guix: Test security-check sanity before performing them (with macOS) #22381

pull fanquake wants to merge 8 commits into bitcoin:master from fanquake:20980_macOS_fixups changing 12 files +262 −51
  1. fanquake commented at 1:01 pm on July 1, 2021: member

    This is #20980 rebased (to include the Boost Process fix), and with an additional commit (892d6897f1e613084aa0517a660eab2412308e6e) to fix running the test-security-check target for the macOS build. It should pass inside Guix, as well as when cross-compiling on Ubuntu, or building natively on macOS.

    Note that the test-security-check may output some warnings (similar to):

    ld: warning: passed two min versions (10.14, 11.4) for platform macOS. Using 11.4.
    ld: warning: passed two min versions (10.14, 11.4) for platform macOS. Using 11.4.
    ld: warning: passed two min versions (10.14, 10.14) for platform macOS. Using 10.14.
    

    but those can be ignored, and come about due to us passing -platform_version when -mmacosx-version-min is already part of CC.

    Guix builds:

    
  2. fanquake added the label Build system on Jul 1, 2021
  3. fanquake added the label Needs Guix build on Jul 1, 2021
  4. fanquake added this to the milestone 22.0 on Jul 1, 2021
  5. MarcoFalke commented at 6:16 pm on July 1, 2021: member

    From ci:

    Ran 1 test in 1.002s
    OK
    F
    ======================================================================
    FAIL: test_ELF (__main__.TestSymbolChecks)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "./contrib/devtools/test-symbol-check.py", line 82, in test_ELF
        self.assertEqual(call_symbol_check(cc, source, executable, ['-lm']),
    AssertionError: Tuples differ: (1, 'test3: symbol pow from unsupported ve[45 chars]OLS') != (0, '')
    First differing element 0:
    1
    0
    + (0, '')
    - (1,
    -  'test3: symbol pow from unsupported version GLIBC_2.29\n'
    -  'test3: failed IMPORTED_SYMBOLS')
    ----------------------------------------------------------------------
    Ran 1 test in 0.490s
    FAILED (failures=1)
    make: *** [Makefile:1448: test-security-check] Error 1
    
  6. DrahtBot removed the label Needs Guix build on Jul 1, 2021
  7. DrahtBot commented at 1:46 am on July 2, 2021: member

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    No conflicts as of last run.

  8. MarcoFalke deleted a comment on Jul 2, 2021
  9. MarcoFalke added the label Needs Guix build on Jul 6, 2021
  10. fanquake force-pushed on Jul 7, 2021
  11. fanquake marked this as a draft on Jul 7, 2021
  12. lint: Run mypy with --show-error-codes
    When using mypy ignore directives, the error code needs to be specified.
    Somehow mypy doesn't print it by default...
    d6ef3543ae
  13. ci: skip running the Linux test-security-check target for now
    The CI environment is a moving target, and these tests are somewhat
    fragile, so for now, disable them.
    bda62eab38
  14. devtools: Improve *-check.py tool detection
    This is important to make sure that we're not testing tools different
    from the one we're building with.
    
    Introduce determine_wellknown_cmd, which encapsulates how we
    should handle well-known tools specification (IFS splitting, env
    override, etc.).
    9fdc8afe11
  15. guix: Patch binutils to add security-related disable flags
    We use these flags in our test-security-check make target, but they are
    only available because debian patches them in.
    
    We can patch them in for our Guix builds so that we can check the sanity
    of our security/symbol checking suite before running them.
    678348db51
  16. build: Use and test PE binutils with --reloc-section
    Also fix test-security-check.py to account for new PE PIE failure
    indication.
    a8127b34bc
  17. scripts: more robustly test macOS symbol checks 1946b5f77c
  18. scripts: adjust test-symbol-check for guix release environment
    Now that our release binaries are built in a glibc 2.24 and 2.27
    environment, we can't use a symbol from glibc 2.28 to test our checks.
    Replace renameat2() with nextup(), which was introduced in 2.24.
    
    Note that this also means re-disabling the test for RISC-V, however
    RISC-V is built in a glibc 2.27 environment, and our minimum required
    glibc for that binary is 2.27.
    6cf3345297
  19. guix: Test security-check sanity before performing them 5b4703c6a7
  20. fanquake force-pushed on Jul 7, 2021
  21. fanquake commented at 12:42 pm on July 7, 2021: member
    I’ve made a few changes here, including rebasing now that #22405 has been merged, fixing up the ELF test-symbol-check test to account for it being run in the new glibc environments, and re-ordered some commits. Note that I’ve also removed the test-security(symbol)-check target from being run for Linux in the CI, mainly due to these tests being somewhat fragile. We can look at running them again when the security and symbol checks have been split up. I also have one bugfix for the symbol-check tests, that I’ll PR shortly.
  22. fanquake marked this as ready for review on Jul 7, 2021
  23. fanquake removed the label Needs Guix build on Jul 7, 2021
  24. fanquake added the label Needs Guix build on Jul 7, 2021
  25. hebasto commented at 4:50 pm on July 7, 2021: member

    Guix builds:

    $ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
    
  26. hebasto commented at 4:51 pm on July 7, 2021: member
    Approach ACK 5b4703c6a70db2fa72fcace56a15db07d4b0acf1.
  27. dongcarl commented at 8:45 pm on July 7, 2021: member
    Concept ACK! 😄
  28. achow101 commented at 4:09 am on July 8, 2021: member
    $ cat noncodesigned.SHA256SUMS
    
  29. dongcarl commented at 6:06 pm on July 8, 2021: member

    I seem to be getting matching results!

    
  30. in configure.ac:903 in 5b4703c6a7
    899@@ -900,6 +900,7 @@ if test x$use_hardening != xno; then
    900     ])
    901   fi
    902 
    903+  AX_CHECK_LINK_FLAG([[-Wl,--enable-reloc-section]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--enable-reloc-section"],, [[$LDFLAG_WERROR]])
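    Review bot: The added AX_CHECK_LINK_FLAG at line 903 carries no comment saying why the flag is set. From the visible context it sits directly inside `if test x$use_hardening != xno`, so it is probed on every hardened build even though `--enable-reloc-section` is a PE linker option, and with the failure action left empty (`,,`) the probe fails quietly on other hosts. Suggest a one-line comment stating that the flag is PE-only and is being made explicit, or placing the check under whatever host-specific branch handles the Windows target if there is one nearby.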
    


    fanquake commented at 2:11 am on July 9, 2021:

    From #20980 (review)

    I think testing for this, and adding to our hardened ldflags when available is fine. It’s enabled by default, however we like to be explicit. It’s also available with the binutils (2.34) we are using for gitian builds.

    Note that some of these flags also imply each other: --high-entropy-va implies --dynamic-base & --enable-reloc-section; --dynamic-base implies --enable-reloc-section

  31. in contrib/guix/patches/binutils-mingw-w64-disable-flags.patch:5 in 5b4703c6a7
    0@@ -0,0 +1,171 @@
    1+Description: Add disable opposites to the security-related flags
    2+Author: Stephen Kitt <skitt@debian.org>
    3+
    4+This patch adds "no-" variants to disable the various security flags:
    5+"no-dynamicbase", "no-nxcompat", "no-high-entropy-va", "disable-reloc-section".
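    Review bot: The patch header in lines 1-5 names an author but gives no origin and no binutils version the patch was taken from or applies to. Since this file is carried under contrib/guix/patches, suggest adding an origin line and the version it was written against, so the patch can be re-checked against its source whenever the Guix binutils is bumped.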
    


    fanquake commented at 2:11 am on July 9, 2021:
  32. in contrib/devtools/test-security-check.py:62 in 5b4703c6a7
    67-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
    68-            (1, executable+': failed HIGH_ENTROPY_VA RELOC_SECTION'))
    69-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-no-pie','-fno-PIE']),
    70-            (1, executable+': failed RELOC_SECTION'))
    71-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE']),
    72+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat','-Wl,--disable-reloc-section','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
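    Review bot: The added assertion at line 72 depends on the linker accepting `-Wl,--no-nxcompat`, `-Wl,--disable-reloc-section` and `-Wl,--no-dynamicbase`, and nothing in the visible lines guards against an ld that lacks them. On such a toolchain the link step fails before the checker runs, so the test fails for a reason unrelated to the security check itself. Suggest a comment stating the dependency on the patched binutils, or skipping the PE test with a clear message when the flags are rejected.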
    


    fanquake commented at 2:12 am on July 9, 2021:

    From #20980 (review)

    At this stage we have already given in to not being able to run the test security check target for windows in gitian due to lack of --no options in ld, so adding --disable here to test --enable-reloc-section isn’t making anything worse. If anything this speaks to the usefulness of Guix, given how easy it is to patch these --no/--disable flags back into our toolchain. It would be much more difficult trying to achieve the same using gitian.
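
The sanity test discussed in this review, as an added example (not the project's test-security-check.py): a small PE header checker run over constructed header-only images with the hardening bits switched on and off, confirming it reports the failures the removed test lines expect. The function names, the `DYNAMIC_BASE` and `NX` labels and the order of the labels are assumptions; only `HIGH_ENTROPY_VA` and `RELOC_SECTION` appear on the page, and the header bits are set directly here instead of through the `--no-*`/`--disable-*` linker flags.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
PE32, PE32_PLUS = 0x10B, 0x20B


def build_pe(dll_characteristics, section_names):
    """Construct a header-only PE32+ image (sample input, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    opt = bytearray(240)                       # PE32+ optional header incl. 16 data dirs
    struct.pack_into("<H", opt, 0, PE32_PLUS)  # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, len(opt), 0x0022)
    table = b""
    for name in section_names:
        entry = bytearray(40)
        entry[:8] = name.encode().ljust(8, b"\x00")
        struct.pack_into("<II", entry, 8, 0x1000, 0x1000)  # VirtualSize, VirtualAddress
        table += bytes(entry)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (magic, DllCharacteristics, {section name: VirtualSize})."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _mach, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    sections = {}
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        (sections[name],) = struct.unpack_from("<I", data, off + 8)
    return magic, dll_chars, sections


def security_check(name, data):
    """Return (exit code, message) in the style of the assertions in the hunk above."""
    magic, dll_chars, sections = parse_pe(data)
    checks = [
        ("DYNAMIC_BASE", bool(dll_chars & DYNAMIC_BASE)),
        ("NX", bool(dll_chars & NX_COMPAT)),
        ("HIGH_ENTROPY_VA", magic == PE32_PLUS and bool(dll_chars & HIGH_ENTROPY_VA)),
        ("RELOC_SECTION", sections.get(".reloc", 0) > 0),
    ]
    failed = [label for label, ok in checks if not ok]
    return (1, name + ": failed " + " ".join(failed)) if failed else (0, "")


def checker_is_sane():
    """Trust the checker only if it rejects known-bad images and accepts a known-good one."""
    all_on = DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA
    cases = [
        (build_pe(0, [".text"]), (1, "t: failed DYNAMIC_BASE NX HIGH_ENTROPY_VA RELOC_SECTION")),
        (build_pe(DYNAMIC_BASE | NX_COMPAT, [".text"]), (1, "t: failed HIGH_ENTROPY_VA RELOC_SECTION")),
        (build_pe(all_on, [".text"]), (1, "t: failed RELOC_SECTION")),
        (build_pe(all_on, [".text", ".reloc"]), (0, "")),
    ]
    return all(security_check("t", image) == expected for image, expected in cases)


if __name__ == "__main__":
    print("checker sane:", checker_is_sane())
```

A checker that returned `(0, "")` for the first three images would pass every release binary regardless of how it was linked, which is the failure mode the sanity run is there to catch.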

  33. fanquake commented at 2:17 am on July 9, 2021: member
    I’m going to go ahead and merge this now. For additional context, I’ve also copied over some of the comments I left when reviewing #20980, that highlight the benefits of using Guix. The changes we’re making here to patch our mingw-w64 toolchain and run additional security / sanity checks would be much harder / awkward to achieve inside gitian.
  34. fanquake merged this on Jul 9, 2021
  35. fanquake closed this on Jul 9, 2021

  36. Emzy commented at 9:58 am on July 9, 2021: contributor

    Guix builds:

    $ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
    
  37. DrahtBot commented at 8:23 am on July 10, 2021: member

    Guix builds

  38. DrahtBot removed the label Needs Guix build on Jul 10, 2021
  39. sidhujag referenced this in commit 976ede38a7 on Jul 10, 2021
  40. fanquake deleted the branch on Jul 14, 2021
  41. laanwj referenced this in commit 90499358e9 on Aug 18, 2021
  42. sidhujag referenced this in commit 0084d93604 on Aug 20, 2021
  43. gwillen referenced this in commit 915d06019a on Jun 1, 2022
  44. DrahtBot locked this on Aug 18, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-04 19:12 UTC
