Merge pull request #3 from obsidiansystems/master

2.0.0

.gitignore

@@ -1,6 +1,6 @@
 bin
 debug
-dep
+/dep
 obj
 src/u2f_crypto_data.h
 src/glyphs.h

CONTRIBUTING.md

@@ -0,0 +1,21 @@
+# Contributing
+
+## Hacking with [Nix](https://nixos.org/nix/)
+
+The `nix/` folder contains helper scripts for working with the ledger via Nix.
+
+### Developing
+Use `nix/env.sh` to enter a shell where you can run `make` and it will just work. You can also pass a command instead, e.g. `nix/env.sh make clean`.
+
+For development, use `nix/watch.sh make APP=<tezos_baking|tezos_wallet>` to incrementally build on every change. Be sure to `nix/env.sh make clean` if you start watching a different `APP`.
+
+### Building
+To do a full Nix build run `nix/build.sh`. You can pass `nix-build` arguments to this to build specific attributes, e.g. `nix/build.sh -A wallet`.
+
+### Installing
+`nix/install.sh` will install both the wallet and baking apps. Use `nix/install.sh baking` to install just the baking app or `nix/install.sh wallet` to install just the wallet.
+
+
+### Releasing
+
+`nix/build -A release.all`

Makefile

@@ -30,23 +30,38 @@ else ifeq ($(APP),tezos_wallet)
 APPNAME = "Tezos Wallet"
 endif
 APP_LOAD_PARAMS=--appFlags 0 --curve ed25519 --curve secp256k1 --curve prime256r1 --path "44'/1729'" $(COMMON_LOAD_PARAMS)
-VERSION_TAG=$(shell git describe --tags | cut -f1 -d-)
-APPVERSION_M=1
-APPVERSION_N=5
+VERSION_TAG ?= $(shell git describe --tags 2>/dev/null | cut -f1 -d-)
+APPVERSION_M=2
+APPVERSION_N=0
 APPVERSION_P=0
 APPVERSION=$(APPVERSION_M).$(APPVERSION_N).$(APPVERSION_P)
 
-ifneq (v$(APPVERSION), $(VERSION_TAG))
+# Only warn about version tags if specified/inferred
+ifeq ($(VERSION_TAG),)
+  $(warning VERSION_TAG not checked)
+else
+  ifneq (v$(APPVERSION), $(VERSION_TAG))
     $(warning "Version-Tag Mismatch: v$(APPVERSION) version and $(VERSION_TAG) tag")
+  endif
 endif
 
-COMMIT := $(shell git describe --abbrev=8 --always)
+COMMIT ?= $(shell git describe --tags --abbrev=8 --always --long --dirty 2>/dev/null)
+ifeq ($(COMMIT),)
+  $(error COMMIT not specified and could not be determined with git)
+endif
 
 ICONNAME=icon.gif
+
 ################
 # Default rule #
 ################
-all: default
+all: show-app default
+
+
+.PHONY: show-app
+show-app:
+	@echo ">>>>> Building $(APP) at commit $(COMMIT)"
+
 
 ############
 # Platform #

default.nix

@@ -0,0 +1,82 @@
+{ pkgs ? import nix/nixpkgs.nix {}, commit, ... }:
+let
+
+  fetchThunk = p:
+    if builtins.pathExists (p + /git.json)
+      then pkgs.fetchgit { inherit (builtins.fromJSON (builtins.readFile (p + /git.json))) url rev sha256; }
+    else if builtins.pathExists (p + /github.json)
+      then pkgs.fetchFromGitHub { inherit (builtins.fromJSON (builtins.readFile (p + /github.json))) owner repo rev sha256; }
+    else p;
+
+  fhs = pkgs.callPackage nix/fhs.nix {};
+  bolosEnv = pkgs.callPackage nix/bolos-env.nix {};
+  bolosSdk = fetchThunk nix/dep/nanos-secure-sdk;
+  src = pkgs.lib.sources.sourceFilesBySuffices (pkgs.lib.sources.cleanSource ./.) [".c" ".h" ".gif" "Makefile"];
+
+  app = bakingApp: pkgs.runCommand "ledger-app-tezos-${if bakingApp then "baking" else "wallet"}" {} ''
+    set -Eeuo pipefail
+
+    cp -a '${src}'/* .
+    chmod -R u+w .
+
+    '${fhs}/bin/enter-fhs' <<EOF
+    set -Eeuxo pipefail
+    export BOLOS_SDK='${bolosSdk}'
+    export BOLOS_ENV='${bolosEnv}'
+    export APP='${if bakingApp then "tezos_baking" else "tezos_wallet"}'
+    export COMMIT='${commit}'
+    make clean
+    make all
+    EOF
+
+    mkdir -p "$out"
+    cp -R bin "$out"
+    cp -R debug "$out"
+
+    echo
+    echo ">>>> Application size: <<<<"
+    '${pkgs.binutils-unwrapped}/bin/size' "$out/bin/app.elf"
+  '';
+
+  mkRelease = short_name: name: appDir: pkgs.runCommand "${short_name}-release-dir" {} ''
+    mkdir -p "$out"
+
+    cp '${appDir + /bin/app.hex}' "$out/app.hex"
+
+    cat > "$out/app.manifest" <<EOF
+    name='${name}'
+    nvram_size=$(grep _nvram_data_size '${appDir + /debug/app.map}' | tr -s ' ' | cut -f2 -d' ')
+    target_id=0x31100004
+    version=$(echo '${commit}' | cut -f1 -d- | cut -f2 -dv)
+    EOF
+
+    cp '${dist/icon.hex}' "$out/icon.hex"
+  '';
+
+  walletApp = app false;
+  bakingApp = app true;
+in {
+  wallet = walletApp;
+  baking = bakingApp;
+
+  release = rec {
+    wallet = mkRelease "wallet" "Tezos Wallet" walletApp;
+    baking = mkRelease "baking" "Tezos Baking" bakingApp;
+    all = pkgs.runCommand "release.tar.gz" {} ''
+      cp -r '${wallet}' wallet
+      cp -r '${baking}' baking
+      cp '${./release-installer.sh}' install.sh
+      chmod +x install.sh
+      tar czf "$out" install.sh wallet baking
+    '';
+  };
+
+  # Script that places you in the environment to run `make`, etc.
+  env-shell = pkgs.writeScriptBin "env-shell" ''
+    #!${pkgs.stdenv.shell}
+    export BOLOS_SDK='${bolosSdk}'
+    export BOLOS_ENV='${bolosEnv}'
+    export COMMIT='${commit}'
+    exec '${fhs}/bin/enter-fhs'
+  '';
+}

