From 515021aa043287d239e89f4c7e419719fd0c5f26 Mon Sep 17 00:00:00 2001 From: Axel Gembe Date: Fri, 22 Mar 2024 19:00:22 +0700 Subject: [PATCH] build: Fix AppImage reproducibility by using rusts trim-paths This also uses a patched version of cryptography that passes `-fmacro-prefix-map` to the compiler. fixes #2807
---
 contrib/build-linux/appimage/Dockerfile_ub2004 | 7 +++++++
 contrib/build-linux/appimage/_build.sh | 4 +++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/contrib/build-linux/appimage/Dockerfile_ub2004 b/contrib/build-linux/appimage/Dockerfile_ub2004
index e43659ce51df..03ffe568aff6 100755
--- a/contrib/build-linux/appimage/Dockerfile_ub2004
+++ b/contrib/build-linux/appimage/Dockerfile_ub2004
@@ -62,3 +62,10 @@ RUN echo deb ${UBUNTU_MIRROR} ${UBUNTU_DIST} main restricted universe multiverse
 rm -rf /var/lib/apt/lists/* && \
 apt-get autoremove -y && \
 apt-get clean
+
+# This is to enable nightly features in the release configuration
+ENV RUSTC_BOOTSTRAP=1
+# Enable trim-paths feature in cargo 1.75+ to make sure pip paths
+# do not end up in binaries making them not reproducible
+ENV CARGO_TRIM_PATHS=all
+ENV CARGO_UNSTABLE_TRIM_PATHS=true
diff --git a/contrib/build-linux/appimage/_build.sh b/contrib/build-linux/appimage/_build.sh
index 1dca4ed2a47d..92c8a2d61e71 100755
--- a/contrib/build-linux/appimage/_build.sh
+++ b/contrib/build-linux/appimage/_build.sh
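Review bot: `ENV RUSTC_BOOTSTRAP=1` is set image-wide, so every Rust crate compiled in this container, including build scripts of third-party dependencies that pip builds from source, may use unstable compiler features, not only the crate that needs trim-paths. Unstable features carry no stability guarantee, so the reproducibility this change is after holds only for the exact toolchain version in the image; the hunk does not show where that version is pinned, and a comment such as `# nightly features are unstable: re-verify reproducibility whenever the Rust toolchain version changes` would record that, or the variable could be set only on the cryptography install in _build.sh. Separately, I could not match `CARGO_TRIM_PATHS` to a Cargo configuration key; profile settings are normally passed as `CARGO_PROFILE_<NAME>_<KEY>`, so it is worth confirming that this line has an effect.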
@@ -125,9 +125,11 @@ mkdir -p "$CACHEDIR/pip_cache"
 CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --cache-dir "$CACHEDIR/pip_cache" -r "$CONTRIB/deterministic-build/requirements-pip.txt"
 CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --cache-dir "$CACHEDIR/pip_cache" -r "$CONTRIB/deterministic-build/requirements-build-appimage.txt"
 CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --cache-dir "$CACHEDIR/pip_cache" -r "$CONTRIB/deterministic-build/requirements.txt"
-CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --only-binary PyQt5,PyQt5-Qt5 --cache-dir "$CACHEDIR/pip_cache" -r <(filter_deps /zxing-cpp/ < "$CONTRIB/deterministic-build/requirements-binaries.txt")
+CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --only-binary PyQt5,PyQt5-Qt5 --cache-dir "$CACHEDIR/pip_cache" -r <(filter_deps /zxing-cpp/ < "$CONTRIB/deterministic-build/requirements-binaries.txt" | filter_deps /cryptography/)
 # zxing-cpp 2.2.1 with patch for reproducible build, see https://github.com/zxing-cpp/zxing-cpp/pull/730
 CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --only-binary cmake --cache-dir "$CACHEDIR/pip_cache" git+https://github.com/EchterAgo/zxing-cpp.git@3ac618250672db83e7a37b4e43fe6f72b88756d4#subdirectory=wrappers/python
+# cryptography 42.0.5 with patch for reproducible build, see https://github.com/pyca/cryptography/pull/10627
+CFLAGS="-g0" "$python" -m pip install --no-deps --no-warn-script-location --no-binary :all: --only-binary cmake --cache-dir "$CACHEDIR/pip_cache" git+https://github.com/pyca/cryptography.git@857d6b1d2fb1b93251a89ca3534e2a28b32c4950
 # Temporary fix for hidapi incompatibility with Cython 3
 # See https://github.com/trezor/cython-hidapi/issues/155
 # We use PIP_CONSTRAINT as an environment variable
instead of command line flag because it gets passed to subprocesses
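Review bot: The added install of cryptography from `git+https://github.com/pyca/cryptography.git@857d6b1d2fb1b93251a89ca3534e2a28b32c4950` takes the package out of `requirements-binaries.txt`, so version bumps and any hash checking done through that file no longer cover it, and later upstream security releases will not arrive with a requirements refresh. The full commit id is a sound pin, but the line needs an exit condition next to it, for example `# TODO: remove this line and the /cryptography/ filter once a release containing pyca/cryptography#10627 is pinned in requirements-binaries.txt`. The comment says 42.0.5, while the hunk alone cannot show whether that commit is the 42.0.5 tag plus the patch or a later development state, so stating the base tag would help auditors. `--only-binary cmake` looks carried over from the zxing-cpp line and may not be needed here. `filter_deps` is defined outside the hunk, so whether `/cryptography/` can also match other requirement lines cannot be checked from here.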