andre@1253: /** @file INSTALL
andre@1253: @brief Installation Instructions
aheinecke@575: *************************
aheinecke@575: 
aheinecke@575: For Debian based GNU / Linux
aheinecke@575: ============================
andre@876: Tested development platform: Ubuntu 14.4 amd64.
bernhard@598: 
aheinecke@575: The following commands build qt5 and polarssl which are dependencies of the Software.
andre@876: To only build for the amd64 platform omit the i386 instructions.
andre@876: 
aheinecke@575: For build dependencies please refer to the Qt documentation 
bernhard@598: ( qtbase/src/plugins/platforms/xcb/README ).
bernhard@598: Polarssl needs cmake and build-essentials.
aheinecke@575: 
aheinecke@575:     export YOURPREFIX=<Prefix of your choice (default /usr)>
andre@1262:     mkdir -p $YOURPREFIX/bin
aheinecke@577:     export PATH=$YOURPREFIX/bin:$PATH
aheinecke@575: 
andre@1192:     curl https://download.qt-project.org/official_releases/qt/5.3/5.3.2/single/qt-everywhere-opensource-src-5.3.2.tar.xz.mirrorlist | grep SHA-256
andre@1192: 7f5bf93344cb57bac374ea4a32c8eda87f1357f998f14278e717cf84d0289bf0
aheinecke@575: 
bernhard@1285:     curl -O http://qt-mirror.dannhauer.de/official_releases/qt/5.3/5.3.2/single/qt-everywhere-opensource-src-5.3.2.tar.xz
aheinecke@575: 
andre@1192:     sha256sum qt-everywhere-opensource-src-5.3.2.tar.xz
andre@778: 
andre@1192:     tar -xf qt-everywhere-opensource-src-5.3.2.tar.xz
andre@1192: 
andre@1192:     cd qt-everywhere-opensource-src-5.3.2/qtbase
aheinecke@575: 
aheinecke@575: build dependencies have to to be installed at this point,
aheinecke@575: see ../qtbase/src/plugins/platforms/xcb/README
aheinecke@575: 
aheinecke@575:     ./configure --prefix=$YOURPREFIX \
aheinecke@575:     -opensource \
aheinecke@575:     -release  -nomake tests  -nomake examples  -confirm-license \
andre@876:     -static -no-cups -no-nis -no-icu -no-fontconfig -qt-freetype \
andre@778:     -no-directfb -no-opengl -no-kms -no-eglfs -no-egl -no-openssl -no-glib \
andre@931:     -qpa xcb -qt-xkbcommon -qt-xcb -no-nis -no-libjpeg -qt-libpng \
andre@1192:     -qt-zlib -no-gif -no-xinput2 && \
andre@887:     nice make -j`nproc` && \
andre@666:     make install
andre@666: 
andre@1263: If you want to build the localization you need the qt localization tools.
andre@1263: To build them:
andre@1263: 
andre@784:     cd .. && \
andre@784:     cd qttools/src/designer/src/uitools && \
andre@778:     qmake && \
andre@887:     nice make -j`nproc` && \
aheinecke@575:     make install
aheinecke@575: 
andre@784:     cd ../../../linguist && \
andre@784:     qmake && \
andre@887:     nice make -j`nproc` &&\
andre@666:     make install
aheinecke@577: 
andre@1263: 
andre@1263: Polarssl is required for TrustBridge:
andre@1263: 
andre@1342:     curl -O https://polarssl.org/download/polarssl-1.3.9-gpl.tgz
andre@1342:     sha256sum polarssl-1.3.9-gpl.tgz
andre@1342:     d3605afc28ed4b7d1d9e3142d72e42855e4a23c07c951bbb0299556b02d36755 polarssl-1.3.9-gpl.tgz
aheinecke@575: 
andre@1342:     tar -xf polarssl-1.3.9-gpl.tgz
andre@1342:     cd polarssl-1.3.9
andre@1346:     # In 1.3.9 polarssl removed custom C flag inclusion.