install.sh

@@ -1,37 +1,37 @@
-#!/bin/sh
-set -eux
+#!/usr/bin/env bash
+set -Eeuo pipefail
 
-rootdir="$(cd "$(dirname "$0")"/; pwd)"
+root="$(git rev-parse --show-toplevel)"
 
 app_name=Tezos
 if [ "${1:-}X" != X ]; then
     app_name="$1"
 fi
 
-app_file=$rootdir/bin/app.hex
+app_dir="$root"
 if [ "${2:-}X" != X ]; then
-    app_file="$2"
+    app_dir="$2"
 fi
 
 if [ "${3:-}X" = X ]; then
-    version="$(git -C "$rootdir" describe --tags | cut -f1 -d- | cut -f2 -dv)"
+    version="$(git -C "$root" describe --tags | cut -f1 -d- | cut -f2 -dv)"
 else
     version="$3"
 fi
 
 set -x
 python -m ledgerblue.loadApp \
     --appFlags 0x00 \
-    --dataSize 0x80 \
+    --dataSize "$(grep _nvram_data_size "$app_dir/debug/app.map" | tr -s ' ' | cut -f2 -d' ')" \
     --tlv \
     --curve ed25519 \
     --curve secp256k1 \
     --curve prime256r1 \
     --targetId "${TARGET_ID:-0x31100004}" \
     --delete \
     --path 44"'"/1729"'" \
-    --fileName "$app_file" \
+    --fileName "$app_dir/bin/app.hex" \
     --appName "$app_name" \
     --appVersion "$version" \
-    --icon "$(cat "$rootdir/dist/icon.hex")" \
+    --icon "$(cat "$root/dist/icon.hex")" \
     --targetVersion ""

nix/bolos-env.nix

@@ -0,0 +1,25 @@
+{ pkgs, ... }:
+let
+  requireCurl = { url, sha256 }: pkgs.lib.overrideDerivation
+    (pkgs.requireFile { inherit url sha256; })
+    (attrs: {
+       builder = pkgs.writeScript "get-the-thing" ''
+        #!${pkgs.stdenv.shell}
+        '${pkgs.curl}/bin/curl' --cacert '${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt' --url '${url}' -o "$out"
+       '';
+     });
+  clang = requireCurl {
+    url = http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.10.tar.xz;
+    sha256 = "0j0kc73xvm2dl84f7gd2kh6a8nxlr7alk91846m0im77mvm631rv";
+  };
+  gcc = requireCurl {
+    url = https://launchpadlibrarian.net/251687888/gcc-arm-none-eabi-5_3-2016q1-20160330-linux.tar.bz2;
+    sha256 = "08x2sv2mhx3l3adw8kgcvmrs10qav99al410wpl18w19yfq50y11";
+  };
+in pkgs.runCommand "bolos-env" {} ''
+  mkdir -p "$out"
+  mkdir "$out/clang-arm-fropi"
+  tar xavf '${clang}' --strip-components=1 -C "$out/clang-arm-fropi"
+  mkdir "$out/gcc-arm-none-eabi-5_3-2016q1"
+  tar xavf '${gcc}' --strip-components=1 -C "$out/gcc-arm-none-eabi-5_3-2016q1"
+''

nix/build.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# Override package set by passing --arg pkgs
+
+commit=$(git describe --tags --abbrev=8 --always --long --dirty 2>/dev/null)
+echo >&2 "Git commit: $commit"
+exec nix-build --no-out-link --argstr commit "$commit" "$@"

