diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py index 106b6ca699..a43b34d3a3 100755 --- a/contrib/devtools/test-security-check.py +++ b/contrib/devtools/test-security-check.py @@ -1,96 +1,83 @@ #!/usr/bin/env python3 # Copyright (c) 2015-2017 The Bitcoin Core developers # Distributed under the MIT software license, see the accompanying # file COPYING or http://www.opensource.org/licenses/mit-license.php. ''' Test script for security-check.py ''' import subprocess import unittest def write_testcode(filename): with open(filename, 'w', encoding="utf8") as f: f.write(''' #include int main() { printf("the quick brown fox jumps over the lazy god\\n"); return 0; } ''') def call_security_check(cc, source, executable, options): subprocess.check_call([cc, source, '-o', executable] + options) p = subprocess.Popen(['./security-check.py', executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True) (stdout, stderr) = p.communicate() return (p.returncode, stdout.rstrip()) class TestSecurityChecks(unittest.TestCase): def test_ELF(self): source = 'test1.c' executable = 'test1' cc = 'gcc' write_testcode(source) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack', '-fno-stack-protector', '-Wl,-znorelro', '-no-pie', '-fno-PIE']), (1, executable + ': failed PIE NX RELRO Canary')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fno-stack-protector', '-Wl,-znorelro', '-no-pie', '-fno-PIE']), (1, executable + ': failed PIE RELRO Canary')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fstack-protector-all', '-Wl,-znorelro', '-no-pie', '-fno-PIE']), (1, executable + ': failed PIE RELRO')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fstack-protector-all', '-Wl,-znorelro', '-pie', '-fPIE']), (1, executable + ': failed RELRO')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack', '-fstack-protector-all', '-Wl,-zrelro', '-Wl,-z,now', '-pie', '-fPIE']), (0, '')) - def test_32bit_PE(self): - source = 'test1.c' - executable = 'test1.exe' - cc = 'i686-w64-mingw32-gcc' - write_testcode(source) - - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat', '-Wl,--no-dynamicbase']), - (1, executable + ': failed DYNAMIC_BASE NX')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat', '-Wl,--no-dynamicbase']), - (1, executable + ': failed DYNAMIC_BASE')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat', '-Wl,--dynamicbase']), - (0, '')) - def test_64bit_PE(self): source = 'test1.c' executable = 'test1.exe' cc = 'x86_64-w64-mingw32-gcc' write_testcode(source) self.assertEqual( call_security_check( cc, source, executable, ['-Wl,--no-nxcompat', '-Wl,--no-dynamicbase', '-Wl,--no-high-entropy-va']), (1, executable + ': failed DYNAMIC_BASE HIGH_ENTROPY_VA NX')) self.assertEqual( call_security_check( cc, source, executable, ['-Wl,--nxcompat', '-Wl,--no-dynamicbase', '-Wl,--no-high-entropy-va']), (1, executable + ': failed DYNAMIC_BASE HIGH_ENTROPY_VA')) self.assertEqual( call_security_check( cc, source, executable, [ '-Wl,--nxcompat', '-Wl,--dynamicbase', '-Wl,--no-high-entropy-va']), (1, executable + ': failed HIGH_ENTROPY_VA')) self.assertEqual( call_security_check( cc, source, executable, [ '-Wl,--nxcompat', '-Wl,--dynamicbase', '-Wl,--high-entropy-va']), (0, '')) if __name__ == '__main__': unittest.main() diff --git a/contrib/gitian-build.py b/contrib/gitian-build.py index 33057fb25d..bb616ee5b9 100755 --- a/contrib/gitian-build.py +++ b/contrib/gitian-build.py @@ -1,314 +1,312 @@ #!/usr/bin/env python3 import argparse import multiprocessing import os import subprocess import sys def setup(): global args, workdir programs = ['ruby', 'git', 'apt-cacher-ng', 'make', 'wget'] if args.kvm: programs += ['python-vm-builder', 'qemu-kvm', 'qemu-utils'] elif args.docker: dockers = ['docker.io', 'docker-ce'] for i in dockers: return_code = subprocess.call( ['sudo', 'apt-get', 'install', '-qq', i]) if return_code == 0: break if return_code != 0: print('Cannot find any way to install docker', file=sys.stderr) exit(1) else: programs += ['lxc', 'debootstrap'] subprocess.check_call(['sudo', 'apt-get', 'install', '-qq'] + programs) if not os.path.isdir('gitian-builder'): subprocess.check_call( ['git', 'clone', 'https://github.com/devrandom/gitian-builder.git']) if not os.path.isdir('bitcoin-abc'): subprocess.check_call( ['git', 'clone', 'https://github.com/Bitcoin-ABC/bitcoin-abc.git']) os.chdir('gitian-builder') make_image_prog = ['bin/make-base-vm', '--suite', 'bionic', '--arch', 'amd64'] if args.docker: make_image_prog += ['--docker'] elif not args.kvm: make_image_prog += ['--lxc'] subprocess.check_call(make_image_prog) os.chdir(workdir) if args.is_bionic and not args.kvm and not args.docker: