From 042d8b14277150ca79c4ee9068f79bc8257c3947 Mon Sep 17 00:00:00 2001 From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Date: Tue, 19 Apr 2022 08:59:37 -0700 Subject: [PATCH] Build statically-linked sqlcipher for Unix (#334) --- dockerbuild/Dockerfile | 4 +--- element.io/nightly/control.template | 2 +- element.io/release/control.template | 2 +- hak/matrix-seshat/build.ts | 36 +++++++++++++++++++++++------ hak/matrix-seshat/check.ts | 26 ++++++++++----------- hak/matrix-seshat/fetchDeps.ts | 4 +--- 6 files changed, 45 insertions(+), 29 deletions(-) diff --git a/dockerbuild/Dockerfile b/dockerbuild/Dockerfile index 0eca359b8b..0f423c96e9 100644 --- a/dockerbuild/Dockerfile +++ b/dockerbuild/Dockerfile @@ -12,9 +12,7 @@ RUN apt-get -qq update && apt-get -qq dist-upgrade && \ # libsecret-1-dev and libgnome-keyring-dev are required even for prebuild keytar apt-get -qq install --no-install-recommends qtbase5-dev bsdtar build-essential autoconf libssl-dev gcc-multilib g++-multilib lzip rpm python libcurl4 git git-lfs ssh unzip \ libsecret-1-dev libgnome-keyring-dev \ - libopenjp2-tools \ - # Used by Seshat - libsqlcipher-dev && \ + libopenjp2-tools && \ # git-lfs git lfs install && \ apt-get purge -y --auto-remove && rm -rf /var/lib/apt/lists/* diff --git a/element.io/nightly/control.template b/element.io/nightly/control.template index 6873172efa..aa29aa64c1 100644 --- a/element.io/nightly/control.template +++ b/element.io/nightly/control.template @@ -3,7 +3,7 @@ License: Apache-2.0 Vendor: support@element.io Architecture: amd64 Maintainer: support@element.io -Depends: libgtk-3-0, libnotify4, libnss3, libxss1, libxtst6, xdg-utils, libatspi2.0-0, libuuid1, libsecret-1-0, libsqlcipher0 +Depends: libgtk-3-0, libnotify4, libnss3, libxss1, libxtst6, xdg-utils, libatspi2.0-0, libuuid1, libsecret-1-0 Recommends: libappindicator3-1 Section: net Priority: extra 
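Review bot: The apt install list visible in this hunk contains no Tcl package, while the same commit makes `hak/matrix-seshat/check.ts` require `tclsh` on Linux as well. Unless Tcl is installed elsewhere in the image (the rest of the Dockerfile is outside this hunk), the seshat check step would fail in the docker build. If it is missing, add `tcl` next to `libopenjp2-tools` with a comment such as `# tclsh is needed to build the bundled sqlcipher used by Seshat`.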
diff --git a/element.io/release/control.template b/element.io/release/control.template index 5738665c61..697466a0fe 100644 --- a/element.io/release/control.template +++ b/element.io/release/control.template @@ -3,7 +3,7 @@ License: Apache-2.0 Vendor: support@element.io Architecture: amd64 Maintainer: support@element.io -Depends: libgtk-3-0, libnotify4, libnss3, libxss1, libxtst6, xdg-utils, libatspi2.0-0, libuuid1, libsecret-1-0, libsqlcipher0 +Depends: libgtk-3-0, libnotify4, libnss3, libxss1, libxtst6, xdg-utils, libatspi2.0-0, libuuid1, libsecret-1-0 Recommends: libappindicator3-1 Replaces: riot-desktop (<< 1.7.0), riot-web (<< 1.7.0) Breaks: riot-desktop (<< 1.7.0), riot-web (<< 1.7.0) diff --git a/hak/matrix-seshat/build.ts b/hak/matrix-seshat/build.ts index 8d50bb1cc2..1558adafe6 100644 --- a/hak/matrix-seshat/build.ts +++ b/hak/matrix-seshat/build.ts @@ -26,7 +26,7 @@ export default async function(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promi if (hakEnv.isWin()) { await buildOpenSslWin(hakEnv, moduleInfo); await buildSqlCipherWin(hakEnv, moduleInfo); - } else if (hakEnv.isMac()) { + } else { await buildSqlCipherUnix(hakEnv, moduleInfo); } await buildMatrixSeshat(hakEnv, moduleInfo); @@ -179,12 +179,17 @@ async function buildSqlCipherUnix(hakEnv, moduleInfo) { '--prefix=' + moduleInfo.depPrefix + '', '--enable-tempstore=yes', '--enable-shared=no', + '--enable-tcl=no', ]; if (hakEnv.isMac()) { args.push('--with-crypto-lib=commoncrypto'); } + if (hakEnv.isLinux()) { + args.push('--with-pic=yes'); + } + if (!hakEnv.isHost()) { // In the nonsense world of `configure`, it is assumed you are building // a compiler like `gcc`, so the `host` option actually means the target 
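Review bot: In the `buildSqlCipherUnix` hunk, Linux gets `--with-pic=yes` but no `--with-crypto-lib`, so the crypto provider and how it is linked are left to configure's default (presumably OpenSSL's libcrypto, given `libssl-dev` stays in the Dockerfile). A comment above the `isLinux()` branch should say which library is expected and whether it ends up linked statically or dynamically, for example `// Linux: sqlcipher uses the default crypto backend (OpenSSL libcrypto); confirm how it is linked`. If it is a dynamic dependency, the `Depends:` lines in the control templates, which list no libssl package, would need to reflect that. The function body continues outside the hunk, so this may already be handled further down.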
@@ -265,12 +270,29 @@ async function buildMatrixSeshat(hakEnv, moduleInfo) { // it for now: we should confirm how much of this it still actually needs. const env = hakEnv.makeGypEnv(); - if (!hakEnv.isLinux()) { - Object.assign(env, { - SQLCIPHER_STATIC: 1, - SQLCIPHER_LIB_DIR: path.join(moduleInfo.depPrefix, 'lib'), - SQLCIPHER_INCLUDE_DIR: path.join(moduleInfo.depPrefix, 'include'), - }); + Object.assign(env, { + SQLCIPHER_STATIC: 1, + SQLCIPHER_LIB_DIR: path.join(moduleInfo.depPrefix, 'lib'), + SQLCIPHER_INCLUDE_DIR: path.join(moduleInfo.depPrefix, 'include'), + }); + + if (hakEnv.isLinux()) { + // Ensure Element uses the statically-linked seshat build, and prevent other applications + // from attempting to use this one. Detailed explanation: + // + // RUSTFLAGS + // An environment variable containing a list of arguments to pass to rustc. + // -Clink-arg=VALUE + // A rustc argument to pass a single argument to the linker. + // -Wl, + // gcc syntax to pass an argument (from gcc) to the linker (ld). + // -Bsymbolic: + // Prefer local/statically linked symbols over those in the environment. + // Prevent overriding native libraries by LD_PRELOAD etc. + // --exclude-libs ALL + // Prevent symbols from being exported by any archive libraries. + // Reduces output filesize and prevents being dynamically linked against. + env.RUSTFLAGS = '-Clink-arg=-Wl,-Bsymbolic -Clink-arg=-Wl,--exclude-libs,ALL'; } if (hakEnv.isWin()) { diff --git a/hak/matrix-seshat/check.ts b/hak/matrix-seshat/check.ts index d34247f53e..ad6533a56d 100644 --- a/hak/matrix-seshat/check.ts +++ b/hak/matrix-seshat/check.ts 
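Review bot: The assignment `env.RUSTFLAGS = '…'` replaces any `RUSTFLAGS` value already present in `env`, so flags set by the caller or CI would be dropped without notice if `makeGypEnv()` (outside this hunk) copies the process environment. Appending keeps both: `env.RUSTFLAGS = [env.RUSTFLAGS, '-Clink-arg=-Wl,-Bsymbolic', '-Clink-arg=-Wl,--exclude-libs,ALL'].filter(Boolean).join(' ');`. The comment also overstates `-Bsymbolic`, which only binds the module's own references to its own global symbols. A preloaded library can still interpose calls into other libraries, so the line would read better as `// Bind seshat's references to its own bundled symbols, so a preloaded library cannot replace them`. The body of `buildMatrixSeshat` continues outside the hunk.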
@@ -22,21 +22,19 @@ import { DependencyInfo } from '../../scripts/hak/dep'; export default async function(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise { // of course tcl doesn't have a --version - if (!hakEnv.isLinux()) { - await new Promise((resolve, reject) => { - const proc = childProcess.spawn('tclsh', [], { - stdio: ['pipe', 'ignore', 'ignore'], - }); - proc.on('exit', (code) => { - if (code !== 0) { - reject("Can't find tclsh - have you installed TCL?"); - } else { - resolve(); - } - }); - proc.stdin.end(); + await new Promise((resolve, reject) => { + const proc = childProcess.spawn('tclsh', [], { + stdio: ['pipe', 'ignore', 'ignore'], }); - } + proc.on('exit', (code) => { + if (code !== 0) { + reject("Can't find tclsh - have you installed TCL?"); + } else { + resolve(); + } + }); + proc.stdin.end(); + }); const tools = [ ['rustc', '--version'], diff --git a/hak/matrix-seshat/fetchDeps.ts b/hak/matrix-seshat/fetchDeps.ts index a2fcf348b6..1ae1286bcb 100644 --- a/hak/matrix-seshat/fetchDeps.ts +++ b/hak/matrix-seshat/fetchDeps.ts @@ -25,9 +25,7 @@ import HakEnv from '../../scripts/hak/hakEnv'; import { DependencyInfo } from '../../scripts/hak/dep'; export default async function(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise { - if (!hakEnv.isLinux()) { - await getSqlCipher(hakEnv, moduleInfo); - } + await getSqlCipher(hakEnv, moduleInfo); if (hakEnv.isWin()) { await getOpenSsl(hakEnv, moduleInfo);
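Review bot: The `tclsh` probe, which now also runs on Linux, listens only for `exit`, so a missing binary surfaces as an unhandled `error` event from `childProcess.spawn` rather than the intended message. Add `proc.on('error', () => reject(new Error("Can't find tclsh - have you installed TCL?")));` before `proc.stdin.end()`. The existing `reject("Can't find tclsh …")` passes a bare string; wrapping it in `new Error(...)` gives callers a stack trace and a consistent type. The function continues outside the hunk.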
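Review bot: `getSqlCipher` now supplies the SQLCipher source that is compiled into the Linux release binaries, but nothing in this hunk shows the download being pinned or verified. Its body is outside the hunk, so this may already be handled; if not, the fetch should use a fixed version and compare the archive against a known checksum before unpacking. Because the packages no longer depend on the distribution's `libsqlcipher0`, SQLCipher security fixes now arrive only when the bundled version is bumped. That is worth a comment at the call, e.g. `// Statically linked on all platforms: bump the pinned SQLCipher version when upstream ships security fixes`.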