OpenSSL (libcrypto): patch so that crypto/buildinfo.h generated by perl script contains reproducible date and fake compiler_flags

hardcode VERSION='reproducible_build' into generated configure script to get rid of generate random git abbrev 8/12 chars (could not find source) patches/openssl-3.0.8.patch: clean up tpm2-tools/tpm2-tss: hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch Will be clened up in other commits. Leaving here as trace for autotools sed patching for reproducible builds. CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds TODO: change other patches a well and generalize to gpg toolstack, removing patches that are a maintainership burden. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-18 20:47:55 +00:00 · 2024-03-27 16:14:31 -04:00 · 2024-03-27 16:14:31 -04:00 · d7915e1639
commit d7915e1639
parent 18e7be8ab7
4 changed files with 71 additions and 8 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -45,6 +45,7 @@ jobs:
    docker:
      - image: debian:11
    resource_class: large
+    working_directory: ~/heads
    steps:
      - run:
          name: Install dependencies
@ -53,7 +54,6 @@ jobs:
            apt update
            apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo imagemagick libncurses5-dev
      - checkout
-
      - run:
          name: git reset
          command: |
@ -120,6 +120,7 @@ jobs:
    docker:
      - image: debian:11
    resource_class: large
+    working_directory: ~/heads
    parameters:
      arch:
        type: string
@ -138,15 +139,16 @@ jobs:
      - persist_to_workspace:
          root: ~/
          paths:
-            - project/packages/<<parameters.arch>>
-            - project/build/<<parameters.arch>>
-            - project/crossgcc/<<parameters.arch>>
-            - project/install/<<parameters.arch>>
+            - heads/packages/<<parameters.arch>>
+            - heads/build/<<parameters.arch>>
+            - heads/crossgcc/<<parameters.arch>>
+            - heads/install/<<parameters.arch>>

  build:
    docker:
      - image: debian:11
    resource_class: large
+    working_directory: ~/heads
    parameters:
      arch:
        type: string
@ -167,6 +169,7 @@ jobs:
    docker:
      - image: debian:11
    resource_class: large
+    working_directory: ~/heads
    steps:
      - attach_workspace:
          at: ~/
@ -236,13 +239,12 @@ workflows:
      # since kernel is 6.x and coreboot is git is unshared
      # We use nitropad's coreboot's fork crossgcc
      # No need to wait further for other board's cache.
-      # We reuse built modules from x230-hotp-maximized cache only
      - build_and_persist:
          name: nitropad-nv41
          target: nitropad-nv41
          subcommand: ""
          requires:
-            - x230-hotp-maximized
+            - prep_env

      # coreboot-git Talos II (PPC)
      - build_and_persist:
@ -527,3 +529,4 @@ workflows:
 #          path: build/UNMAINTAINED_qemu-linuxboot/linuxboot.rom
 #      - store-artifacts:
 #          path: build/UNMAINTAINED_qemu-linuxboot/hashes.txt
+
--- a/modules/tpm2-tools
+++ b/modules/tpm2-tools
@ -18,7 +18,18 @@ tpm2-tools_url := https://github.com/tpm2-software/tpm2-tools/releases/download/
 tpm2-tools_hash := c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630

 # we have ESYS 3.0, but it doesn't figure that out on its own
-tpm2-tools_configure := ./bootstrap && ./configure \
+tpm2-tools_configure := \
+	./bootstrap \
+	&& sed -i 's/hardcode_direct=yes/hardcode_direct=no/g' configure \
+	&& sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \
+	&& sed -i 's/hardcode_minus_L=yes/hardcode_minus_L=no/g' configure \
+	&& sed -i 's/hardcode_automatic=yes/hardcode_automatic=no/g' configure \
+	&& sed -i 's/hardcode_runpath_var=yes/hardcode_runpath_var=no/g' configure \
+	&& sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure \
+	&& sed -i 's/hardcode_direct_absolute=yes/hardcode_direct_absolute=no/g' configure \
+	&& sed -i 's/inherit_rpath=yes/inherit_rpath=no/g' configure \
+	&& sed -i "s/VERSION='.*'/VERSION='reproducible_build'/g" configure \
+	&& ./configure \
 	$(CROSS_TOOLS) \
 	--host $(MUSL_ARCH)-elf-linux \
 	--prefix "/" \
--- a/modules/tpm2-tss
+++ b/modules/tpm2-tss
@ -8,6 +8,20 @@ tpm2-tss_url := https://github.com/tpm2-software/tpm2-tss/releases/download/$(tp
 tpm2-tss_hash := 48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912

 tpm2-tss_configure := aclocal && automake --add-missing && autoreconf -fi \
+	&& sed -i 's/hardcode_direct=yes/hardcode_direct=no/g' configure \
+	&& sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \
+	&& sed -i 's/hardcode_minus_L=yes/hardcode_minus_L=no/g' configure \
+	&& sed -i 's/hardcode_direct_absolute=yes/hardcode_direct_absolute=no/g' configure \
+	&& sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure \
+	&& sed -i 's/hardcode_libdir_flag_spec_CXX=.*/hardcode_libdir_flag_spec_CXX=" "/' configure \
+	&& sed -i 's/hardcode_automatic=yes/hardcode_automatic=no/g' configure \
+	&& sed -i 's/hardcode_runpath_var=yes/hardcode_runpath_var=no/g' configure \
+	&& sed -i 's/hardcode_direct_CXX=yes/hardcode_direct_CXX=no/g' configure \
+	&& sed -i 's/hardcode_direct_absolute_CXX=yes/hardcode_direct_absolute_CXX=no/g' configure \
+	&& sed -i 's/hardcode_minus_L_CXX=yes/hardcode_minus_L_CXX=no/g' configure \
+	&& sed -i 's/hardcode_automatic_CXX=yes/hardcode_automatic_CXX=no/g' configure \
+	&& sed -i 's/inherit_rpath=yes/inherit_rpath=no/g' configure \
+	&& sed -i 's/inherit_rpath_CXX=yes/inherit_rpath_CXX=no/g' configure \
 	&& ./configure \
 	$(CROSS_TOOLS) \
 	--host $(MUSL_ARCH)-elf-linux \
--- a/patches/openssl-3.0.8.patch
+++ b/patches/openssl-3.0.8.patch
@ -0,0 +1,35 @@
+--- ./util/mkbuildinf.pl.orig   2023-02-07 08:43:33.000000000 -0500
+++ ./util/mkbuildinf.pl	2024-03-27 14:36:49.974651246 -0400
+@@ -12,7 +12,7 @@
+ my ($cflags, $platform) = @ARGV;
+ $cflags = "compiler: $cflags";
+ 
+-my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || time()) . " UTC";
+my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || '0') . " UTC";
+ 
+ print <<"END_OUTPUT";
+ /*
+@@ -36,21 +36,7 @@
+  * literal
+  */
+ static const char compiler_flags[] = {
+-END_OUTPUT
+-
+-my $ctr = 0;
+-foreach my $c (split //, $cflags) {
+-    $c =~ s|([\\'])|\\$1|;
+-    # Max 16 characters per line
+-    if  (($ctr++ % 16) == 0) {
+-        if ($ctr != 1) {
+-            print "\n";
+-        }
+-        print "    ";
+-    }
+-    print "'$c',";
+-}
+-print <<"END_OUTPUT";
+-'\\0'
+    'r','e','p','r','o','d','u','c','i','b','l','e',' ','b','u','i',
+    'l','d','\\0'
+ };
+ END_OUTPUT