6e7c4d17d8
Upgrade for https://www.openssl.org/news/secadv_20140605.txt Just in case - there is no vulnerability that affects ecdsa signing or verification. The MITM attack vulnerability (CVE-2014-0224) may have some effect on our usage of SSL/TLS. As long as payment requests are signed (which is the common case), usage of the payment protocol should also not be affected. The TLS usage in RPC may be at risk for MITM attacks. If you have `-rpcssl` enabled, be sure to update OpenSSL as soon as possible.
---
name: "qt"
suites:
- "precise"
architectures:
- "amd64"
packages:
- "mingw-w64"
- "g++-mingw-w64"
- "zip"
- "unzip"
- "faketime"
- "libz-dev"
reference_datetime: "2011-01-30 00:00:00"
remotes: []
files:
- "qt-everywhere-opensource-src-5.2.0.tar.gz"
- "bitcoin-deps-win32-gitian-r13.zip"
- "bitcoin-deps-win64-gitian-r13.zip"
script: |
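# Defines: fixed timezone plus the input and scratch directories used below.
export TZ=UTC
INDIR="$HOME/build"
TEMPDIR="$HOME/tmp"

# Qt: workaround for determinism in resource ordering.
# Qt5's rcc stores the files of a resource in a QHash. A security fix in QHash
# (https://qt.gitorious.org/qt/qtbase/commit/c01eaa438200edc9a3bbcd8ae1e8ded058bea268)
# makes the key ordering differ on every run. That is good in general, but rcc
# should not be traversing a randomized container. The thorough solution is to
# use QMap instead of QHash, which requires patching Qt; for now rcc's test
# mode is used because it forces a fixed seed.
export QT_RCC_TEST=1

# Integrity check: pin the Qt source tarball to a known SHA-256 before anything
# unpacks it. The line fed to `sha256sum -c` follows the conventional layout of
# digest, two spaces, file name. The file name is relative, so the tarball is
# looked up in the current working directory.
# The explicit exit makes a mismatch fatal on its own, instead of depending on
# errexit having been enabled by whatever wraps this script.
# NOTE(review): only the Qt tarball is pinned here; the bitcoin-deps zips named
# under `files:` are unpacked later without a digest check in this script.
qt_tarball="qt-everywhere-opensource-src-5.2.0.tar.gz"
qt_sha256="395ec72277c5786c65b8163ef5817fd03d0a1f524a6d47f53624baf8056f1081"
printf '%s  %s\n' "$qt_sha256" "$qt_tarball" | sha256sum -c || {
  echo "integrity check failed for $qt_tarball" >&2
  exit 1
}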
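for BITS in 32 64; do # for architectures
  #
  # Per-architecture install prefix, build tree and dependency tree.
  INSTALLPREFIX="$HOME/staging${BITS}"
  BUILDDIR="$HOME/build${BITS}"
  DEPSDIR="$HOME/deps${BITS}"
  if [ "$BITS" == "32" ]; then
    HOST=i686-w64-mingw32
  else
    HOST=x86_64-w64-mingw32
  fi
  #
  mkdir -p "$INSTALLPREFIX" "$INSTALLPREFIX/host/bin" "$DEPSDIR" "$BUILDDIR"
  #
  # Need mingw-compiled openssl from bitcoin-deps.
  # NOTE(review): Qt is linked statically against the OpenSSL unpacked here
  # (see OPENSSL_LIBS and -openssl-linked below), so the OpenSSL that ends up
  # in the output follows the deps revision named in this file name. This
  # script does not verify a digest for the zip before unpacking it.
  cd "$DEPSDIR"
  unzip "$INDIR/bitcoin-deps-win${BITS}-gitian-r13.zip"
  #
  cd "$BUILDDIR"
  #
  tar xzf "$INDIR/qt-everywhere-opensource-src-5.2.0.tar.gz"
  cd qt-everywhere-opensource-src-5.2.0
  SPECNAME="win32-g++"
  SPECFILE="qtbase/mkspecs/${SPECNAME}/qmake.conf"
  # Replace the configure-time `date` call with a fixed install date.
  sed 's/qt_instdate=`date +%Y-%m-%d`/qt_instdate=2011-01-30/' -i qtbase/configure
  # Add the cross include path, a fixed -frandom-seed and the deps include/lib
  # directories to the mkspec.
  # NOTE(review): sed exits successfully when nothing is substituted, so a
  # search pattern that does not match qmake.conf exactly (including its
  # whitespace) leaves the spec file unchanged without any error. Confirm both
  # patterns against the spec file.
  sed --posix "s|QMAKE_CFLAGS = -pipe -fno-keep-inline-dllexport|QMAKE_CFLAGS\t\t= -pipe -fno-keep-inline-dllexport -isystem /usr/$HOST/include/ -frandom-seed=qtbuild -I$DEPSDIR/include|" -i "${SPECFILE}"
  sed --posix "s|QMAKE_LFLAGS =|QMAKE_LFLAGS\t\t= -L$DEPSDIR/lib|" -i "${SPECFILE}"
  # Before we tried to pass arguments to ar (static linking) using QMAKE_LIB,
  # however qt removes the arguments for ar and provides a script, which makes
  # it impossible to pass the determinism flag - so rather than try to replace
  # ar, post-process all libraries and plugins at the end.
  #
  # Don't load faketime while compiling Qt, qmake will get stuck in nearly infinite loops
  #export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1
  #export FAKETIME=$REFERENCE_DATETIME
  #
  # Compile static libraries, and use statically linked openssl (-openssl-linked):
  OPENSSL_LIBS="-L$DEPSDIR/lib -lssl -lcrypto -lgdi32" ./configure \
    -prefix "$INSTALLPREFIX" -bindir "$INSTALLPREFIX/host/bin" \
    -confirm-license -release -opensource -static \
    -xplatform "$SPECNAME" -device-option CROSS_COMPILE="$HOST-" \
    -no-audio-backend -no-javascript-jit -no-sql-sqlite -no-sql-odbc \
    -no-nis -no-cups -no-iconv -no-dbus -no-gif -no-opengl \
    -no-compile-examples -no-feature-style-windowsce \
    -no-feature-style-windowsmobile -no-qml-debug -openssl-linked \
    -skip qtsvg -skip qtwebkit -skip qtwebkit-examples -skip qtserialport \
    -skip qtdeclarative -skip qtmultimedia -skip qtimageformats \
    -skip qtlocation -skip qtsensors -skip qtquick1 -skip qtquickcontrols \
    -skip qtactiveqt -skip qtconnectivity -skip qtwinextras \
    -skip qtxmlpatterns -skip qtscript -skip qtdoc \
    -system-libpng -system-zlib
  # MAKEOPTS is not set in this script (presumably supplied by the build
  # harness); it stays unquoted so that its options are split into words.
  make $MAKEOPTS install
  # Post-process all generated libraries and plugins to be deterministic:
  # extract each archive into a scratch directory, then re-create it with
  # ar's D flag. The glob is quoted so that find, not the shell, expands it.
  for LIB in $(find "$INSTALLPREFIX" -name '*.a'); do
    rm -rf -- "${TEMPDIR:?}" && mkdir "$TEMPDIR" && cd "$TEMPDIR"
    # `ar xv` prints "x - <member>" per extracted member; cut drops that prefix.
    # The member list is kept in an array rather than a fixed-name file in /tmp.
    mapfile -t members < <("$HOST-ar" xv "$LIB" | cut -b5-)
    rm "$LIB"
    "$HOST-ar" crsD "$LIB" "${members[@]}"
  done
  #
  cd "$INSTALLPREFIX"
  # Remove unused non-deterministic stuff
  rm host/bin/qtpaths.exe lib/libQt5Bootstrap.a lib/libQt5Bootstrap.la
  # As zip stores file timestamps, use faketime to intercept stat calls so all
  # files carry the reference date. The preload is exported only around the
  # touch/zip step and unset again before the next architecture is compiled.
  # REFERENCE_DATETIME and OUTDIR are not set in this script (presumably
  # supplied by the build harness).
  export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1
  export FAKETIME="$REFERENCE_DATETIME"
  find -print0 | xargs -r0 touch # fix up timestamps before packaging
  find | sort | zip -X@ "$OUTDIR/qt-win${BITS}-5.2.0-gitian-r3.zip"
  unset LD_PRELOAD
  unset FAKETIME
done # for BITS in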