AaronFiore/electrum
1
0
Fork 0
Code Activity
Files
e8a8c8c3f14b2173af5fa28fdadf51df5cd59a4e
electrum/contrib/osx/make_osx
SomberNight 150ebe116a mac build: maybe fix reproducibility fail (_cbor.cpython-39-darwin.so) 
vagrants-iMac:electrum vagrant$ ./contrib/osx/compare_dmg dist/electrum-4.3.0-ghost43.dmg /Users/vagrant/Desktop/electrum-4.3.0-thomas1.dmg
[...]
Extracting signatures from release app...
Created mac_extracted_sigs.tar.gz
Applying extracted signatures to unsigned app...
Done. .app with sigs applied is at: /tmp/electrum_compare_dmg/signed_app
++ diff -qr /tmp/electrum_compare_dmg/signed_app /tmp/electrum_compare_dmg/dmg2
+ diff='Files /tmp/electrum_compare_dmg/signed_app/Electrum.app/Contents/MacOS/cbor/_cbor.cpython-39-darwin.so and /tmp/electrum_compare_dmg/dmg2/Electrum.app/Contents/MacOS/cbor/_cbor.cpython-39-darwin.so differ'
+ diff='diff errored'
+ set +x
diff errored
DMGs do *not* match.
failure

user@user-VirtualBox:~/wspace/tmp$ vbindiff comp/signed_app/_cbor.cpython-39-darwin.so comp/dmg2/_cbor.cpython-39-darwin.so

comp/signed_app/_cbor.cpython-39-darwin.so
0000 6AC0: 00 5F 50 79 49 6E 69 74  5F 5F 63 62 6F 72 2E 6D  ._PyInit __cbor.m
0000 6AD0: 6F 64 65 66 00 5F 43 62  6F 72 4D 65 74 68 6F 64  odef._Cb orMethod
0000 6AE0: 73 00 2F 70 72 69 76 61  74 65 2F 76 61 72 2F 66  s./priva te/var/f
0000 6AF0: 6F 6C 64 65 72 73 2F 35  36 2F 64 38 36 70 35 39  olders/5 6/d86p59
0000 6B00: 37 31 31 67 7A 63 62 38  73 31 71 37 31 36 78 31  711gzcb8 s1q716x1
0000 6B10: 6C 63 30 30 30 30 67 6E  2F 54 2F 70 69 70 2D 69  lc0000gn /T/pip-i
0000 6B20: 6E 73 74 61 6C 6C 2D 36  6D 69 36 68 6C 75 65 2F  nstall-6 mi6hlue/
comp/dmg2/_cbor.cpython-39-darwin.so
0000 6AC0: 00 5F 50 79 49 6E 69 74  5F 5F 63 62 6F 72 2E 6D  ._PyInit __cbor.m
0000 6AD0: 6F 64 65 66 00 5F 43 62  6F 72 4D 65 74 68 6F 64  odef._Cb orMethod
0000 6AE0: 73 00 2F 70 72 69 76 61  74 65 2F 76 61 72 2F 66  s./priva te/var/f
0000 6AF0: 6F 6C 64 65 72 73 2F 37  68 2F 70 33 30 7A 5F 74  olders/7 h/p30z_t
0000 6B00: 79 31 35 30 31 32 70 66  5F 33 64 79 78 62 73 39  y15012pf _3dyxbs9
0000 6B10: 33 34 30 30 30 30 67 6E  2F 54 2F 70 69 70 2D 69  340000gn /T/pip-i
0000 6B20: 6E 73 74 61 6C 6C 2D 30  68 64 39 63 35 6D 65 2F  nstall-0 hd9c5me/

related: https://github.com/pypa/pip/issues/6505
2022-08-05 15:57:10 +02:00

256 lines
9.5 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -e
# Parameterize
PYTHON_VERSION=3.9.11
BUILDDIR=/tmp/electrum-build
PACKAGE=Electrum
GIT_REPO=https://github.com/spesmilo/electrum
export GCC_STRIP_BINARIES="1"
export PYTHONDONTWRITEBYTECODE=1 # don't create __pycache__/ folders with .pyc files
. "$(dirname "$0")/../build_tools_util.sh"
CONTRIB_OSX="$(dirname "$(realpath "$0")")"
CONTRIB="$CONTRIB_OSX/.."
PROJECT_ROOT="$CONTRIB/.."
