CMake modifying installed binary causing verification fail

[DL6ER]

Note

This does not affect binaries built on the CI, only binaries built locally

When running ./build.sh in a local repository, we get a local binary where ./pihole-FTL verify works as expected. However, when running /.build.sh install, any call to pihole-FTL verify will actually fail.

Furthermore, we observe this in /var/log/pihole/FTL.log:

2024-10-27 10:10:45.636 CET [3305335M] CRIT: Corrupt binary detected - this may lead to unexpected behaviour!

Preliminary investigation results are that CMake modifies the binary post-build (i.e., post checksum-generation) which subsequently leads to a hash mismatch and - entirely correctly - emitting the critical error above. This is a new issue after recently upgrading my Pi-hole from Ubuntu 22.04 LTS to 24.04 LTS so it is probably caused by a more recent CMake version being used.

When directly comparing the local and the installed file, we get a few differences:

sudo ./build.sh install
hexdump -C cmake/pihole-FTL > local.hex
hexdump -C $(which pihole-FTL) > global.hex
diff local.hex global.hex

10673,10674c10673,10674
< 00029b00  32 2e 32 39 00 2f 75 73  72 2f 6c 6f 63 61 6c 2f  |2.29./usr/local/|
< 00029b10  6c 69 62 36 34 3a 00 00  00 00 02 00 03 00 04 00  |lib64:..........|
---
> 00029b00  32 2e 32 39 00 00 00 00  00 00 00 00 00 00 00 00  |2.29............|
> 00029b10  00 00 00 00 00 00 00 00  00 00 02 00 03 00 04 00  |................|
398491,398517c398491,398516
< 0061a270  1d 00 00 00 00 00 00 00  65 02 01 00 00 00 00 00  |........e.......|
< 0061a280  0c 00 00 00 00 00 00 00  00 f0 04 00 00 00 00 00  |................|
< 0061a290  0d 00 00 00 00 00 00 00  a4 c5 3a 00 00 00 00 00  |..........:.....|
< 0061a2a0  19 00 00 00 00 00 00 00  50 be 60 00 00 00 00 00  |........P.`.....|
< 0061a2b0  1b 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
< 0061a2c0  1a 00 00 00 00 00 00 00  58 be 60 00 00 00 00 00  |........X.`.....|
< 0061a2d0  1c 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
< 0061a2e0  f5 fe ff 6f 00 00 00 00  b0 03 00 00 00 00 00 00  |...o............|
< 0061a2f0  05 00 00 00 00 00 00 00  a0 98 01 00 00 00 00 00  |................|
< 0061a300  06 00 00 00 00 00 00 00  18 5b 00 00 00 00 00 00  |.........[......|
< 0061a310  0a 00 00 00 00 00 00 00  77 02 01 00 00 00 00 00  |........w.......|
< 0061a320  0b 00 00 00 00 00 00 00  18 00 00 00 00 00 00 00  |................|
< 0061a330  15 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
< 0061a340  03 00 00 00 00 00 00 00  60 b4 61 00 00 00 00 00  |........`.a.....|
< 0061a350  02 00 00 00 00 00 00 00  30 21 00 00 00 00 00 00  |........0!......|
< 0061a360  14 00 00 00 00 00 00 00  07 00 00 00 00 00 00 00  |................|
< 0061a370  17 00 00 00 00 00 00 00  e0 cb 04 00 00 00 00 00  |................|
< 0061a380  07 00 00 00 00 00 00 00  60 b7 02 00 00 00 00 00  |........`.......|
< 0061a390  08 00 00 00 00 00 00 00  80 14 02 00 00 00 00 00  |................|
< 0061a3a0  09 00 00 00 00 00 00 00  18 00 00 00 00 00 00 00  |................|
< 0061a3b0  1e 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
< 0061a3c0  fb ff ff 6f 00 00 00 00  01 00 00 08 00 00 00 00  |...o............|