subprocess.check_call( ['sudo', 'sed', '-i', 's/lxcbr0/br0/', '/etc/default/lxc-net']) print('Reboot is required') exit(0) def build(): global args, workdir base_output_dir = 'bitcoin-binaries/' + args.version os.makedirs(base_output_dir + '/src', exist_ok=True) print('\nBuilding Dependencies\n') os.chdir('gitian-builder') os.makedirs('inputs', exist_ok=True) subprocess.check_call(['make', '-C', '../bitcoin-abc/depends', 'download', 'SOURCES_PATH=' + os.getcwd() + '/cache/common']) output_dir_src = '../' + base_output_dir + '/src' if args.linux: print('\nCompiling ' + args.version + ' Linux') subprocess.check_call(['bin/gbuild', '-j', args.jobs, '-m', args.memory, '--commit', 'bitcoin=' + args.commit, '--url', 'bitcoin=' + args.url, '../bitcoin-abc/contrib/gitian-descriptors/gitian-linux.yml']) subprocess.check_call(['bin/gsign', '-p', args.sign_prog, '--signer', args.signer, '--release', args.version + '-linux', '--destination', '../gitian.sigs/', '../bitcoin-abc/contrib/gitian-descriptors/gitian-linux.yml']) output_dir_linux = '../' + base_output_dir + '/linux' os.makedirs(output_dir_linux, exist_ok=True) subprocess.check_call( 'mv build/out/bitcoin-*.tar.gz ' + output_dir_linux, shell=True) subprocess.check_call( 'mv build/out/src/bitcoin-*.tar.gz ' + output_dir_src, shell=True) subprocess.check_call( 'mv result/bitcoin-*-linux-res.yml ' + output_dir_linux, shell=True) if args.windows: print('\nCompiling ' + args.version + ' Windows') subprocess.check_call(['bin/gbuild', '-j', args.jobs, '-m', args.memory, '--commit', 'bitcoin=' + args.commit, '--url', 'bitcoin=' + args.url, '../bitcoin-abc/contrib/gitian-descriptors/gitian-win.yml']) subprocess.check_call(['bin/gsign', '-p', args.sign_prog, '--signer', args.signer, '--release', args.version + '-win-unsigned', '--destination', '../gitian.sigs/', '../bitcoin-abc/contrib/gitian-descriptors/gitian-win.yml']) output_dir_win = '../' + base_output_dir + '/win' os.makedirs(output_dir_win, exist_ok=True) subprocess.check_call( 'mv build/out/bitcoin-*-win-unsigned.tar.gz inputs/', shell=True) subprocess.check_call( 'mv build/out/bitcoin-*.zip build/out/bitcoin-*.exe ' + output_dir_win, shell=True) subprocess.check_call( 'mv build/out/src/bitcoin-*.tar.gz ' + output_dir_src, shell=True) subprocess.check_call( 'mv result/bitcoin-*-win-res.yml ' + output_dir_win, shell=True) if args.macos: print('\nCompiling ' + args.version + ' MacOS') subprocess.check_call(['bin/gbuild', '-j', args.jobs, '-m', args.memory, '--commit', 'bitcoin=' + args.commit, '--url', 'bitcoin=' + args.url, '../bitcoin-abc/contrib/gitian-descriptors/gitian-osx.yml']) subprocess.check_call(['bin/gsign', '-p', args.sign_prog, '--signer', args.signer, '--release', args.version + '-osx-unsigned', '--destination', '../gitian.sigs/', '../bitcoin-abc/contrib/gitian-descriptors/gitian-osx.yml']) output_dir_osx = '../' + base_output_dir + '/osx' os.makedirs(output_dir_osx, exist_ok=True) subprocess.check_call( 'mv build/out/bitcoin-*-osx-unsigned.tar.gz inputs/', shell=True) subprocess.check_call( 'mv build/out/bitcoin-*.tar.gz build/out/bitcoin-*.dmg ' + output_dir_osx, shell=True) subprocess.check_call( 'mv build/out/src/bitcoin-*.tar.gz ' + output_dir_src, shell=True) subprocess.check_call( 'mv result/bitcoin-*-osx-res.yml ' + output_dir_osx, shell=True) os.chdir(workdir) if args.commit_files: print('\nCommitting ' + args.version + ' Unsigned Sigs\n') os.chdir('gitian.sigs') subprocess.check_call( ['git', 'add', args.version + '-linux/' + args.signer]) subprocess.check_call( ['git', 'add', args.version + '-win-unsigned/' + args.signer]) subprocess.check_call( ['git', 'add', args.version + '-osx-unsigned/' + args.signer]) subprocess.check_call( ['git', 'commit', '-m', 'Add ' + args.version + ' unsigned sigs for ' + args.signer]) os.chdir(workdir) def sign(): global args, workdir os.chdir('gitian-builder') if args.windows: print('\nSigning ' + args.version + ' Windows') subprocess.check_call('cp inputs/bitcoin-' + args.version + '-win-unsigned.tar.gz inputs/bitcoin-win-unsigned.tar.gz', shell=True) subprocess.check_call(['bin/gbuild', '-i', '--commit', 'signature=' + args.commit, '../bitcoin-abc/contrib/gitian-descriptors/gitian-win-signer.yml']) subprocess.check_call(['bin/gsign', '-p', args.sign_prog, '--signer', args.signer, '--release', args.version + '-win-signed', '--destination', '../gitian.sigs/', '../bitcoin-abc/contrib/gitian-descriptors/gitian-win-signer.yml']) subprocess.check_call( 'mv build/out/bitcoin-*win64-setup.exe ../bitcoin-binaries/' + args.version, shell=True) - subprocess.check_call( - 'mv build/out/bitcoin-*win32-setup.exe ../bitcoin-binaries/' + args.version, shell=True) if