CACHEDIR="$CONTRIB_OSX/.cache"
mkdir -p "$CACHEDIR"
cd "$PROJECT_ROOT"
which brew > /dev/null 2>&1 || fail "Please install brew from https://brew.sh/ to continue"
which xcodebuild > /dev/null 2>&1 || fail "Please install xcode command line tools to continue"
# Code Signing: See https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
if [ -n "$CODESIGN_CERT" ]; then
# Test the identity is valid for signing by doing this hack. There is no other way to do this.
cp -f /bin/ls ./CODESIGN_TEST
set +e
codesign -s "$CODESIGN_CERT" --dryrun -f ./CODESIGN_TEST > /dev/null 2>&1
res=$?
set -e
rm -f ./CODESIGN_TEST
if ((res)); then
fail "Code signing identity \"$CODESIGN_CERT\" appears to be invalid."
fi
unset res
info "Code signing enabled using identity \"$CODESIGN_CERT\""
else
warn "Code signing DISABLED. Specify a valid macOS Developer identity installed on the system to enable signing."
fi
function DoCodeSignMaybe { # ARGS: infoName fileOrDirName
infoName="$1"
file="$2"
deep=""
if [ -z "$CODESIGN_CERT" ]; then
# no cert -> we won't codesign
return
fi
if [ -d "$file" ]; then
deep="--deep"
fi
if [ -z "$infoName" ] || [ -z "$file" ] || [ ! -e "$file" ]; then
fail "Argument error to internal function DoCodeSignMaybe()"
fi
hardened_arg="--entitlements=${CONTRIB_OSX}/entitlements.plist -o runtime"
info "Code signing ${infoName}..."
codesign -f -v $deep -s "$CODESIGN_CERT" $hardened_arg "$file" || fail "Could not code sign ${infoName}"
}
info "Installing Python $PYTHON_VERSION"
PKG_FILE="python-${PYTHON_VERSION}-macosx10.9.pkg"
if [ ! -f "$CACHEDIR/$PKG_FILE" ]; then
curl -o "$CACHEDIR/$PKG_FILE" "https://www.python.org/ftp/python/${PYTHON_VERSION}/$PKG_FILE"
fi
echo "c2073d44c404c661dadbf0cbda55c6e7d681baba9178ed1bdb126d34caa898a9 $CACHEDIR/$PKG_FILE" | shasum -a 256 -c \
|| fail "python pkg checksum mismatched"
sudo installer -pkg "$CACHEDIR/$PKG_FILE" -target / \
|| fail "failed to install python"
# sanity check "python3" has the version we just installed.
FOUND_PY_VERSION=$(python3 -c 'import sys; print(".".join(map(str, sys.version_info[:3])))')
if [[ "$FOUND_PY_VERSION" != "$PYTHON_VERSION" ]]; then
fail "python version mismatch: $FOUND_PY_VERSION != $PYTHON_VERSION"
fi
break_legacy_easy_install
# create a fresh virtualenv
# This helps to avoid older versions of pip-installed dependencies interfering with the build.
VENV_DIR="$CONTRIB_OSX/build-venv"
rm -rf "$VENV_DIR"
python3 -m venv $VENV_DIR
source $VENV_DIR/bin/activate
# don't add debug info to compiled C files (e.g. when pip calls setuptools/wheel calls gcc)
# see https://github.com/pypa/pip/issues/6505#issuecomment-526613584
export CFLAGS="-g0"
info "Installing build dependencies"
python3 -m pip install --no-build-isolation --no-dependencies --no-warn-script-location \
-Ir ./contrib/deterministic-build/requirements-build-base.txt \
|| fail "Could not install build dependencies (base)"
python3 -m pip install --no-build-isolation --no-dependencies --no-warn-script-location \
-Ir ./contrib/deterministic-build/requirements-build-mac.txt \
|| fail "Could not install build dependencies (mac)"
info "Installing some build-time deps for compilation..."
brew install autoconf automake libtool gettext coreutils pkgconfig
info "Building PyInstaller."
PYINSTALLER_REPO="https://github.com/pyinstaller/pyinstaller.git"
PYINSTALLER_COMMIT="40c9abce2d8de879e414fd377c933dccaab1e156"
# ^ tag "4.2"
# TODO test newer versions of pyinstaller for build-reproducibility.
# we are using this version for now due to change in code-signing behaviour
# (https://github.com/pyinstaller/pyinstaller/pull/5581)
(
if [ -f "$CACHEDIR/pyinstaller/PyInstaller/bootloader/Darwin-64bit/runw" ]; then
info "pyinstaller already built, skipping"
exit 0
fi
cd "$PROJECT_ROOT"
ELECTRUM_COMMIT_HASH=$(git rev-parse HEAD)
cd "$CACHEDIR"
rm -rf pyinstaller
mkdir pyinstaller
cd pyinstaller
# Shallow clone
git init
git remote add origin $PYINSTALLER_REPO
git fetch --depth 1 origin $PYINSTALLER_COMMIT
git checkout -b pinned "${PYINSTALLER_COMMIT}^{commit}"
rm -fv PyInstaller/bootloader/Darwin-*/run* || true
# add reproducible randomness. this ensures we build a different bootloader for each commit.
# if we built the same one for all releases, that might also get anti-virus false positives
echo "const char *electrum_tag = \"tagged by Electrum@$ELECTRUM_COMMIT_HASH\";" >> ./bootloader/src/pyi_main.c
pushd bootloader
# compile bootloader
python3 ./waf all CFLAGS="-static"
popd
# sanity check bootloader is there:
[[ -e "PyInstaller/bootloader/Darwin-64bit/runw" ]] || fail "Could not find runw in target dir!"