< 0061a3d0  fe ff ff 6f 00 00 00 00  90 b5 02 00 00 00 00 00  |...o............|
< 0061a3e0  ff ff ff 6f 00 00 00 00  05 00 00 00 00 00 00 00  |...o............|
< 0061a3f0  f0 ff ff 6f 00 00 00 00  18 9b 02 00 00 00 00 00  |...o............|
< 0061a400  f9 ff ff 6f 00 00 00 00  fe 15 00 00 00 00 00 00  |...o............|
< 0061a410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
---
> 0061a270  0c 00 00 00 00 00 00 00  00 f0 04 00 00 00 00 00  |................|
> 0061a280  0d 00 00 00 00 00 00 00  a4 c5 3a 00 00 00 00 00  |..........:.....|
> 0061a290  19 00 00 00 00 00 00 00  50 be 60 00 00 00 00 00  |........P.`.....|
> 0061a2a0  1b 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
> 0061a2b0  1a 00 00 00 00 00 00 00  58 be 60 00 00 00 00 00  |........X.`.....|
> 0061a2c0  1c 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
> 0061a2d0  f5 fe ff 6f 00 00 00 00  b0 03 00 00 00 00 00 00  |...o............|
> 0061a2e0  05 00 00 00 00 00 00 00  a0 98 01 00 00 00 00 00  |................|
> 0061a2f0  06 00 00 00 00 00 00 00  18 5b 00 00 00 00 00 00  |.........[......|
> 0061a300  0a 00 00 00 00 00 00 00  77 02 01 00 00 00 00 00  |........w.......|
> 0061a310  0b 00 00 00 00 00 00 00  18 00 00 00 00 00 00 00  |................|
> 0061a320  15 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 0061a330  03 00 00 00 00 00 00 00  60 b4 61 00 00 00 00 00  |........`.a.....|
> 0061a340  02 00 00 00 00 00 00 00  30 21 00 00 00 00 00 00  |........0!......|
> 0061a350  14 00 00 00 00 00 00 00  07 00 00 00 00 00 00 00  |................|
> 0061a360  17 00 00 00 00 00 00 00  e0 cb 04 00 00 00 00 00  |................|
> 0061a370  07 00 00 00 00 00 00 00  60 b7 02 00 00 00 00 00  |........`.......|
> 0061a380  08 00 00 00 00 00 00 00  80 14 02 00 00 00 00 00  |................|
> 0061a390  09 00 00 00 00 00 00 00  18 00 00 00 00 00 00 00  |................|
> 0061a3a0  1e 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
> 0061a3b0  fb ff ff 6f 00 00 00 00  01 00 00 08 00 00 00 00  |...o............|
> 0061a3c0  fe ff ff 6f 00 00 00 00  90 b5 02 00 00 00 00 00  |...o............|
> 0061a3d0  ff ff ff 6f 00 00 00 00  05 00 00 00 00 00 00 00  |...o............|
> 0061a3e0  f0 ff ff 6f 00 00 00 00  18 9b 02 00 00 00 00 00  |...o............|
> 0061a3f0  f9 ff ff 6f 00 00 00 00  fe 15 00 00 00 00 00 00  |...o............|
> 0061a400  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

This may be related to the this new output I don't recall having seen before:

[...]
Installing pihole-FTL
-- Install configuration: "RelWithDebInfo"
-- Installing: /usr/bin/pihole-FTL
-- Set non-toolchain portion of runtime path of "/usr/bin/pihole-FTL" to ""    <------------

There is probably a CMake setting to prevent this binary modification but I'm not aware of it. Another solution would be moving the install step into ./build.sh instead of doing it with CMake.

$ cmake --version
cmake version 3.28.3

[yubiuser]

Maybe https://stackoverflow.com/a/32470070

[DL6ER]

Yes, this was already close and I tried that earlier but to no avail. The solution was similar in the end, so we have not been far off but, instead of fiddling around with the RPATH, I found a way to disabled this altogether. We don't need it for FTL.

See PR #2102

[DL6ER]

Fix has been merged