||
Apple uses clang extensively for development and has upstreamed the necessary | Apple uses clang extensively for development and has upstreamed the necessary | ||||
functionality so that a vanilla clang can take advantage. It supports the use | functionality so that a vanilla clang can take advantage. It supports the use | ||||
of -F, -target, -mmacosx-version-min, and --sysroot, which are all necessary | of -F, -target, -mmacosx-version-min, and --sysroot, which are all necessary | ||||
when building for OS X. | when building for macOS. | ||||
Apple's version of binutils (called cctools) contains lots of functionality | Apple's version of binutils (called cctools) contains lots of functionality | ||||
missing in the FSF's binutils. In addition to extra linker options for | missing in the FSF's binutils. In addition to extra linker options for | ||||
frameworks and sysroots, several other tools are needed as well such as | frameworks and sysroots, several other tools are needed as well such as | ||||
install_name_tool, lipo, and nmedit. These do not build under linux, so they | install_name_tool, lipo, and nmedit. These do not build under linux, so they | ||||
have been patched to do so. The work here was used as a starting point: | have been patched to do so. The work here was used as a starting point: | ||||
[mingwandroid/toolchain4](https://github.com/mingwandroid/toolchain4). | [mingwandroid/toolchain4](https://github.com/mingwandroid/toolchain4). | ||||
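Review bot: the unchanged sentence "These do not build under linux" in this hunk spells the name in lower case, while the first paragraph has "created in Linux"; since this patch is a naming clean-up of the file, capitalise it here as well. The file is still named doc/README_osx.md, so state in the commit message whether renaming the path is deliberately left out, so that the mismatch between the title and the file name is not read as an oversight.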
Show All 15 Lines | |||||
needed: | needed: | ||||
``` | ``` | ||||
Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk | Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk | ||||
``` | ``` | ||||
Unfortunately, the usual linux tools (7zip, hpmount, loopback mount) are incapable of opening this file. | Unfortunately, the usual linux tools (7zip, hpmount, loopback mount) are incapable of opening this file. | ||||
To create a tarball suitable for Gitian input, there are two options: | To create a tarball suitable for Gitian input, there are two options: | ||||
Using Mac OS X, you can mount the dmg, and then create it with: | Using macOS, you can mount the dmg, and then create it with: | ||||
``` | ``` | ||||
$ hdiutil attach Xcode_7.3.1.dmg | $ hdiutil attach Xcode_7.3.1.dmg | ||||
$ tar -C /Volumes/Xcode/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/ -czf MacOSX10.11.sdk.tar.gz MacOSX10.11.sdk | $ tar -C /Volumes/Xcode/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/ -czf MacOSX10.11.sdk.tar.gz MacOSX10.11.sdk | ||||
``` | ``` | ||||
Alternatively, you can use 7zip and SleuthKit to extract the files one by one. | Alternatively, you can use 7zip and SleuthKit to extract the files one by one. | ||||
The script contrib/macdeploy/extract-osx-sdk.sh automates this. First ensure | The script contrib/macdeploy/extract-osx-sdk.sh automates this. First ensure | ||||
the dmg file is in the current directory, and then run the script. You may wish | the dmg file is in the current directory, and then run the script. You may wish | ||||
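Review bot: on the changed line "Using macOS, you can mount the dmg, and then create it with:", the pronoun "it" has no clear antecedent, because the nearest noun is the dmg rather than the tarball. While the line is being edited, write "create the tarball with:". Leaving MacOSX10.11.sdk and contrib/macdeploy/extract-osx-sdk.sh unrenamed is correct, since those are real file names.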
Show All 26 Lines | |||||
The 'dmg' tool has the ability to create DMGs from scratch as well, but this | The 'dmg' tool has the ability to create DMGs from scratch as well, but this | ||||
functionality is broken. Only the compression feature is currently used. | functionality is broken. Only the compression feature is currently used. | ||||
Ideally, the creation could be fixed and genisoimage would no longer be necessary. | Ideally, the creation could be fixed and genisoimage would no longer be necessary. | ||||
Background images and other features can be added to DMG files by inserting a | Background images and other features can be added to DMG files by inserting a | ||||
.DS_Store before creation. This is generated by the script | .DS_Store before creation. This is generated by the script | ||||
contrib/macdeploy/custom_dsstore.py. | contrib/macdeploy/custom_dsstore.py. | ||||
As of OS X Mavericks (10.9), using an Apple-blessed key to sign binaries is a | As of OS X 10.9 Mavericks, using an Apple-blessed key to sign binaries is a | ||||
requirement in order to satisfy the new Gatekeeper requirements. Because this | requirement in order to satisfy the new Gatekeeper requirements. Because this | ||||
private key cannot be shared, we'll have to be a bit creative in order for the | private key cannot be shared, we'll have to be a bit creative in order for the | ||||
build process to remain somewhat deterministic. Here's how it works: | build process to remain somewhat deterministic. Here's how it works: | ||||
- Builders use Gitian to create an unsigned release. This outputs an unsigned | - Builders use Gitian to create an unsigned release. This outputs an unsigned | ||||
dmg which users may choose to bless and run. It also outputs an unsigned app | dmg which users may choose to bless and run. It also outputs an unsigned app | ||||
structure in the form of a tarball, which also contains all of the tools | structure in the form of a tarball, which also contains all of the tools | ||||
that have been previously (deterministically) built in order to create a | that have been previously (deterministically) built in order to create a | ||||
final dmg. | final dmg. | ||||
- The Apple keyholder uses this unsigned app to create a detached signature, | - The Apple keyholder uses this unsigned app to create a detached signature, | ||||
using the script that is also included there. Detached signatures are available from this [repository](https://github.com/bitcoin-core/bitcoin-detached-sigs). | using the script that is also included there. Detached signatures are available from this [repository](https://github.com/bitcoin-core/bitcoin-detached-sigs). | ||||
- Builders feed the unsigned app + detached signature back into Gitian. It | - Builders feed the unsigned app + detached signature back into Gitian. It | ||||
uses the pre-built tools to recombine the pieces into a deterministic dmg. | uses the pre-built tools to recombine the pieces into a deterministic dmg. |
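Review bot: the Mavericks line is the one changed line that keeps "OS X" ("As of OS X 10.9 Mavericks") while the other changed lines in this patch move to macOS. That matches the name the 10.9 release shipped under, but say so in the commit message so a later search-and-replace does not flatten it. The same sentence reads "a requirement in order to satisfy the new Gatekeeper requirements"; rewording it to "is required by Gatekeeper" would remove the repetition.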