args.macos: print('\nSigning ' + args.version + ' MacOS') subprocess.check_call('cp inputs/bitcoin-' + args.version + '-osx-unsigned.tar.gz inputs/bitcoin-osx-unsigned.tar.gz', shell=True) subprocess.check_call(['bin/gbuild', '-i', '--commit', 'signature=' + args.commit, '../bitcoin-abc/contrib/gitian-descriptors/gitian-osx-signer.yml']) subprocess.check_call(['bin/gsign', '-p', args.sign_prog, '--signer', args.signer, '--release', args.version + '-osx-signed', '--destination', '../gitian.sigs/', '../bitcoin-abc/contrib/gitian-descriptors/gitian-osx-signer.yml']) subprocess.check_call('mv build/out/bitcoin-osx-signed.dmg ../bitcoin-binaries/' + args.version + '/bitcoin-' + args.version + '-osx.dmg', shell=True) os.chdir(workdir) if args.commit_files: print('\nCommitting ' + args.version + ' Signed Sigs\n') os.chdir('gitian.sigs') subprocess.check_call( ['git', 'add', args.version + '-win-signed/' + args.signer]) subprocess.check_call( ['git', 'add', args.version + '-osx-signed/' + args.signer]) subprocess.check_call(['git', 'commit', '-a', '-m', 'Add ' + args.version + ' signed binary sigs for ' + args.signer]) os.chdir(workdir) def verify(): global args, workdir os.chdir('gitian-builder') print('\nVerifying v' + args.version + ' Linux\n') subprocess.check_call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version + '-linux', '../bitcoin-abc/contrib/gitian-descriptors/gitian-linux.yml']) print('\nVerifying v' + args.version + ' Windows\n') subprocess.check_call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version + '-win-unsigned', '../bitcoin-abc/contrib/gitian-descriptors/gitian-win.yml']) print('\nVerifying v' + args.version + ' MacOS\n') subprocess.check_call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version + '-osx-unsigned', '../bitcoin-abc/contrib/gitian-descriptors/gitian-osx.yml']) print('\nVerifying v' + args.version + ' Signed Windows\n') subprocess.check_call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version + '-win-signed', '../bitcoin-abc/contrib/gitian-descriptors/gitian-win-signer.yml']) print('\nVerifying v' + args.version + ' Signed MacOS\n') subprocess.check_call(['bin/gverify', '-v', '-d', '../gitian.sigs/', '-r', args.version + '-osx-signed', '../bitcoin-abc/contrib/gitian-descriptors/gitian-osx-signer.yml']) os.chdir(workdir) def main(): global args, workdir num_cpus = multiprocessing.cpu_count() parser = argparse.ArgumentParser(usage='%(prog)s [options] signer version') parser.add_argument('-c', '--commit', action='store_true', dest='commit', help='Indicate that the version argument is for a commit or branch') parser.add_argument('-p', '--pull', action='store_true', dest='pull', help='Indicate that the version argument is the number of a github repository pull request') parser.add_argument('-u', '--url', dest='url', default='https://github.com/Bitcoin-ABC/bitcoin-abc.git', help='Specify the URL of the repository. Default is %(default)s') parser.add_argument('-v', '--verify', action='store_true', dest='verify', help='Verify the Gitian build') parser.add_argument('-b', '--build', action='store_true', dest='build', help='Do a Gitian build') parser.add_argument('-s', '--sign', action='store_true', dest='sign', help='Make signed binaries for Windows and MacOS') parser.add_argument('-B', '--buildsign', action='store_true', dest='buildsign', help='Build both signed and unsigned binaries') parser.add_argument('-o', '--os', dest='os', default='lwm', help='Specify which Operating Systems the build is for. Default is %(default)s. l for Linux, w for Windows, m for MacOS') parser.add_argument('-j', '--jobs', dest='jobs', default=str(num_cpus), help='Number of processes to use. Default %(default)s') parser.add_argument('-m', '--memory', dest='memory', default='3500', help='Memory to allocate in MiB. Default %(default)s') parser.add_argument('-k', '--kvm', action='store_true', dest='kvm', help='Use KVM instead of LXC') parser.add_argument('-d', '--docker', action='store_true', dest='docker', help='Use Docker instead of LXC') parser.add_argument('-S', '--setup', action='store_true', dest='setup', help='Set up the Gitian building environment. Uses LXC. If you want to use KVM, use the --kvm option. Only works on Debian-based systems (Ubuntu, Debian)') parser.add_argument('-D', '--detach-sign', action='store_true', dest='detach_sign', help='Create the assert file for detached signing. Will not commit anything.') parser.add_argument('-n', '--no-commit', action='store_false', dest='commit_files', help='Do not commit anything to git') parser.add_argument( 'signer', help='GPG signer to sign each build assert file') parser.add_argument( 'version', help='Version