andre@1346:     # we need this for -fpic
andre@1346:     patch -p0 << EOF
andre@1346: --- CMakeLists.txt      2014-10-28 12:13:53.566828092 +0100
andre@1346: +++ CMakeLists.txt.orig 2014-10-28 12:13:48.202827991 +0100
andre@1346: @@ -4,7 +4,7 @@
andre@1346:  string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "\${CMAKE_C_COMPILER_ID}")
andre@1346:  
andre@1346:  if(CMAKE_COMPILER_IS_GNUCC)
andre@1346: -  set(CMAKE_C_FLAGS "-Wall -Wextra -W -Wdeclaration-after-statement -Wlogical-op -Wwrite-strings")
andre@1346: +  set(CMAKE_C_FLAGS "\${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wlogical-op -Wwrite-strings")
andre@1346:    set(CMAKE_C_FLAGS_RELEASE "-O2")
andre@1346:    set(CMAKE_C_FLAGS_DEBUG "-g3 -O0")
andre@1346:    set(CMAKE_C_FLAGS_COVERAGE "-g3 -O0 --coverage")
andre@1346: EOF
andre@1400:     # Patch for CVE 2015-1182
andre@1400:     patch -p1 << EOF
andre@1400: diff --git a/library/asn1parse.c b/library/asn1parse.c
andre@1400: index a3a2b56..e2117bf 100644
andre@1400: --- a/library/asn1parse.c
andre@1400: +++ b/library/asn1parse.c
andre@1400: @@ -278,6 +278,8 @@ int asn1_get_sequence_of( unsigned char **p,
andre@1400:              if( cur->next == NULL )
andre@1400:                  return( POLARSSL_ERR_ASN1_MALLOC_FAILED );
andre@1400: 
andre@1400: +            memset( cur->next, 0, sizeof( asn1_sequence ) );
andre@1400: +
andre@1400:              cur = cur->next;
andre@1400:          }
andre@1400:      }
andre@1400: EOF
andre@1346: 
aheinecke@575:     mkdir build
aheinecke@575:     cd build
aheinecke@575:     cmake .. -DCMAKE_C_FLAGS=-fpic -DCMAKE_INSTALL_PREFIX=$YOURPREFIX
aheinecke@575:     make && make test && make install
aheinecke@575: 
andre@998: Trustbridge checkout:
andre@998: At this point you need a trustbridge checkout as curl needs to be patched
andre@998: to enable the certificate pinning and the force of SSL Ciphersuites when
andre@998: using polarssl.
andre@998: 
andre@998:     hg clone https://wald.intevation.org/hg/trustbridge/
andre@998: 
andre@908: Libcurl:
andre@998: 
bernhard@1285:     curl -O http://curl.haxx.se/download/curl-7.38.0.tar.gz
bernhard@1285:     sha256sum curl-7.38.0.tar.gz
andre@1089:     5661028aa6532882fa228cd23c99ddbb8b87643dbb1a7ea55c068d34a943dff1 curl-7.38.0.tar.gz
bernhard@1285:     curl -O http://curl.haxx.se/download/curl-7.38.0.tar.gz.asc
bernhard@1285:     gpg2 --verify curl-7.38.0.tar.gz.asc
andre@960: 
andre@1089:     tar -xf curl-7.38.0.tar.gz
andre@1089:     cd curl-7.38.0/
andre@998:     patch -p1 < ../trustbridge/patches/*.patch
andre@971:     mkdir build
andre@971:     cd build
andre@908: 
andre@971:     ../configure --prefix=$YOURPREFIX \
andre@908:     --without-nghttp2 --without-libidn --without-winidn --without-libssh2 \
andre@908:     --without-librtmp --without-libmetalink --without-axtls --without-nss \
andre@908:     --without-cyassl --without-ssl  --without-gnutls --disable-gopher --disable-smtp \
andre@908:     --disable-imap --disable-pop3 --disable-tftp --disable-telnet --disable-dict \
andre@953:     --disable-rtsp --disable-ldaps --disable-ldap --disable-file \
andre@908:     --disable-ftp --enable-http --enable-shared=no -enable-static=yes \
andre@948:     --with-polarssl=$YOURPREFIX --without-ca-bundle --without-ca-path \
andre@948:     --without-zlib
andre@953:     make && make install
andre@908: 
andre@1253: To compile the software you can use plain cmake.
andre@1253: An out of source build is highly suggested.
