Changeset View
Changeset View
Standalone View
Standalone View
contrib/macdeploy/README.md
### MacDeploy ### | # MacOS Deployment | ||||
For Snow Leopard (which uses [Python 2.6](http://www.python.org/download/releases/2.6/)), you will need the param_parser package: | The `macdeployqtplus` script should not be run manually. Instead, after building as usual: | ||||
sudo easy_install argparse | ```bash | ||||
ninja osx-dmg | |||||
``` | |||||
This script should not be run manually, instead, after building as usual: | During the deployment process, the disk image window will pop up briefly | ||||
when the fancy settings are applied. This is normal, please do not interfere, | |||||
the process will unmount the DMG and cleanup before finishing. | |||||
make deploy | When complete, it will have produced `Bitcoin-ABC.dmg`. | ||||
During the process, the disk image window will pop up briefly where the fancy | ## SDK Extraction | ||||
settings are applied. This is normal, please do not interfere. | |||||
When finished, it will produce `Bitcoin-Core.dmg`. | `Xcode.app` is packaged in a `.xip` archive. | ||||
This makes the SDK less-trivial to extract on non-macOS machines. | |||||
One approach (tested on Debian Buster) is outlined below: | |||||
```bash | |||||
apt install clang cpio git liblzma-dev libxml2-dev libssl-dev make | |||||
git clone https://github.com/tpoechtrager/xar | |||||
pushd xar/xar | |||||
./configure | |||||
make | |||||
make install | |||||
popd | |||||
git clone https://github.com/NiklasRosenstein/pbzx | |||||
pushd pbzx | |||||
clang -llzma -lxar pbzx.c -o pbzx -Wl,-rpath=/usr/local/lib | |||||
popd | |||||
xar -xf Xcode_10.2.1.xip -C . | |||||
./pbzx/pbzx -n Content | cpio -i | |||||
find Xcode.app -type d -name MacOSX.sdk -execdir sh -c 'tar -c MacOSX.sdk/ | gzip -9n > /MacOSX10.14.sdk.tar.gz' \; | |||||
``` | |||||
on macOS the process is more straightforward: | |||||
```bash | |||||
xip -x Xcode_10.2.1.xip | |||||
tar -C Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/ -czf MacOSX10.14.sdk.tar.gz MacOSX.sdk | |||||
``` | |||||
Our previously used macOS SDK (`MacOSX10.11.sdk`) can be extracted from | |||||
[Xcode 7.3.1 dmg](https://developer.apple.com/devcenter/download.action?path=/Developer_Tools/Xcode_7.3.1/Xcode_7.3.1.dmg). | |||||
The script [`extract-osx-sdk.sh`](./extract-osx-sdk.sh) automates this. First | |||||
ensure the DMG file is in the current directory, and then run the script. You | |||||
may wish to delete the `intermediate 5.hfs` file and `MacOSX10.11.sdk` (the | |||||
directory) when you've confirmed the extraction succeeded. | |||||
```bash | |||||
apt-get install p7zip-full sleuthkit | |||||
contrib/macdeploy/extract-osx-sdk.sh | |||||
rm -rf 5.hfs MacOSX10.11.sdk | |||||
``` | |||||
## Deterministic macOS DMG Notes | |||||
Working macOS DMGs are created in Linux by combining a recent `clang`, the Apple | |||||
`binutils` (`ld`, `ar`, etc) and DMG authoring tools. | |||||
Apple uses `clang` extensively for development and has upstreamed the necessary | |||||
functionality so that a vanilla clang can take advantage. It supports the use of `-F`, | |||||
`-target`, `-mmacosx-version-min`, and `--sysroot`, which are all necessary when | |||||
building for macOS. | |||||
Apple's version of `binutils` (called `cctools`) contains lots of functionality missing in the | |||||
FSF's `binutils`. In addition to extra linker options for frameworks and sysroots, several | |||||
other tools are needed as well such as `install_name_tool`, `lipo`, and `nmedit`. These | |||||
do not build under Linux, so they have been patched to do so. The work here was used as | |||||
a starting point: [mingwandroid/toolchain4](https://github.com/mingwandroid/toolchain4). | |||||
In order to build a working toolchain, the following source packages are needed from | |||||
Apple: `cctools`, `dyld`, and `ld64`. | |||||
These tools inject timestamps by default, which produce non-deterministic binaries. The | |||||
`ZERO_AR_DATE` environment variable is used to disable that. | |||||
This version of `cctools` has been patched to use the current version of `clang`'s headers | |||||
and its `libLTO.so` rather than those from `llvmgcc`, as it was originally done in `toolchain4`. | |||||
To complicate things further, all builds must target an Apple SDK. These SDKs are free to | |||||
download, but not redistributable. To obtain it, register for an Apple Developer Account, | |||||
then download [Xcode 10.2.1](https://download.developer.apple.com/Developer_Tools/Xcode_10.2.1/Xcode_10.2.1.xip). | |||||
This file is many gigabytes in size, but most (but not all) of what we need is | |||||
contained only in a single directory: | |||||
```bash | |||||
Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.14.sdk | |||||
``` | |||||
See the SDK Extraction notes above for how to obtain it. | |||||
The Gitian descriptors build 2 sets of files: Linux tools, then Apple binaries which are | |||||
created using these tools. The build process has been designed to avoid including the | |||||
SDK's files in Gitian's outputs. All interim tarballs are fully deterministic and may be freely | |||||
redistributed. | |||||
`genisoimage` is used to create the initial DMG. It is not deterministic as-is, so it has been | |||||
patched. A system `genisoimage` will work fine, but it will not be deterministic because | |||||
the file-order will change between invocations. The patch can be seen here: [cdrkit-deterministic.patch](https://github.com/bitcoin/bitcoin/blob/master/depends/patches/native_cdrkit/cdrkit-deterministic.patch). | |||||
No effort was made to fix this cleanly, so it likely leaks memory badly, however it's only used for | |||||
a single invocation, so that's no real concern. | |||||
`genisoimage` cannot compress DMGs, so afterwards, the DMG tool from the | |||||
`libdmg-hfsplus` project is used to compress it. There are several bugs in this tool and its | |||||
maintainer has seemingly abandoned the project. | |||||
The DMG tool has the ability to create DMGs from scratch as well, but this functionality is | |||||
broken. Only the compression feature is currently used. Ideally, the creation could be fixed | |||||
and `genisoimage` would no longer be necessary. | |||||
Background images and other features can be added to DMG files by inserting a | |||||
`.DS_Store` before creation. This is generated by the script `contrib/macdeploy/custom_dsstore.py`. | |||||
As of OS X 10.9 Mavericks, using an Apple-blessed key to sign binaries is a requirement in | |||||
order to satisfy the new Gatekeeper requirements. Because this private key cannot be | |||||
shared, we'll have to be a bit creative in order for the build process to remain somewhat | |||||
deterministic. Here's how it works: | |||||
- Builders use Gitian to create an unsigned release. This outputs an unsigned DMG which | |||||
users may choose to bless and run. It also outputs an unsigned app structure in the form | |||||
of a tarball, which also contains all of the tools that have been previously (deterministically) | |||||
built in order to create a final DMG. | |||||
- The Apple keyholder uses this unsigned app to create a detached signature, using the | |||||
script that is also included there. Detached signatures are available from this [repository](https://github.com/bitcoin-core/bitcoin-detached-sigs). | |||||
- Builders feed the unsigned app + detached signature back into Gitian. It uses the | |||||
pre-built tools to recombine the pieces into a deterministic DMG. |