number, commit, or branch to build. If building a commit or branch, the -c option must be specified') args = parser.parse_args() workdir = os.getcwd() args.linux = 'l' in args.os args.windows = 'w' in args.os args.macos = 'm' in args.os args.is_bionic = b'bionic' in subprocess.check_output( ['lsb_release', '-cs']) if args.buildsign: args.build = True args.sign = True if args.kvm and args.docker: raise Exception('Error: cannot have both kvm and docker') args.sign_prog = 'true' if args.detach_sign else 'gpg --detach-sign' # Set environment variable USE_LXC or USE_DOCKER, let gitian-builder know # that we use lxc or docker if args.docker: os.environ['USE_DOCKER'] = '1' elif not args.kvm: os.environ['USE_LXC'] = '1' if 'GITIAN_HOST_IP' not in os.environ.keys(): os.environ['GITIAN_HOST_IP'] = '10.0.3.1' if 'LXC_GUEST_IP' not in os.environ.keys(): os.environ['LXC_GUEST_IP'] = '10.0.3.5' # Disable for MacOS if no SDK found if args.macos and not os.path.isfile( 'gitian-builder/inputs/MacOSX10.14.sdk.tar.gz'): print('Cannot build for MacOS, SDK does not exist. Will build for other OSes') args.macos = False script_name = os.path.basename(sys.argv[0]) # Signer and version shouldn't be empty if args.signer == '': print(script_name + ': Missing signer.') print('Try ' + script_name + ' --help for more information') exit(1) if args.version == '': print(script_name + ': Missing version.') print('Try ' + script_name + ' --help for more information') exit(1) # Add leading 'v' for tags if args.commit and args.pull: raise Exception('Cannot have both commit and pull') args.commit = ('' if args.commit else 'v') + args.version if args.setup: setup() os.chdir('bitcoin-abc') if args.pull: subprocess.check_call( ['git', 'fetch', args.url, 'refs/pull/' + args.version + '/merge']) os.chdir('../gitian-builder/inputs/bitcoin') subprocess.check_call( ['git', 'fetch', args.url, 'refs/pull/' + args.version + '/merge']) args.commit = subprocess.check_output( ['git', 'show', '-s', '--format=%H', 'FETCH_HEAD'], universal_newlines=True, encoding='utf8').strip() args.version = 'pull-' + args.version print(args.commit) subprocess.check_call(['git', 'fetch']) subprocess.check_call(['git', 'checkout', args.commit]) os.chdir(workdir) if args.build: build() if args.sign: sign() if args.verify: verify() if __name__ == '__main__': main() diff --git a/contrib/gitian-descriptors/gitian-win.yml b/contrib/gitian-descriptors/gitian-win.yml index c916ad6800..ddcec8490f 100644 --- a/contrib/gitian-descriptors/gitian-win.yml +++ b/contrib/gitian-descriptors/gitian-win.yml @@ -1,217 +1,213 @@ --- name: "bitcoin-abc-win" enable_cache: true distro: "debian" suites: - "buster" architectures: - "amd64" packages: - "autoconf" - "automake" - "bsdmainutils" - "ca-certificates" - "cmake" - "curl" - "faketime" - "g++" - "g++-mingw-w64" - "git" - "libtool" - "ninja-build" - "mingw-w64" - "nsis" - "pkg-config" - "python3" - "zip" # FIXME: these dependencies are only required to make CMake happy when building # native tools. They can be removed when the `NativeExecutable.cmake` gets # improved to avoid requiring all the bitcoin-abc dependencies. - "libboost-all-dev" - "libevent-dev" - "libssl-dev" remotes: - "url": "https://github.com/Bitcoin-ABC/bitcoin-abc.git" "dir": "bitcoin" files: [] script: | WRAP_DIR=$HOME/wrapped - HOSTS="i686-w64-mingw32 x86_64-w64-mingw32" + HOSTS="x86_64-w64-mingw32" # CMake toolchain file name differ from host name declare -A CMAKE_TOOLCHAIN_FILE - CMAKE_TOOLCHAIN_FILE[i686-w64-mingw32]=Win32.cmake CMAKE_TOOLCHAIN_FILE[x86_64-w64-mingw32]=Win64.cmake INSTALL_COMPONENTS="bitcoind bitcoin-qt" FAKETIME_HOST_PROGS="ar ranlib nm windres strip objcopy" FAKETIME_PROGS="date makensis zip" HOST_CFLAGS="-O2 -g" HOST_CXXFLAGS="-O2 -g" export QT_RCC_TEST=1 export QT_RCC_SOURCE_DATE_OVERRIDE=1 export GZIP="-9n" export TAR_OPTIONS="--mtime="$REFERENCE_DATE\\\ $REFERENCE_TIME"" export TZ="UTC" export BUILD_DIR=`pwd` mkdir -p ${WRAP_DIR} if test -n "$GBUILD_CACHE_ENABLED"; then export SOURCES_PATH=${GBUILD_COMMON_CACHE} export BASE_CACHE=${GBUILD_PACKAGE_CACHE} mkdir -p ${BASE_CACHE} ${SOURCES_PATH} fi function create_global_faketime_wrappers { for prog in ${FAKETIME_PROGS}; do echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${prog} echo "REAL=\`which -a ${prog} | grep -v ${WRAP_DIR}/${prog} | head -1\`" >> ${WRAP_DIR}/${prog} echo 'export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1' >> ${WRAP_DIR}/${prog} echo "export FAKETIME=\"$1\"" >> ${WRAP_DIR}/${prog} echo "\$REAL \$@" >> $WRAP_DIR/${prog} chmod +x ${WRAP_DIR}/${prog} done } function create_per-host_faketime_wrappers { for i in $HOSTS; do for prog in ${FAKETIME_HOST_PROGS}; do echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${i}-${prog} echo "REAL=\`which -a ${i}-${prog} | grep -v ${WRAP_DIR}/${i}-${prog} | head -1\`" >> ${WRAP_DIR}/${i}-${prog} echo 'export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1' >> ${WRAP_DIR}/${i}-${prog} echo "export FAKETIME=\"$1\"" >> ${WRAP_DIR}/${i}-${prog} echo "\$REAL \$@" >> $WRAP_DIR/${i}-${prog} chmod +x ${WRAP_DIR}/${i}-${prog} done done } function create_per-host_linker_wrapper { # This is only needed for trusty, as the mingw linker leaks a few bytes of # heap, causing non-determinism. See discussion in https://github.com/bitcoin/bitcoin/pull/6900 for i in $HOSTS; do mkdir -p ${WRAP_DIR}/${i} for prog in collect2; do echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${i}/${prog} REAL=$(${i}-gcc -print-prog-name=${prog}) echo "export MALLOC_PERTURB_=255" >> ${WRAP_DIR}/${i}/${prog} echo "${REAL} \$@" >> $WRAP_DIR/${i}/${prog} chmod +x ${WRAP_DIR}/${i}/${prog} done for prog in gcc g++; do echo '#!/usr/bin/env bash' > ${WRAP_DIR}/${i}-${prog} echo "REAL=\`which -a ${i}-${prog}-posix | grep -v ${WRAP_DIR}/${i}-${prog} | head -1\`" >> ${WRAP_DIR}/${i}-${prog} echo 'export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1' >> ${WRAP_DIR}/${i}-${prog} echo "export FAKETIME=\"$1\"" >> ${WRAP_DIR}/${i}-${prog} echo "export COMPILER_PATH=${WRAP_DIR}/${i}" >> ${WRAP_DIR}/${i}-${prog} echo "\$REAL \$@" >> $WRAP_DIR/${i}-${prog} chmod +x ${WRAP_DIR}/${i}-${prog} done done } # Faketime for depends so intermediate results are comparable export PATH_orig=${PATH} create_global_faketime_wrappers "2000-01-01 12:00:00" create_per-host_faketime_wrappers "2000-01-01 12:00:00" create_per-host_linker_wrapper "2000-01-01 12:00:00" export PATH=${WRAP_DIR}:${PATH} cd bitcoin SOURCEDIR=`pwd` BASEPREFIX=`pwd`/depends # Build dependencies for each host for i in $HOSTS; do make ${MAKEOPTS} -C ${BASEPREFIX} HOST="${i}" done # Faketime for binaries export PATH=${PATH_orig} create_global_faketime_wrappers "${REFERENCE_DATETIME}" create_per-host_faketime_wrappers "${REFERENCE_DATETIME}" create_per-host_linker_wrapper "${REFERENCE_DATETIME}" export PATH=${WRAP_DIR}:${PATH} mkdir -p source_package pushd source_package cmake -GNinja .. \ -DBUILD_BITCOIN_WALLET=OFF \ -DBUILD_BITCOIN_ZMQ=OFF \ -DBUILD_BITCOIN_SEEDER=OFF \ -DBUILD_BITCOIN_CLI=OFF \ -DBUILD_BITCOIN_TX=OFF \ -DBUILD_BITCOIN_QT=OFF \ -DBUILD_LIBBITCOINCONSENSUS=OFF \ -DENABLE_CLANG_TIDY=OFF \ -DENABLE_QRCODE=OFF \ -DENABLE_UPNP=OFF ninja package_source SOURCEDIST=`echo bitcoin-abc-*.tar.gz` mv ${SOURCEDIST} .. popd DISTNAME=`echo ${SOURCEDIST} | sed 's/.tar.*//'` # Correct tar file order mkdir -p temp pushd temp tar xf ../$SOURCEDIST find bitcoin-abc-* | sort | tar --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ../$SOURCEDIST mkdir -p $OUTDIR/src cp ../$SOURCEDIST $OUTDIR/src popd # Allow extra cmake option to be specified for each host declare -A CMAKE_EXTRA_OPTIONS - CMAKE_EXTRA_OPTIONS[i686-w64-mingw32]="-DCPACK_PACKAGE_FILE_NAME=${DISTNAME}-win32-setup-unsigned" CMAKE_EXTRA_OPTIONS[x86_64-w64-mingw32]="-DCPACK_PACKAGE_FILE_NAME=${DISTNAME}-win64-setup-unsigned" ORIGPATH="$PATH" # Extract the release tarball into a dir for each host and build for i in ${HOSTS}; do export PATH=${BASEPREFIX}/${i}/native/bin:${WRAP_DIR}:${ORIGPATH} mkdir -p distsrc-${i} cd distsrc-${i} INSTALLPATH=`pwd`/installed/${DISTNAME} mkdir -p ${INSTALLPATH} tar --strip-components=1 -xf ../$SOURCEDIST cmake -GNinja .. \ -DCMAKE_TOOLCHAIN_FILE=${SOURCEDIR}/cmake/platforms/${CMAKE_TOOLCHAIN_FILE[${i}]} \ -DCLIENT_VERSION_IS_RELEASE=ON \ -DENABLE_CLANG_TIDY=OFF \ -DENABLE_REDUCE_EXPORTS=ON \ -DBUILD_BITCOIN_SEEDER=OFF \ -DCPACK_STRIP_FILES=ON \ -DCMAKE_INSTALL_PREFIX=${INSTALLPATH} \ -DCCACHE=OFF \ ${CMAKE_EXTRA_OPTIONS[${i}]} ninja ninja security-check for _component in ${INSTALL_COMPONENTS}; do cmake -DCOMPONENT=${_component} -P cmake_install.cmake done ninja package cp -f bitcoin-abc-*-setup-unsigned.exe ${OUTDIR}/ cd installed mkdir -p ${DISTNAME}/lib mv ${DISTNAME}/bin/*.dll ${DISTNAME}/lib/ find ${DISTNAME}/bin -type f -executable -exec ${i}-objcopy --only-keep-debug {} {}.dbg \; -exec ${i}-strip -s {} \; -exec ${i}-objcopy --add-gnu-debuglink={}.dbg {} \; find ${DISTNAME}/lib -type f -exec ${i}-objcopy --only-keep-debug {} {}.dbg \; -exec ${i}-strip -s {} \; -exec ${i}-objcopy --add-gnu-debuglink={}.dbg {} \; find ${DISTNAME} -not -name "*.dbg" -type f | sort | zip -X@ ${OUTDIR}/${DISTNAME}-${i}.zip find ${DISTNAME} -name "*.dbg" -type f | sort | zip -X@ ${OUTDIR}/${DISTNAME}-${i}-debug.zip cd ../../ rm -rf distsrc-${i} done cd $OUTDIR find . -name "*-setup-unsigned.exe" | sort | tar --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz mv ${OUTDIR}/${DISTNAME}-x86_64-*-debug.zip ${OUTDIR}/${DISTNAME}-win64-debug.zip - mv ${OUTDIR}/${DISTNAME}-i686-*-debug.zip ${OUTDIR}/${DISTNAME}-win32-debug.zip mv ${OUTDIR}/${DISTNAME}-x86_64-*.zip ${OUTDIR}/${DISTNAME}-win64.zip - mv ${OUTDIR}/${DISTNAME}-i686-*.zip ${OUTDIR}/${DISTNAME}-win32.zip diff --git a/depends/README.md b/depends/README.md index d3835100b3..9ff742951a 100644 --- a/depends/README.md +++ b/depends/README.md @@ -1,116 +1,115 @@ ### Usage To build dependencies for the current arch+OS: make To build for another arch/OS: make build- Where `` is one of the following: - linux64 - linux32 - linux-arm - linux-aarch64 - osx - - win32 - win64 For example, building the dependencies for macOS: make build-osx Note that it will use all the CPU cores available on the machine by default. This behavior can be changed by setting the `JOBS` environment variable (see below). To use the dependencies for building Bitcoin ABC, you need to set the platform file to be used by `cmake`. The platform files are located under `cmake/platforms/`. For example, cross-building for macOS (run from the project root): mkdir build_osx cd build_osx cmake -GNinja .. -DCMAKE_TOOLCHAIN_FILE=../cmake/platforms/OSX.cmake ninja No other options are needed, the paths are automatically configured. ### Install the required dependencies: Ubuntu & Debian #### Common to all arch/OS sudo apt-get install build-essential autoconf automake cmake curl git libtool ninja-build patch pkg-config python3 #### For macOS cross compilation sudo apt-get install imagemagick libbz2-dev libcap-dev librsvg2-bin libtiff-tools python3-setuptools -#### For Win32/Win64 cross compilation +#### For Win64 cross compilation - see [build-windows.md](../doc/build-windows.md#cross-compilation-for-ubuntu-and-windows-subsystem-for-linux) #### For linux cross compilation Common linux dependencies: sudo apt-get install gperf For linux 32 bits cross compilation: First add the i386 architecture to `dpkg`: sudo dpkg --add-architecture i386 sudo apt-get update Then install the dependencies: sudo apt-get install lib32stdc++-8-dev libc6-dev:i386 For linux ARM cross compilation: sudo apt-get install g++-arm-linux-gnueabihf For linux AARCH64 cross compilation: sudo apt-get install g++-aarch64-linux-gnu ### Dependency Options The following can be set when running make: make FOO=bar SOURCES_PATH: downloaded sources will be placed here BASE_CACHE: built packages will be placed here SDK_PATH: Path where sdk's can be found (used by macOS) FALLBACK_DOWNLOAD_PATH: If a source file can't be fetched, try here before giving up NO_QT: Don't download/build/cache qt and its dependencies NO_ZMQ: Don't download/build/cache packages needed for enabling zeromq NO_WALLET: Don't download/build/cache libs needed to enable the wallet NO_UPNP: Don't download/build/cache packages needed for enabling upnp DEBUG: disable some optimizations and enable more runtime checking RAPIDCHECK: build rapidcheck (experimental, requires cmake) HOST_ID_SALT: Optional salt to use when generating host package ids BUILD_ID_SALT: Optional salt to use when generating build package ids JOBS: Number of jobs to use for each package build If some packages are not built, for example by building the depends with `make NO_WALLET=1`, the appropriate options should be set when building Bitcoin ABC using these dependencies. In this example, `-DBUILD_BITCOIN_WALLET=OFF` should be passed to the `cmake` command line to ensure that the build will not fail due to missing dependencies. Additional targets: download: run 'make download' to fetch all sources without building them download-osx: run 'make download-osx' to fetch all sources needed for macOS builds download-win: run 'make download-win' to fetch all sources needed for win builds download-linux: run 'make download-linux' to fetch all sources needed for linux builds build-all: build the dependencies for all the arch/OS ### Other documentation - [description.md](description.md): General description of the depends system - [packages.md](packages.md): Steps for adding packages diff --git a/doc/build-windows.md b/doc/build-windows.md index ec5881f124..f6e52da693 100644 --- a/doc/build-windows.md +++ b/doc/build-windows.md @@ -1,186 +1,156 @@ WINDOWS BUILD NOTES ==================== Below are some notes on how to build Bitcoin ABC for Windows. The options known to work for building Bitcoin ABC on Windows are: * On Linux, using the [Mingw-w64](https://mingw-w64.org/doku.php) cross compiler tool chain. Debian Buster is recommended and is the platform used to build the Bitcoin ABC Windows release binaries. * On