andre@1253: For build options see CMakeList.txt
aheinecke@575: 
aheinecke@575:     cd trustbridge
andre@834:     hg clone https://wald.intevation.org/hg/trustbridge/nss-cmake-static
aheinecke@575:     mkdir build-linux
aheinecke@575:     cd build-linux
andre@1363:     cmake .. -DCMAKE_PREFIX_PATH=$YOURPREFIX \
andre@1363:              -DCMAKE_INSTALL_PREFIX=$YOURPREFIX
aheinecke@575: 
andre@1265: CLANG
andre@1265: =====
andre@1266: Alternatively you can build trustbridge with CLANG. This is a bit of a hack
andre@1266: and does not use all the hardening flags. Building with CLANG is _NOT_ recommended
andre@1266: but it can be useful for analysis of the code.
andre@1266: 
andre@1266: As root install the required packages an perform an evil hack that fixes the c++
andre@1266: build with clang on ubuntu:
andre@1266: 
andre@1266:     apt-get install clang llvm
andre@1266:     ln -s /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19 /usr/lib/x86_64-linux-gnu/libstdc++.so
andre@1266: 
andre@1266: Now you can build trustbridge as user:
andre@1264: 
andre@1264:     mkdir build-clang
andre@1264:     cd build-clang
andre@1264:     CC=/usr/bin/clang \
andre@1264:     CXX=/usr/bin/clang++ \
andre@1264:     cmake .. -DCMAKE_PREFIX_PATH=$YOURPREFIX \
andre@1266:     -DUSE_CLANG=TRUE \
andre@1266:     -DCMAKE_VERBOSE_MAKEFILE=TRUE
andre@1267:     make
andre@1267: 
andre@1267: To run scan build:
andre@1267: 
andre@1267:     CXX=/usr/share/clang/scan-build/c++-analyzer \
andre@1267:     CC=/usr/share/clang/scan-build/ccc-analyzer \
andre@1267:     cmake .. -DCMAKE_PREFIX_PATH=$YOURPREFIX \
andre@1267:     -DUSE_CLANG=TRUE \
andre@1267:     -DCMAKE_VERBOSE_MAKEFILE=TRUE
andre@1267:     scan-build make
aheinecke@575: 
andre@876: I386
andre@876: ====
andre@876: Install dependencies (list might be incomplete)
andre@1253: 
andre@876:     apt-get install libx32stdc++-4.8-dev libc6:i386 g++-4.8-multilib \
andre@1253:      libxcb1:i386 libxcb1-dev:i386 libx11-xcb1:i386 libx11-xcb-dev:i386 libxcb-keysyms1:i386 \
andre@1253:      libxcb-keysyms1-dev:i386 libxcb-image0:i386 libxcb-image0-dev:i386 \
andre@1253:      libxcb-shm0:i386 libxcb-shm0-dev:i386 libxcb-icccm4:i386 \
andre@1253:      libxcb-icccm4-dev:i386 libxcb-sync-dev:i386 \
andre@1253:      libxcb-render-util0:i386 libxcb-render-util0-dev:i386 \
andre@1253:      libxcb-xfixes0-dev:i386 libxrender-dev:i386 libxcb-shape0-dev:i386 \
andre@1253:      libxcb-randr0-dev:i386 libxcb-glx0-dev:i386 libdbus-1-dev:i386 \
andre@1253:      libsm-dev:i386 libnss3-dev:i386
andre@876: 
andre@876: Create a new directory for qt. As qt has to build in source you need a different
andre@1253: directory:
andre@1253: 
andre@876:     mkdir i386
andre@876:     cd i386
andre@1192:     tar -xf ../qt-everywhere-opensource-src-5.3.2.tar.xz
andre@1192:     cd qt-everywhere-opensource-src-5.3.2/qtbase/
andre@876:     ./configure --prefix=$YOURPREFIX/i386 \
andre@876:     -opensource -platform linux-g++-32 \
andre@876:     -release  -nomake tests  -nomake examples  -confirm-license \
andre@876:     -static -no-cups -no-nis -no-icu \
andre@876:     -no-directfb -no-opengl -no-kms -no-eglfs -no-egl -no-openssl -no-glib \
