Skip to content

Commit

Permalink
build: Fix AppImage reproducibility by using rusts trim-paths
Browse files Browse the repository at this point in the history
This also uses a patched version of cryptography that passes
`-fmacro-prefix-map` to the compiler.

fixes Electron-Cash#2807
  • Loading branch information
EchterAgo committed Mar 22, 2024
1 parent b5b34f1 commit 515021a
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 1 deletion.
7 changes: 7 additions & 0 deletions contrib/build-linux/appimage/Dockerfile_ub2004
Original file line number Diff line number Diff line change
Expand Up @@ -62,3 +62,10 @@ RUN echo deb ${UBUNTU_MIRROR} ${UBUNTU_DIST} main restricted universe multiverse
rm -rf /var/lib/apt/lists/* && \
apt-get autoremove -y && \
apt-get clean

# This is to enable nightly features in the release configuration
ENV RUSTC_BOOTSTRAP=1
# Enable trim-paths feature in cargo 1.75+ to make sure pip paths
# do not end up in binaries making them not reproducible
ENV CARGO_TRIM_PATHS=all
ENV CARGO_UNSTABLE_TRIM_PATHS=true
4 changes: 3 additions & 1 deletion contrib/build-linux/appimage/_build.sh
Original file line number Diff line number Diff line change
Expand Up @@ -125,9 +125,11 @@ mkdir -p "$CACHEDIR/pip_cache"
CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --cache-dir "$CACHEDIR/pip_cache" -r "$CONTRIB/deterministic-build/requirements-pip.txt"
CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --cache-dir "$CACHEDIR/pip_cache" -r "$CONTRIB/deterministic-build/requirements-build-appimage.txt"
CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --cache-dir "$CACHEDIR/pip_cache" -r "$CONTRIB/deterministic-build/requirements.txt"
CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --only-binary PyQt5,PyQt5-Qt5 --cache-dir "$CACHEDIR/pip_cache" -r <(filter_deps /zxing-cpp/ < "$CONTRIB/deterministic-build/requirements-binaries.txt")
CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --only-binary PyQt5,PyQt5-Qt5 --cache-dir "$CACHEDIR/pip_cache" -r <(filter_deps /zxing-cpp/ < "$CONTRIB/deterministic-build/requirements-binaries.txt" | filter_deps /cryptography/)
# zxing-cpp 2.2.1 with patch for reproducible build, see https://github.com/zxing-cpp/zxing-cpp/pull/730
CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --only-binary cmake --cache-dir "$CACHEDIR/pip_cache" git+https://github.com/EchterAgo/zxing-cpp.git@3ac618250672db83e7a37b4e43fe6f72b88756d4#subdirectory=wrappers/python
# cryptography 42.0.5 with patch for reproducible build, see https://github.com/pyca/cryptography/pull/10627
CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --only-binary cmake --cache-dir "$CACHEDIR/pip_cache" git+https://github.com/pyca/cryptography.git@857d6b1d2fb1b93251a89ca3534e2a28b32c4950
# Temporary fix for hidapi incompatibility with Cython 3
# See https://github.com/trezor/cython-hidapi/issues/155
# We use PIP_CONSTRAINT as an environment variable instead of command line flag because it gets passed to subprocesses
Expand Down

0 comments on commit 515021a

Please sign in to comment.