From 8c34f54f74abb15a4662b045bf68a7142cd5d13b Mon Sep 17 00:00:00 2001 From: Maxim Baz Date: Sun, 15 Mar 2020 16:27:32 +0100 Subject: [PATCH 1/3] Update build script to use GOFLAGS and CGO_LDFLAGS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This change makes use of GOFLAGS to simplify compiling with PIE, respecting LDFLAGS and trimming local paths to support reproducible builds. Relevant: https://lists.archlinux.org/pipermail/arch-dev-public/2020-March/029898.html Since you are already providing a source tarball that includes vendor dependencies (👍), all dependency-related items in the email do not apply to you: * -mod=vendor is used by default in Go 1.14 * -modcacherw is only needed if our build system was fetching vendor dependencies itself Tested by applying this patch on top of 1.7.1 release archive that contains vendor folder. --- build.bash | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/build.bash b/build.bash index 7a5ac6f2..b02e6c98 100755 --- a/build.bash +++ b/build.bash @@ -67,31 +67,15 @@ if [[ -n ${SOURCE_DATE_EPOCH:-} ]] ; then BUILDDATE=$(date --utc --date="@${SOURCE_DATE_EPOCH}" +%Y-%m-%d) fi -# For reproducible builds, we get rid of $HOME references in the binary -# using "-trimpath". -# Note: we have to set both -gcflags and -asmflags because otherwise -# "$HOME/go/src/golang.org/x/sys/unix/asm_linux_amd64.s" stays in the binary. -GV=$(go version) -if [[ $GV == *"1.7"* ]] || [[ $GV == *"1.8"* ]] || [[ $GV == *"1.9"* ]] ; then - TRIM="-trimpath=${GOPATH1}/src" -else - # Go 1.10 changed the syntax. You now have to prefix "all=" to affect - # all compiled packages. - TRIM="all=-trimpath=${GOPATH1}/src" -fi - +export GOFLAGS="-buildmode=pie -trimpath" +export CGO_LDFLAGS="$LDFLAGS" GO_LDFLAGS="-X main.GitVersion=$GITVERSION -X main.GitVersionFuse=$GITVERSIONFUSE -X main.BuildDate=$BUILDDATE" -# If LDFLAGS is set, add it as "-extldflags". -if [[ -n ${LDFLAGS:-} ]] ; then - GO_LDFLAGS="$GO_LDFLAGS \"-extldflags=$LDFLAGS\"" -fi - # Actual "go build" call for gocryptfs -go build "-ldflags=$GO_LDFLAGS" "-gcflags=$TRIM" "-asmflags=$TRIM" "$@" +go build "-ldflags=$GO_LDFLAGS" "$@" # Additional binaries -(cd gocryptfs-xray; go build "-ldflags=$GO_LDFLAGS" "-gcflags=$TRIM" "-asmflags=$TRIM" "$@") -(cd contrib/statfs; go build "-ldflags=$GO_LDFLAGS" "-gcflags=$TRIM" "-asmflags=$TRIM" "$@") +(cd gocryptfs-xray; go build "-ldflags=$GO_LDFLAGS" "$@") +(cd contrib/statfs; go build "-ldflags=$GO_LDFLAGS" "$@") ./gocryptfs -version From a29b6f5468a18b9466a1fe8d886016f56bfc3e34 Mon Sep 17 00:00:00 2001 From: Maxim Baz Date: Sun, 15 Mar 2020 16:42:07 +0100 Subject: [PATCH 2/3] Allow to override default values from outside, if necessary --- build.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.bash b/build.bash index b02e6c98..71a79374 100755 --- a/build.bash +++ b/build.bash @@ -67,8 +67,8 @@ if [[ -n ${SOURCE_DATE_EPOCH:-} ]] ; then BUILDDATE=$(date --utc --date="@${SOURCE_DATE_EPOCH}" +%Y-%m-%d) fi -export GOFLAGS="-buildmode=pie -trimpath" -export CGO_LDFLAGS="$LDFLAGS" +export GOFLAGS="${GOFLAGS:--buildmode=pie -trimpath}" +export CGO_LDFLAGS="${CGO_LDFLAGS:-$LDFLAGS}" GO_LDFLAGS="-X main.GitVersion=$GITVERSION -X main.GitVersionFuse=$GITVERSIONFUSE -X main.BuildDate=$BUILDDATE" # Actual "go build" call for gocryptfs From f195449f5d62d7203141fcbc5dceb4fc1bb1e8df Mon Sep 17 00:00:00 2001 From: Maxim Baz Date: Sun, 15 Mar 2020 16:43:42 +0100 Subject: [PATCH 3/3] Fix when LDFLAGS is unbound --- build.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.bash b/build.bash index 71a79374..8a951d83 100755 --- a/build.bash +++ b/build.bash @@ -68,7 +68,7 @@ if [[ -n ${SOURCE_DATE_EPOCH:-} ]] ; then fi export GOFLAGS="${GOFLAGS:--buildmode=pie -trimpath}" -export CGO_LDFLAGS="${CGO_LDFLAGS:-$LDFLAGS}" +export CGO_LDFLAGS="${CGO_LDFLAGS:-${LDFLAGS:-}}" GO_LDFLAGS="-X main.GitVersion=$GITVERSION -X main.GitVersionFuse=$GITVERSIONFUSE -X main.BuildDate=$BUILDDATE" # Actual "go build" call for gocryptfs