Windows, using [Windows Subsystem for Linux (WSL)](https://msdn.microsoft.com/commandline/wsl/about) and the Mingw-w64 cross compiler tool chain. Other options which may work, but which have not been extensively tested are (please contribute instructions): * On Windows, using a POSIX compatibility layer application such as [cygwin](http://www.cygwin.com/) or [msys2](http://www.msys2.org/). * On Windows, using a native compiler tool chain such as [Visual Studio](https://www.visualstudio.com). In any case please make sure that the compiler supports C++14. Installing Windows Subsystem for Linux --------------------------------------- With Windows 10, Microsoft has released a new feature named the [Windows Subsystem for Linux (WSL)](https://msdn.microsoft.com/commandline/wsl/about). This feature allows you to run a bash shell directly on Windows in an Ubuntu-based environment. Within this environment you can cross compile for Windows without the need for a separate Linux VM or server. Note that while WSL can be installed with other Linux variants, such as OpenSUSE, the following instructions have only been tested with Ubuntu Bionic. This feature is not supported in versions of Windows prior to Windows 10 or on Windows Server SKUs. In addition, it is available [only for 64-bit versions of Windows](https://msdn.microsoft.com/en-us/commandline/wsl/install_guide). Full instructions to install WSL are available on the above link. To install WSL on Windows 10 with Fall Creators Update installed (version >= 16215.0) do the following: 1. Enable the Windows Subsystem for Linux feature * Open the Windows Features dialog (`OptionalFeatures.exe`) * Enable 'Windows Subsystem for Linux' * Click 'OK' and restart if necessary 2. Install Ubuntu * Open Microsoft Store and search for Ubuntu or use [this link](https://www.microsoft.com/store/productId/9NBLGGH4MSV6) * Click Install 3. Complete Installation * Open a cmd prompt and type "Ubuntu" * Create a new UNIX user account (this is a separate account from your Windows account) After the bash shell is active, you can follow the instructions below, starting with the "Cross-compilation" section. Compiling the 64-bit version is recommended, but it is possible to compile the 32-bit version. Cross-compilation for Ubuntu and Windows Subsystem for Linux ------------------------------------------------------------ At the time of writing the Windows Subsystem for Linux installs Ubuntu Bionic 18.04. The steps below can be performed on Ubuntu (including in a VM) or WSL. The depends system will also work on other Linux distributions, however the commands for installing the toolchain will be different. First, install the general dependencies: sudo apt update sudo apt upgrade sudo apt install autoconf automake build-essential bsdmainutils curl git libboost-all-dev libevent-dec libssl-dev libtool ninja-build pkg-config python3 The cmake version packaged with Ubuntu Bionic is too old for building Building Bitcoin ABC. To install the latest version: sudo apt-get install apt-transport-https ca-certificates gnupg software-properties-common wget wget -O - https://apt.kitware.com/keys/kitware-archive-latest.asc 2>/dev/null | sudo apt-key add - sudo apt-add-repository 'deb https://apt.kitware.com/ubuntu/ bionic main' sudo apt update sudo apt install cmake A host toolchain (`build-essential`) is necessary because some dependency packages (such as `protobuf`) need to build host utilities that are used in the build process. See also: [dependencies.md](dependencies.md). ## Building for 64-bit Windows The first step is to install the mingw-w64 cross-compilation tool chain. Due to different Ubuntu packages for each distribution and problems with the Xenial packages the steps for each are different. Common steps to install mingw32 cross compiler tool chain: sudo apt install g++-mingw-w64-x86-64 Ubuntu Xenial 16.04 and Windows Subsystem for Linux [1](#footnote1),[2](#footnote2): sudo apt install software-properties-common sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu artful universe" sudo apt update sudo apt upgrade sudo update-alternatives --config x86_64-w64-mingw32-g++ # Set the default mingw32 g++ compiler option to posix. sudo update-alternatives --config x86_64-w64-mingw32-gcc # Set the default mingw32 gcc compiler option to posix. Ubuntu Artful 17.10 [2](#footnote2) and later, including Ubuntu Bionic on WSL: sudo update-alternatives --config x86_64-w64-mingw32-g++ # Set the default mingw32 g++ compiler option to posix. sudo update-alternatives --config x86_64-w64-mingw32-gcc # Set the default mingw32 gcc compiler option to posix. Once the toolchain is installed the build steps are common: Note that for WSL the Bitcoin ABC source path MUST be somewhere in the default mount file system, for example /usr/src/bitcoin-abc, AND not under /mnt/d/. This means you cannot use a directory that is located directly on the host Windows file system to perform the build. Acquire the source in the usual way: git clone https://github.com/Bitcoin-ABC/bitcoin-abc.git Once the source code is ready the build steps are below: PATH=$(echo "$PATH" | sed -e 's/:\/mnt.