view INSTALL @ 1402:1adf72328b75 tip

Added tag 1.0 for changeset ee807f64e21e
author Andre Heinecke <andre.heinecke@intevation.de>
date Tue, 27 Jan 2015 15:18:32 +0100
parents e18fccc081f1
children
/** @file INSTALL
@brief Installation Instructions
*************************

For Debian based GNU / Linux
============================
Tested development platform: Ubuntu 14.4 amd64.

The following commands build qt5 and polarssl which are dependencies of the Software.
To only build for the amd64 platform omit the i386 instructions.

For build dependencies please refer to the Qt documentation 
( qtbase/src/plugins/platforms/xcb/README ).
Polarssl needs cmake and build-essential.

    export YOURPREFIX=<Prefix of your choice (default /usr)>
    mkdir -p $YOURPREFIX/bin
    export PATH=$YOURPREFIX/bin:$PATH

    curl https://download.qt-project.org/official_releases/qt/5.3/5.3.2/single/qt-everywhere-opensource-src-5.3.2.tar.xz.mirrorlist | grep SHA-256
7f5bf93344cb57bac374ea4a32c8eda87f1357f998f14278e717cf84d0289bf0

    curl -O http://qt-mirror.dannhauer.de/official_releases/qt/5.3/5.3.2/single/qt-everywhere-opensource-src-5.3.2.tar.xz

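    sha256sum qt-everywhere-opensource-src-5.3.2.tar.xz

The printed hash has to match the SHA-256 value taken from the mirrorlist above.
The tarball itself is fetched from a mirror over plain http, so this comparison
is the only integrity check; do not unpack the archive if the values differ.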

    tar -xf qt-everywhere-opensource-src-5.3.2.tar.xz

    cd qt-everywhere-opensource-src-5.3.2/qtbase

Build dependencies have to be installed at this point,
see ../qtbase/src/plugins/platforms/xcb/README

    ./configure --prefix=$YOURPREFIX \
    -opensource \
    -release  -nomake tests  -nomake examples  -confirm-license \
    -static -no-cups -no-nis -no-icu -no-fontconfig -qt-freetype \
    -no-directfb -no-opengl -no-kms -no-eglfs -no-egl -no-openssl -no-glib \
    -qpa xcb -qt-xkbcommon -qt-xcb -no-nis -no-libjpeg -qt-libpng \
    -qt-zlib -no-gif -no-xinput2 && \
    nice make -j`nproc` && \
    make install

If you want to build the localization you need the qt localization tools.
To build them:

    cd .. && \
    cd qttools/src/designer/src/uitools && \
    qmake && \
    nice make -j`nproc` && \
    make install

    cd ../../../linguist && \
    qmake && \
    nice make -j`nproc` &&\
    make install


Polarssl is required for TrustBridge:

    curl -O https://polarssl.org/download/polarssl-1.3.9-gpl.tgz
    sha256sum polarssl-1.3.9-gpl.tgz
    d3605afc28ed4b7d1d9e3142d72e42855e4a23c07c951bbb0299556b02d36755 polarssl-1.3.9-gpl.tgz

    tar -xf polarssl-1.3.9-gpl.tgz
    cd polarssl-1.3.9
    # In 1.3.9 polarssl removed custom C flag inclusion.
    # we need this for -fpic
    patch -p0 << EOF
--- CMakeLists.txt      2014-10-28 12:13:53.566828092 +0100
+++ CMakeLists.txt.orig 2014-10-28 12:13:48.202827991 +0100
@@ -4,7 +4,7 @@
 string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "\${CMAKE_C_COMPILER_ID}")
 
 if(CMAKE_COMPILER_IS_GNUCC)
-  set(CMAKE_C_FLAGS "-Wall -Wextra -W -Wdeclaration-after-statement -Wlogical-op -Wwrite-strings")
+  set(CMAKE_C_FLAGS "\${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wlogical-op -Wwrite-strings")
   set(CMAKE_C_FLAGS_RELEASE "-O2")
   set(CMAKE_C_FLAGS_DEBUG "-g3 -O0")
   set(CMAKE_C_FLAGS_COVERAGE "-g3 -O0 --coverage")
EOF
    # Patch for CVE-2015-1182: zero the newly allocated sequence node
    # in asn1_get_sequence_of() before it is used.
    patch -p1 << EOF
diff --git a/library/asn1parse.c b/library/asn1parse.c
index a3a2b56..e2117bf 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@@ -278,6 +278,8 @@ int asn1_get_sequence_of( unsigned char **p,
             if( cur->next == NULL )
                 return( POLARSSL_ERR_ASN1_MALLOC_FAILED );

+            memset( cur->next, 0, sizeof( asn1_sequence ) );
+
             cur = cur->next;
         }
     }
EOF

    mkdir build
    cd build
    cmake .. -DCMAKE_C_FLAGS=-fpic -DCMAKE_INSTALL_PREFIX=$YOURPREFIX
    make && make test && make install

Trustbridge checkout:
At this point you need a trustbridge checkout, because curl has to be patched
to enable certificate pinning and to force the SSL cipher suites when
using polarssl.

    hg clone https://wald.intevation.org/hg/trustbridge/

Libcurl:

    curl -O http://curl.haxx.se/download/curl-7.38.0.tar.gz
    sha256sum curl-7.38.0.tar.gz
    5661028aa6532882fa228cd23c99ddbb8b87643dbb1a7ea55c068d34a943dff1 curl-7.38.0.tar.gz
    curl -O http://curl.haxx.se/download/curl-7.38.0.tar.gz.asc
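    gpg2 --verify curl-7.38.0.tar.gz.asc

The sha256sum output has to match the hash listed above, and gpg2 has to report
a good signature from a curl release key that you obtained and checked separately.
Both files are downloaded over plain http, so these two checks are what
authenticate the tarball.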

    tar -xf curl-7.38.0.tar.gz
    cd curl-7.38.0/
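    # NOTE: in bash this redirection only works if the pattern matches exactly
    # one file; check that patch reports the curl sources as patched, because
    # the certificate pinning depends on it.
    patch -p1 < ../trustbridge/patches/*.patch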
    mkdir build
    cd build

    ../configure --prefix=$YOURPREFIX \
    --without-nghttp2 --without-libidn --without-winidn --without-libssh2 \
    --without-librtmp --without-libmetalink --without-axtls --without-nss \
    --without-cyassl --without-ssl  --without-gnutls --disable-gopher --disable-smtp \
    --disable-imap --disable-pop3 --disable-tftp --disable-telnet --disable-dict \
    --disable-rtsp --disable-ldaps --disable-ldap --disable-file \
    --disable-ftp --enable-http --enable-shared=no -enable-static=yes \
    --with-polarssl=$YOURPREFIX --without-ca-bundle --without-ca-path \
    --without-zlib
    make && make install

To compile the software you can use plain cmake.
An out of source build is highly suggested.
For build options see CMakeLists.txt

    cd trustbridge
    hg clone https://wald.intevation.org/hg/trustbridge/nss-cmake-static
    mkdir build-linux
    cd build-linux
    cmake .. -DCMAKE_PREFIX_PATH=$YOURPREFIX \
             -DCMAKE_INSTALL_PREFIX=$YOURPREFIX

CLANG
=====
Alternatively you can build trustbridge with CLANG. This is a bit of a hack
and does not use all the hardening flags. Building with CLANG is _NOT_ recommended
but it can be useful for analysis of the code.

As root install the required packages and perform an evil hack that fixes the c++
build with clang on ubuntu:

    apt-get install clang llvm
    ln -s /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19 /usr/lib/x86_64-linux-gnu/libstdc++.so

Now you can build trustbridge as user:

    mkdir build-clang
    cd build-clang
    CC=/usr/bin/clang \
    CXX=/usr/bin/clang++ \
    cmake .. -DCMAKE_PREFIX_PATH=$YOURPREFIX \
    -DUSE_CLANG=TRUE \
    -DCMAKE_VERBOSE_MAKEFILE=TRUE
    make

To run scan build:

    CXX=/usr/share/clang/scan-build/c++-analyzer \
    CC=/usr/share/clang/scan-build/ccc-analyzer \
    cmake .. -DCMAKE_PREFIX_PATH=$YOURPREFIX \
    -DUSE_CLANG=TRUE \
    -DCMAKE_VERBOSE_MAKEFILE=TRUE
    scan-build make

I386
====
Install dependencies (list might be incomplete)

    apt-get install libx32stdc++-4.8-dev libc6:i386 g++-4.8-multilib \
     libxcb1:i386 libxcb1-dev:i386 libx11-xcb1:i386 libx11-xcb-dev:i386 libxcb-keysyms1:i386 \
     libxcb-keysyms1-dev:i386 libxcb-image0:i386 libxcb-image0-dev:i386 \
     libxcb-shm0:i386 libxcb-shm0-dev:i386 libxcb-icccm4:i386 \
     libxcb-icccm4-dev:i386 libxcb-sync-dev:i386 \
     libxcb-render-util0:i386 libxcb-render-util0-dev:i386 \
     libxcb-xfixes0-dev:i386 libxrender-dev:i386 libxcb-shape0-dev:i386 \
     libxcb-randr0-dev:i386 libxcb-glx0-dev:i386 libdbus-1-dev:i386 \
     libsm-dev:i386 libnss3-dev:i386

Create a new directory for qt. As qt has to build in source you need a different
directory:

    mkdir i386
    cd i386
    tar -xf ../qt-everywhere-opensource-src-5.3.2.tar.xz
    cd qt-everywhere-opensource-src-5.3.2/qtbase/
    ./configure --prefix=$YOURPREFIX/i386 \
    -opensource -platform linux-g++-32 \
    -release  -nomake tests  -nomake examples  -confirm-license \
    -static -no-cups -no-nis -no-icu \
    -no-directfb -no-opengl -no-kms -no-eglfs -no-egl -no-openssl -no-glib \
    -system-libpng -qpa xcb -qt-xcb -no-nis -no-libjpeg -no-gif -qt-zlib \
    -no-fontconfig -qt-freetype -qt-libpng -qt-xkbcommon -no-xinput2 \
    && \
    nice make -j`nproc` && \
    make install

Switch back to the polarssl directory:

    cd ../../../polarssl-1.3.9/
    mkdir build-i386
    cd build-i386
    cmake .. -DCMAKE_C_FLAGS="-fpic -m32" -DCMAKE_INSTALL_PREFIX=$YOURPREFIX/i386 \
         -DCMAKE_VERBOSE_MAKEFILE=True \
         -DENABLE_TESTING=FALSE -DENABLE_PROGRAMS=FALSE && \
    nice make -j`nproc` && \
    make install

Change to the curl directory:

    cd ../../curl-7.38.0/
    mkdir build-i386
    cd build-i386
    CFLAGS="-fpic -m32" CPPFLAGS="-fpic -m32" ../configure --prefix=$YOURPREFIX/i386 \
    --without-nghttp2 --without-libidn --without-winidn --without-libssh2 \
    --without-librtmp --without-libmetalink --without-axtls --without-nss \
    --without-cyassl --without-ssl  --without-gnutls --disable-gopher --disable-smtp \
    --disable-imap --disable-pop3 --disable-tftp --disable-telnet --disable-dict \
    --disable-rtsp --disable-ldaps --disable-ldap --disable-file \
    --disable-ftp --enable-http --enable-shared=no -enable-static=yes \
    --with-polarssl=$YOURPREFIX/i386 --without-ca-bundle --without-ca-path \
    --without-zlib
    make && make install

Now for Trustbridge itself:

    cd ../../trustbridge
    mkdir build-i386
    cd build-i386
    cmake .. -DCMAKE_PREFIX_PATH="$YOURPREFIX/i386" \
    -DCMAKE_VERBOSE_MAKEFILE=True \
    -DCMAKE_C_FLAGS=-m32 \
    -DCMAKE_CXX_FLAGS="-m32"

Hiawatha (for Downloader unit test)
===================================
Hiawatha is used in the downloader unit tests to provide a testbench
for the ssl connection. To build it you may need libxslt-dev as additional
dependency.

    curl -O https://www.hiawatha-webserver.org/files/hiawatha-9.7.tar.gz
    sha256sum hiawatha-9.7.tar.gz

e8581336883b7b963f38572f6396f8c47b43e5bedd3147d052fa3652e6c0ed86 hiawatha-9.7.tar.gz

    tar -xf hiawatha-9.7.tar.gz
    cd hiawatha-9.7
    mkdir build
    cd build
    cmake .. -DCMAKE_INSTALL_PREFIX=$YOURPREFIX
    make && make install


Osslsigncode (for binverify unit test)
======================================
Osslsigncode is used to create PKCS#7 embedded signatures for Windows Authenticode.
It is needed for the Windows part of the binverify unit test on the build system.

    curl -L --max-redirs=1 -O http://downloads.sourceforge.net/project/osslsigncode/osslsigncode/osslsigncode-1.7.1.tar.gz
    sha256sum osslsigncode-1.7.1.tar.gz
f9a8cdb38b9c309326764ebc937cba1523a3a751a7ab05df3ecc99d18ae466c9
    tar -xf osslsigncode-1.7.1.tar.gz
    cd osslsigncode-1.7.1
    ./configure --without-curl --prefix=$YOURPREFIX
    make && make install

#for a windows binary (optional):
    OPENSSL_CFLAGS=-I$MXETARGET/include OPENSSL_LIBS="-L$MXETARGET/lib -lcrypto -lz -lgdi32" ./configure --without-curl --host=i686-w64-mingw32 --prefix=$MXETARGET

For Microsoft Windows
=====================
The Windows variant can be cross compiled on Debian based GNU / Linux systems.
The minimum requirement is Debian stable.
Tested development platform: Ubuntu 13.10.

Dependencies on the Host system:

    apt-get install git autoconf automake bash bison bzip2 \
    cmake flex gettext git g++ intltool \
    libffi-dev libtool libltdl-dev libssl-dev \
    libxml-parser-perl make openssl patch perl \
    pkg-config scons sed unzip curl xz-utils autopoint \
    gperf

Build the windows binaries:

    MXEPATH=$YOURPREFIX/win
    git clone https://github.com/Intevation/mxe.git $MXEPATH
    cd $MXEPATH
    git checkout trustbridge
    echo "MXE_TARGETS := i686-w64-mingw32.static" > settings.mk
    make polarssl
    make qtbase

(optional)

    make curl

Add CMAKE_STRIP to the toolchain file:

    echo "set(CMAKE_STRIP $MXEPATH/usr/bin/i686-w64-mingw32.static-strip)" >> \
        "$MXEPATH/usr/i686-w64-mingw32.static/share/cmake/mxe-conf.cmake"

Workaround Qt CMake Bugs:

    find $MXEPATH/usr/i686-w64-mingw32.static/qt5/lib/cmake -name \*.cmake | \
        xargs sed -i 's/\/\([a-z]*\)\.lib/\/lib\1\.a/g'
    sed -i 's/^_qt5gui_find_extra_libs.*//' \
        $MXEPATH/usr/i686-w64-mingw32.static/qt5/lib/cmake/Qt5Gui/Qt5GuiConfigExtras.cmake

Compile the software:

    cd trustbridge
    mkdir build-windows
    cd build-windows
    MXETARGET=$MXEPATH/usr/i686-w64-mingw32.static/
    cmake .. \
        -DCMAKE_PREFIX_PATH="$MXETARGET/qt5;$MXETARGET;" \
        -DCMAKE_TOOLCHAIN_FILE="$MXETARGET/share/cmake/mxe-conf.cmake" \
        -DCMAKE_VERBOSE_MAKEFILE=True

Runtime Dependencies
====================
The Admin tool needs some additional software to be able to create installation
packages:

    apt-get install nsis wine sharutils
*/

http://wald.intevation.org/projects/trustbridge/