Wladimir J. van der Laan 3ae41a64dd
gitian: upgrade OpenSSL to 1.0.1h
Upgrade for https://www.openssl.org/news/secadv_20140605.txt

Just in case - there is no vulnerability that affects ecdsa signing or
verification.

The MITM attack vulnerability (CVE-2014-0224) may have some effect on
our usage of SSL/TLS.

As long as payment requests are signed (which is the common case), usage
of the payment protocol should also not be affected.

The TLS usage in RPC may be at risk for MITM attacks. If you have
`-rpcssl` enabled, be sure to update OpenSSL as soon as possible.

Rebased-By: Wladimir J. van der Laan <laanwj@gmail.com>
Rebased-From: 6e7c4d1
2014-06-06 18:59:56 +02:00

93 lines
4.5 KiB
YAML

---
name: "qt"
suites:
- "precise"
architectures:
- "amd64"
packages:
- "mingw-w64"
- "g++-mingw-w64"
- "zip"
- "unzip"
- "faketime"
- "libz-dev"
reference_datetime: "2011-01-30 00:00:00"
remotes: []
files:
- "qt-everywhere-opensource-src-5.2.0.tar.gz"
- "bitcoin-deps-win32-gitian-r13.zip"
- "bitcoin-deps-win64-gitian-r13.zip"
script: |
# Defines
export TZ=UTC
INDIR=$HOME/build
TEMPDIR=$HOME/tmp
# Qt: workaround for determinism in resource ordering
# Qt5's rcc uses a QHash to store the files for the resource.
# A security fix in QHash makes the ordering of keys to be different on every run
# (https://qt.gitorious.org/qt/qtbase/commit/c01eaa438200edc9a3bbcd8ae1e8ded058bea268).
# This is good in general but qrc shouldn't be doing a traversal over a randomized container.
# The thorough solution would be to use QMap instead of QHash, but this requires patching Qt.
# For now luckily there is a test mode that forces a fixed seed.
export QT_RCC_TEST=1
# Integrity Check
echo "395ec72277c5786c65b8163ef5817fd03d0a1f524a6d47f53624baf8056f1081 qt-everywhere-opensource-src-5.2.0.tar.gz" | sha256sum -c
for BITS in 32 64; do # for architectures
#
INSTALLPREFIX=$HOME/staging${BITS}
BUILDDIR=$HOME/build${BITS}
DEPSDIR=$HOME/deps${BITS}
if [ "$BITS" == "32" ]; then
HOST=i686-w64-mingw32
else
HOST=x86_64-w64-mingw32
fi
#
mkdir -p $INSTALLPREFIX $INSTALLPREFIX/host/bin $DEPSDIR $BUILDDIR
#
# Need mingw-compiled openssl from bitcoin-deps:
cd $DEPSDIR
unzip $INDIR/bitcoin-deps-win${BITS}-gitian-r13.zip
#
cd $BUILDDIR
#
tar xzf $INDIR/qt-everywhere-opensource-src-5.2.0.tar.gz
cd qt-everywhere-opensource-src-5.2.0
SPECNAME="win32-g++"
SPECFILE="qtbase/mkspecs/${SPECNAME}/qmake.conf"
sed 's/qt_instdate=`date +%Y-%m-%d`/qt_instdate=2011-01-30/' -i qtbase/configure
sed --posix "s|QMAKE_CFLAGS = -pipe -fno-keep-inline-dllexport|QMAKE_CFLAGS\t\t= -pipe -fno-keep-inline-dllexport -isystem /usr/$HOST/include/ -frandom-seed=qtbuild -I$DEPSDIR/include|" -i ${SPECFILE}
sed --posix "s|QMAKE_LFLAGS =|QMAKE_LFLAGS\t\t= -L$DEPSDIR/lib|" -i ${SPECFILE}
# Before we tried to pass arguments to ar (static linking) in using QMAKE_LIB, however
# qt removes the arguments for ar and provides a script which makes it impossible to pass the determinism flag -
# so rather than try to replace ar, post-process all libraries and plugins at the end.
#
# Don't load faketime while compiling Qt, qmake will get stuck in nearly infinite loops
#export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1
#export FAKETIME=$REFERENCE_DATETIME
#
# Compile static libraries, and use statically linked openssl (-openssl-linked):
OPENSSL_LIBS="-L$DEPSDIR/lib -lssl -lcrypto -lgdi32" ./configure -prefix $INSTALLPREFIX -bindir $INSTALLPREFIX/host/bin -confirm-license -release -opensource -static -xplatform $SPECNAME -device-option CROSS_COMPILE="$HOST-" -no-audio-backend -no-javascript-jit -no-sql-sqlite -no-sql-odbc -no-nis -no-cups -no-iconv -no-dbus -no-gif -no-opengl -no-compile-examples -no-feature-style-windowsce -no-feature-style-windowsmobile -no-qml-debug -openssl-linked -skip qtsvg -skip qtwebkit -skip qtwebkit-examples -skip qtserialport -skip qtdeclarative -skip qtmultimedia -skip qtimageformats -skip qtlocation -skip qtsensors -skip qtquick1 -skip qtquickcontrols -skip qtactiveqt -skip qtconnectivity -skip qtwinextras -skip qtxmlpatterns -skip qtscript -skip qtdoc -system-libpng -system-zlib
make $MAKEOPTS install
# post-process all generated libraries and plugins to be deterministic
# extract them to a temporary directory then re-build them deterministically
for LIB in $(find $INSTALLPREFIX -name *.a); do
rm -rf $TEMPDIR && mkdir $TEMPDIR && cd $TEMPDIR
$HOST-ar xv $LIB | cut -b5- > /tmp/list.txt
rm $LIB
$HOST-ar crsD $LIB $(cat /tmp/list.txt)
done
#
cd $INSTALLPREFIX
# Remove unused non-deterministic stuff
rm host/bin/qtpaths.exe lib/libQt5Bootstrap.a lib/libQt5Bootstrap.la
# as zip stores file timestamps, use faketime to intercept stat calls to set dates for all files to reference date
export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1
export FAKETIME=$REFERENCE_DATETIME
find -print0 | xargs -r0 touch # fix up timestamps before packaging
find | sort | zip -X@ $OUTDIR/qt-win${BITS}-5.2.0-gitian-r3.zip
unset LD_PRELOAD
unset FAKETIME
done # for BITS in