rm pyinstaller.py # workaround for https://github.com/pyinstaller/pyinstaller/pull/6701
) || fail "PyInstaller build failed"
info "Installing PyInstaller."
python3 -m pip install --no-build-isolation --no-dependencies --no-warn-script-location "$CACHEDIR/pyinstaller"
info "Using these versions for building $PACKAGE:"
sw_vers
python3 --version
echo -n "Pyinstaller "
pyinstaller --version
rm -rf ./dist
git submodule update --init
rm -rf "$BUILDDIR" > /dev/null 2>&1
mkdir "$BUILDDIR"
info "generating locale"
(
if ! which msgfmt > /dev/null 2>&1; then
brew install gettext
brew link --force gettext
fi
cd "$CONTRIB"/deterministic-build/electrum-locale
# we want the binary to have only compiled (.mo) locale files; not source (.po) files
rm -rf "$PROJECT_ROOT/electrum/locale/"
for i in ./locale/*; do
dir="$PROJECT_ROOT/electrum/$i/LC_MESSAGES"
mkdir -p "$dir"
msgfmt --output-file="$dir/electrum.mo" "$i/electrum.po" || true
done
) || fail "failed generating locale"
if [ ! -f "$PROJECT_ROOT"/electrum/libsecp256k1.0.dylib ]; then
info "Building libsecp256k1 dylib..."
"$CONTRIB"/make_libsecp256k1.sh || fail "Could not build libsecp"
else
info "Skipping libsecp256k1 build: reusing already built dylib."
fi
cp "$PROJECT_ROOT"/electrum/libsecp256k1.0.dylib "$CONTRIB"/osx
if [ ! -f "$PROJECT_ROOT"/electrum/libzbar.0.dylib ]; then
info "Building ZBar dylib..."
"$CONTRIB"/make_zbar.sh || fail "Could not build ZBar dylib"
else
info "Skipping ZBar build: reusing already built dylib."
fi
cp "$PROJECT_ROOT"/electrum/libzbar.0.dylib "$CONTRIB"/osx
if [ ! -f "$PROJECT_ROOT"/electrum/libusb-1.0.dylib ]; then
info "Building libusb dylib..."
"$CONTRIB"/make_libusb.sh || fail "Could not build libusb dylib"
else
info "Skipping libusb build: reusing already built dylib."
fi
cp "$PROJECT_ROOT"/electrum/libusb-1.0.dylib "$CONTRIB"/osx
info "Installing requirements..."
python3 -m pip install --no-build-isolation --no-dependencies --no-warn-script-location \
-Ir ./contrib/deterministic-build/requirements.txt \
|| fail "Could not install requirements"
info "Installing hardware wallet requirements..."
python3 -m pip install --no-build-isolation --no-dependencies --no-warn-script-location \
-Ir ./contrib/deterministic-build/requirements-hw.txt \
|| fail "Could not install hardware wallet requirements"
info "Installing dependencies specific to binaries..."
python3 -m pip install --no-build-isolation --no-dependencies --no-warn-script-location \
-Ir ./contrib/deterministic-build/requirements-binaries-mac.txt \
|| fail "Could not install dependencies specific to binaries"
info "Building $PACKAGE..."
python3 -m pip install --no-build-isolation --no-dependencies \
--no-warn-script-location . > /dev/null || fail "Could not build $PACKAGE"
info "Faking timestamps..."
find . -exec touch -t '200101220000' {} + || true
VERSION=`git describe --tags --dirty --always`
info "Building binary"
pyinstaller --noconfirm --ascii --clean --name $VERSION contrib/osx/osx.spec || fail "Could not build binary"
info "Adding bitcoin URI types to Info.plist"
plutil -insert 'CFBundleURLTypes' \
-xml '<array><dict> <key>CFBundleURLName</key> <string>bitcoin</string> <key>CFBundleURLSchemes</key> <array><string>bitcoin</string><string>lightning</string></array> </dict></array>' \
-- dist/$PACKAGE.app/Contents/Info.plist \
|| fail "Could not add keys to Info.plist. Make sure the program 'plutil' exists and is installed."
DoCodeSignMaybe "app bundle" "dist/${PACKAGE}.app"
if [ ! -z "$CODESIGN_CERT" ]; then
if [ ! -z "$APPLE_ID_USER" ]; then
info "Notarizing .app with Apple's central server..."
"${CONTRIB_OSX}/notarize_app.sh" "dist/${PACKAGE}.app" || fail "Could not notarize binary."
else
warn "AppleID details not set! Skipping Apple notarization."
fi
fi
info "Creating .DMG"
hdiutil create -fs HFS+ -volname $PACKAGE -srcfolder dist/$PACKAGE.app dist/electrum-$VERSION.dmg || fail "Could not create .DMG"
DoCodeSignMaybe ".DMG" "dist/electrum-${VERSION}.dmg"
if [ -z "$CODESIGN_CERT" ]; then
warn "App was built successfully but was not code signed. Users may get security warnings from macOS."
warn "Specify a valid code signing identity to enable code signing."
fi
View Git Blame Copy Permalink