andre@876:     -system-libpng -qpa xcb -qt-xcb -no-nis -no-libjpeg -no-gif -qt-zlib \
andre@1192:     -no-fontconfig -qt-freetype -qt-libpng -qt-xkbcommon -no-xinput2 \
andre@876:     && \
andre@887:     nice make -j`nproc` && \
andre@876:     make install
andre@876: 
andre@1253: Switch back to the polarssl directory:
andre@1253: 
andre@1342:     cd ../../../polarssl-1.3.9/
andre@876:     mkdir build-i386
andre@876:     cd build-i386
andre@876:     cmake .. -DCMAKE_C_FLAGS="-fpic -m32" -DCMAKE_INSTALL_PREFIX=$YOURPREFIX/i386 \
andre@876:          -DCMAKE_VERBOSE_MAKEFILE=True \
andre@876:          -DENABLE_TESTING=FALSE -DENABLE_PROGRAMS=FALSE && \
andre@887:     nice make -j`nproc` && \
andre@876:     make install
andre@876: 
andre@1253: Change to the curl directory:
andre@1253: 
andre@1089:     cd ../../curl-7.38.0/
andre@971:     mkdir build-i386
andre@971:     cd build-i386
andre@971:     CFLAGS="-fpic -m32" CPPFLAGS="-fpic -m32" ../configure --prefix=$YOURPREFIX/i386 \
andre@971:     --without-nghttp2 --without-libidn --without-winidn --without-libssh2 \
andre@971:     --without-librtmp --without-libmetalink --without-axtls --without-nss \
andre@971:     --without-cyassl --without-ssl  --without-gnutls --disable-gopher --disable-smtp \
andre@971:     --disable-imap --disable-pop3 --disable-tftp --disable-telnet --disable-dict \
andre@971:     --disable-rtsp --disable-ldaps --disable-ldap --disable-file \
andre@971:     --disable-ftp --enable-http --enable-shared=no -enable-static=yes \
andre@971:     --with-polarssl=$YOURPREFIX/i386 --without-ca-bundle --without-ca-path \
andre@971:     --without-zlib
andre@971:     make && make install
andre@971: 
andre@1264: Now for Trustbridge itself:
andre@1264: 
andre@876:     cd ../../trustbridge
andre@876:     mkdir build-i386
andre@876:     cd build-i386
andre@876:     cmake .. -DCMAKE_PREFIX_PATH="$YOURPREFIX/i386" \
andre@876:     -DCMAKE_VERBOSE_MAKEFILE=True \
andre@876:     -DCMAKE_C_FLAGS=-m32 \
andre@876:     -DCMAKE_CXX_FLAGS="-m32"
andre@876: 
aheinecke@585: Hiawatha (for Downloader unit test)
aheinecke@585: ===================================
aheinecke@585: Hiawatha is used in the downloader unit tests to provide a testbench
aheinecke@585: for the ssl connection. To build it you may need libxslt-dev as additional
aheinecke@585: dependency.
aheinecke@585: 
bernhard@1285:     curl -O https://www.hiawatha-webserver.org/files/hiawatha-9.7.tar.gz
andre@1089:     sha256sum hiawatha-9.7.tar.gz
aheinecke@585: 
andre@1089: e8581336883b7b963f38572f6396f8c47b43e5bedd3147d052fa3652e6c0ed86 hiawatha-9.7.tar.gz
andre@1089: 
andre@1089:     tar -xf hiawatha-9.7.tar.gz
andre@1089:     cd hiawatha-9.7
aheinecke@585:     mkdir build
aheinecke@585:     cd build
aheinecke@585:     cmake .. -DCMAKE_INSTALL_PREFIX=$YOURPREFIX
aheinecke@585:     make && make install
aheinecke@585: 
andre@998: 
andre@635: Osslsigncode (for binverify unit test)
andre@635: ======================================
andre@635: Osslsigncode is used to create PKCS#7 embedded signatures for Windows Authenticode
andre@635: it is needed for the Windows part of the binverify unit test on the build system.