nix/dep/nanos-secure-sdk/default.nix

@@ -0,0 +1,7 @@
+# DO NOT HAND-EDIT THIS FILE
+import ((import <nixpkgs> {}).fetchFromGitHub (
+  let json = builtins.fromJSON (builtins.readFile ./github.json);
+  in { inherit (json) owner repo rev sha256;
+       private = json.private or false;
+     }
+))

nix/dep/nanos-secure-sdk/github.json

@@ -0,0 +1,7 @@
+{
+  "owner": "LedgerHQ",
+  "repo": "nanos-secure-sdk",
+  "branch": "master",
+  "rev": "f9e1c7b8904df2eee0ae7e603f552b876c169334",
+  "sha256": "1wzra32zkqw521a5cmvqsblpkbkfzgx2pbngqpymcgf8db20p50i"
+}

nix/env.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+commit=$(git describe --tags --abbrev=8 --always --long --dirty 2>/dev/null)
+echo >&2 "Git commit: $commit"
+shell_dir="$(nix-build -A env-shell --no-out-link --argstr commit "$commit" "${NIX_BUILD_ARGS:-}")"
+shell="$shell_dir/bin/env-shell"
+
+if [ $# -eq 0 ]; then
+  echo >&2 "Entering via $shell"
+  exec "$shell"
+else
+  exec "$shell" <<EOF
+    $@
+EOF
+fi

nix/fhs.nix

@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+let
+  libtinfo5 = pkgs.runCommand "libtinfo5" {} ''
+    mkdir -p "$out/lib"
+    ln -s '${pkgs.ncurses5}/lib/libncursesw.so.5' "$out/lib/libtinfo.so.5"
+  '';
+in pkgs.buildFHSUserEnv {
+  name = "enter-fhs";
+
+  # TODO: Reduce this set to the minimal set
+  targetPkgs = pkgs: with pkgs; [
+    alsaLib atk cairo cups dbus expat file fontconfig freetype gdb git glib
+    libnotify libxml2 libxslt
+    netcat nspr nss strace udev watch wget which xorg.libX11
+    xorg.libXScrnSaver xorg.libXcomposite xorg.libXcursor xorg.libXdamage
+    xorg.libXext xorg.libXfixes xorg.libXi xorg.libXrandr xorg.libXrender
+    xorg.libXtst xorg.libxcb xorg.xcbutilkeysyms zlib zsh
+    gnumake libtinfo5 glibc_multi.dev (python2.withPackages (ps: [ps.pillow]))
+  ];
+  runScript = "bash"; # "$SHELL";
+}

nix/install.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+root="$(git rev-parse --show-toplevel)"
+
+install() {
+  local release_file
+  release_file=$("$root/nix/build.sh" -A "release.$1")
+  bash "$root/release-installer.sh" "$release_file"
+}
+
+export root
+export -f install
+
+nix-shell "$root/nix/ledgerblue.nix" -A shell --run "$(cat <<EOF
+set -Eeuo pipefail
+if [ $# -eq 0 ]; then
+  install wallet
+  install baking
+else
+  install "${1:-}"
+fi
+EOF
+)"

nix/ledgerblue.nix

@@ -0,0 +1,7 @@
+{ pkgs ? import ../nix/nixpkgs.nix {}, ... }:
+rec {
+  withLedgerblue = (pkgs.python36.withPackages (ps: with ps; [
+    ecpy hidapi pycrypto python-u2flib-host requests ledgerblue pillow pkgs.hidapi protobuf
+  ]));
+  shell = withLedgerblue.env;
+}

nix/nixpkgs.nix

@@ -0,0 +1,10 @@
+# To bump:
+#   1. Select channel from: http://howoldis.herokuapp.com/
+#   2. Copy the URL to a `nixexprs.tar.xz` file. It should include hashes (i.e. not be a redirect).
+#   3. Run `nix-prefetch-url --unpack <url>` to get the SHA256 hash of the contents.*
+#   4. Update the URL and SHA256 values below.
+
+import (builtins.fetchTarball {
+  url = "https://releases.nixos.org/nixpkgs/nixpkgs-19.03pre167327.11cf7d6e1ff/nixexprs.tar.xz";
+  sha256 = "0y0fs0j6pb9p9hzv1zagcavvpv50z2anqnbri6kq5iy1j4yqaric";
+})

nix/watch.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -uo pipefail
+
+root="$(git rev-parse --show-toplevel)"
+
+fail() { unset ___empty; : "${___empty:?$1}"; }
+
+[ -z "${1:-}" ] && fail "No command given; try running $0 make"
+
+watchdirs=("$root/default.nix" "$root/nix" "$root/Makefile" "$root/src")
+
+inotifywait="$(nix-build '<nixpkgs>' -A inotify-tools --no-out-link)/bin/inotifywait"
+while true; do
+  "$root/nix/env.sh" <<EOF
+    $@
+EOF
+  if ! "$inotifywait" -qre close_write "${watchdirs[@]}"; then
+    fail "inotifywait failed"
+  fi
+  echo "----------------------"
+  echo
+done