*//g') # strip out problematic Windows %PATH% imported var cd depends make build-win64 cd .. mkdir build cd build cmake -GNinja .. -DCMAKE_TOOLCHAIN_FILE=../cmake/platforms/Win64.cmake -DBUILD_BITCOIN_SEEDER=OFF # seeder not supported in Windows yet ninja -## Building for 32-bit Windows - -To build executables for Windows 32-bit, install the following dependencies: - - sudo apt install g++-mingw-w64-i686 mingw-w64-i686-dev - -For Ubuntu Xenial 16.04 and later, including Ubuntu Bionic on the Windows Subsystem for Linux [2](#footnote2): - - sudo update-alternatives --config i686-w64-mingw32-g++ # Set the default mingw32 g++ compiler option to posix. - sudo update-alternatives --config i686-w64-mingw32-gcc # Set the default mingw32 gcc compiler option to posix. - -Note that for WSL the Bitcoin ABC source path MUST be somewhere in the default mount file system, for -example /usr/src/bitcoin-abc, AND not under /mnt/d/. -This means you cannot use a directory that located directly on the host Windows file system to perform the build. - -Acquire the source in the usual way: - - git clone https://github.com/Bitcoin-ABC/bitcoin-abc.git - -Then build using: - - PATH=$(echo "$PATH" | sed -e 's/:\/mnt.*//g') # strip out problematic Windows %PATH% imported var - cd depends - make build-win32 - cd .. - mkdir build - cd build - cmake -GNinja .. -DCMAKE_TOOLCHAIN_FILE=../cmake/platforms/Win32.cmake -DBUILD_BITCOIN_SEEDER=OFF # seeder not supported in Windows yet - ninja - ## Depends system For further documentation on the depends system see [README.md](../depends/README.md) in the depends directory. Installation ------------- After building using the Windows subsystem it can be useful to copy the compiled executables to a directory on the windows drive in the same directory structure as they appear in the release `.zip` archive. This can be done in the following way. This will install to `c:\workspace\bitcoin-abc`, for example: - cmake -GNinja .. -DCMAKE_TOOLCHAIN_FILE=../cmake/platforms/Win32.cmake -DBUILD_BITCOIN_SEEDER=OFF -DCMAKE_INSTALL_PREFIX=/mnt/c/workspace/bitcoin-abc + cmake -GNinja .. -DCMAKE_TOOLCHAIN_FILE=../cmake/platforms/Win64.cmake -DBUILD_BITCOIN_SEEDER=OFF -DCMAKE_INSTALL_PREFIX=/mnt/c/workspace/bitcoin-abc ninja install Footnotes --------- 1: There is currently a bug in the 64 bit Mingw-w64 cross compiler packaged for WSL/Ubuntu Xenial 16.04 that causes two of the bitcoin executables to crash shortly after start up. The bug is related to the -fstack-protector-all g++ compiler flag which is used to mitigate buffer overflows. Installing the Mingw-w64 packages from the Ubuntu 17.10 distribution solves the issue, however, this is not an officially supported approach and it's only recommended if you are prepared to reinstall WSL/Ubuntu should something break. -2: Starting from Ubuntu Xenial 16.04, both the 32 and 64 bit Mingw-w64 packages install two different -compiler options to allow a choice between either posix or win32 threads. The default option is win32 threads which is the more +2: Starting from Ubuntu Xenial 16.04, the Mingw-w64 packages install two different compiler +options to allow a choice between either posix or win32 threads. The default option is win32 threads which is the more efficient since it will result in binary code that links directly with the Windows kernel32.lib. Unfortunately, the headers required to support win32 threads conflict with some of the classes in the C++11 standard library, in particular std::mutex. It's not possible to build the Bitcoin ABC code using the win32 version of the Mingw-w64 cross compilers (at least not without modifying headers in the Bitcoin ABC source code). diff --git a/doc/release-notes.md b/doc/release-notes.md index efbdd38a5c..773eef07d6 100644 --- a/doc/release-notes.md +++ b/doc/release-notes.md @@ -1,5 +1,9 @@ Bitcoin ABC version 0.21.4 is now available from: This release includes the following features and fixes: + - The 32 bits Windows target is no longer supported. It will no longer be part + of the release shipment. Users that are willing to build for 32 bits Windows + should be aware that this will not be tested by the Bitcoin ABC team and be + prepared to face issues.