andre@635: 
bernhard@1285:     curl -L --max-redirs=1 -O http://downloads.sourceforge.net/project/osslsigncode/osslsigncode/osslsigncode-1.7.1.tar.gz
andre@847:     sha256sum osslsigncode-1.7.1.tar.gz
andre@1253: f9a8cdb38b9c309326764ebc937cba1523a3a751a7ab05df3ecc99d18ae466c9
andre@847:     tar -xf osslsigncode-1.7.1.tar.gz
andre@847:     cd osslsigncode-1.7.1
andre@847:     ./configure --without-curl --prefix=$YOURPREFIX
andre@635:     make && make install
andre@635: 
andre@1253: #for a windows binary (optional):
andre@635:     OPENSSL_CFLAGS=-I$MXETARGET/include OPENSSL_LIBS="-L$MXETARGET/lib -lcrypto -lz -lgdi32" ./configure --without-curl --host=i686-w64-mingw32 --prefix=$MXETARGET
andre@635: 
aheinecke@575: For Microsoft Windows
aheinecke@575: =====================
aheinecke@575: The Windows variant can be cross compiled on Debian based GNU / Linux systems.
bernhard@598: The minimum requirement is Debian stable.
bernhard@598: Tested development platform: Ubuntu 13.10.
aheinecke@575: 
aheinecke@575: Dependencies on the Host system:
andre@1253: 
andre@1253:     apt-get install git autoconf automake bash bison bzip2 \
aheinecke@575:     cmake flex gettext git g++ intltool \
aheinecke@575:     libffi-dev libtool libltdl-dev libssl-dev \
aheinecke@575:     libxml-parser-perl make openssl patch perl \
bernhard@1285:     pkg-config scons sed unzip curl xz-utils autopoint \
aheinecke@575:     gperf
aheinecke@575: 
aheinecke@577: Build the windows binaries:
andre@1253: 
aheinecke@575:     MXEPATH=$YOURPREFIX/win
andre@949:     git clone https://github.com/Intevation/mxe.git $MXEPATH
aheinecke@575:     cd $MXEPATH
andre@958:     git checkout trustbridge
aheinecke@575:     echo "MXE_TARGETS := i686-w64-mingw32.static" > settings.mk
aheinecke@575:     make polarssl
aheinecke@575:     make qtbase
andre@1253: 
andre@1253: (optional)
andre@1253: 
andre@1253:     make curl
aheinecke@575: 
andre@1019: Add CMAKE_STRIP to the toolchain file:
andre@1253: 
andre@1019:     echo "set(CMAKE_STRIP $MXEPATH/usr/bin/i686-w64-mingw32.static-strip)" >> \
andre@1019:         "$MXEPATH/usr/i686-w64-mingw32.static/share/cmake/mxe-conf.cmake"
andre@1019: 
aheinecke@575: Workaround Qt CMake Bugs:
andre@1253: 
aheinecke@575:     find $MXEPATH/usr/i686-w64-mingw32.static/qt5/lib/cmake -name \*.cmake | \
aheinecke@575:         xargs sed -i 's/\/\([a-z]*\)\.lib/\/lib\1\.a/g'
aheinecke@575:     sed -i 's/^_qt5gui_find_extra_libs.*//' \
aheinecke@575:         $MXEPATH/usr/i686-w64-mingw32.static/qt5/lib/cmake/Qt5Gui/Qt5GuiConfigExtras.cmake
aheinecke@575: 
aheinecke@575: Compile the software:
andre@1253: 
aheinecke@575:     cd trustbridge
aheinecke@575:     mkdir build-windows
aheinecke@575:     cd build-windows
aheinecke@575:     MXETARGET=$MXEPATH/usr/i686-w64-mingw32.static/
aheinecke@575:     cmake .. \
aheinecke@575:         -DCMAKE_PREFIX_PATH="$MXETARGET/qt5;$MXETARGET;" \
aheinecke@575:         -DCMAKE_TOOLCHAIN_FILE="$MXETARGET/share/cmake/mxe-conf.cmake" \
andre@1024:         -DCMAKE_VERBOSE_MAKEFILE=True
andre@848: 
andre@848: Runtime Depdendencies
andre@848: =====================
andre@848: The Admin tool needs some additional software to be able to create installtion
andre@848: packages:
andre@848: 
andre@848:     apt-get install nsis wine sharutils
andre@1253: */