nix: Make status-go mobile artifacts reproducible

- Replace random build paths in with fixed string - Remove build ID sections
2019-05-14 19:29:36 +02:00 · 2019-05-14 19:29:36 +02:00 · 0ed6ef59ba
parent c051efb508
commit 0ed6ef59ba
6 changed files with 56 additions and 7 deletions
--- a/derivation.nix
+++ b/derivation.nix
@ -8,9 +8,10 @@ let
  # TODO: Try to use stdenv for iOS. The problem is with building iOS as the build is trying to pass parameters to Apple's ld that are meant for GNU's ld (e.g. -dynamiclib)
  stdenv = pkgs.stdenvNoCC;
  gradle = pkgs.gradle_4_10;
-  go = pkgs.go_1_11;
+  baseGo = pkgs.go_1_11;
+  go = pkgs.callPackage ./nix/patched-go { inherit baseGo; };
  buildGoPackage = pkgs.buildGoPackage.override { inherit go; };
-  statusDesktop = pkgs.callPackage ./nix/desktop { inherit target-os stdenv status-go pkgs nodejs go; inherit (pkgs) darwin; };
+  statusDesktop = pkgs.callPackage ./nix/desktop { inherit target-os stdenv status-go pkgs nodejs; inherit (pkgs) darwin; go = baseGo; };
  statusMobile = pkgs.callPackage ./nix/mobile { inherit target-os config stdenv pkgs nodejs status-go gradle; inherit (pkgs.xcodeenv) composeXcodeWrapper; };
  status-go = pkgs.callPackage ./nix/status-go { inherit target-os go buildGoPackage; inherit (pkgs.xcodeenv) composeXcodeWrapper; inherit (statusMobile) xcodewrapperArgs; androidPkgs = statusMobile.androidComposition; };
  nodejs = pkgs.nodejs-10_x;
@ -35,7 +36,7 @@ in with stdenv; mkDerivation rec {
  ] ++ nodePkgBuildInputs
    ++ lib.optional isDarwin cocoapods
    ++ lib.optional (isDarwin && !platform.targetIOS) clang
-    ++ lib.optional (!isDarwin) gcc7
+    ++ lib.optional (!isDarwin) gcc8
    ++ lib.catAttrs "buildInputs" selectedSources;
  shellHook = lib.concatStrings (lib.catAttrs "shellHook" selectedSources);
 }
--- a/nix/patched-go/default.nix
+++ b/nix/patched-go/default.nix
@ -0,0 +1,23 @@
+#
+# Patch the Go compiler so that we can have a say (using a NIX_GOWORKDIR environment variable) as to the temporary directory it uses for linking,
+#  since that directory path ends up in the string table and .gnu.version_d ELF header
+#
+
+{ baseGo }:
+
+let
+  go = baseGo.overrideDerivation(oldAttrs: {
+    postPatch = (oldAttrs.postPatch or "") + ''
+      substituteInPlace "src/cmd/go/internal/work/action.go" --replace \
+        'tmp, err := ioutil.TempDir(os.Getenv("GOTMPDIR"), "go-build")' \
+        'var err error
+		tmp := os.Getenv("NIX_GOWORKDIR")
+		if tmp == "" {
+			tmp, err = ioutil.TempDir(os.Getenv("GOTMPDIR"), "go-build")
+		}'
+      # Disable chown tests, they fail with 'invalid argument'
+      rm src/os/os_unix_test.go
+    '';
+  });
+
+in go
--- a/nix/status-go/build-mobile-status-go.nix
+++ b/nix/status-go/build-mobile-status-go.nix
@ -21,13 +21,18 @@ let
    buildMessage = "Building mobile library for ${targetConfig.name}";
    # Build mobile libraries
    buildPhase = ''
+      mkdir $NIX_BUILD_TOP/go-build
+
      GOPATH=${gomobile.dev}:$GOPATH \
      PATH=${lib.makeBinPath [ gomobile.bin ]}:$PATH \
      ${lib.concatStringsSep " " targetConfig.envVars} \
+      NIX_GOWORKDIR=$NIX_BUILD_TOP/go-build \
      gomobile bind ${goBuildFlags} -target=${targetConfig.name} ${lib.concatStringsSep " " targetConfig.gomobileExtraFlags} \
                    -o ${targetConfig.outputFileName} \
                    ${goBuildLdFlags} \
                    ${goPackagePath}/mobile
+
+      rm -rf $NIX_BUILD_TOP/go-build
    '';

    installPhase = ''
--- a/nix/status-go/build-status-go.nix
+++ b/nix/status-go/build-status-go.nix
@ -5,6 +5,7 @@
  buildPhase, buildMessage,
  installPhase ? "",
  postInstall ? "",
+  preFixup ? "",
  outputs, meta } @ args':

 with stdenv;
@ -17,7 +18,9 @@ let
  buildStatusGo = buildGoPackage (args // {
    name = "${repo}-${version}-${host}";

-    nativeBuildInputs = nativeBuildInputs ++ lib.optional isDarwin xcodeWrapper;
+    nativeBuildInputs = 
+      nativeBuildInputs ++
+      lib.optional isDarwin xcodeWrapper;

    # Fixes Cgo related build failures (see https://github.com/NixOS/nixpkgs/issues/25959 )
    hardeningDisable = [ "fortify" ];
@ -64,8 +67,10 @@ let
      runHook postInstall
    '';

-    # remove hardcoded paths to go package in /nix/store, otherwise Nix will fail the build
+    # replace hardcoded paths to go package in /nix/store, otherwise Nix will fail the build
    preFixup = ''
+      ${preFixup}
+
      find $out -type f -exec ${removeExpr removeReferences} '{}' + || true
      return
    '';
@ -82,4 +87,4 @@ let
    };
  });

-in buildStatusGo
+in buildStatusGo
--- a/nix/status-go/default.nix
+++ b/nix/status-go/default.nix
@ -50,7 +50,7 @@ let
  currentHostConfig = if isDarwin then hostConfigs.darwin else hostConfigs.linux;

  goBuildFlags = "-v";
-  # TODO: Manage to pass -s -w to -ldflags. Seems to only accept a single flag
+  # TODO: Manage to pass "-s -w" to -ldflags. Seems to only accept a single flag
  goBuildLdFlags = "-ldflags=-s";

  xcodeWrapper = composeXcodeWrapper xcodewrapperArgs;
--- a/nix/status-go/gomobile/default.nix
+++ b/nix/status-go/gomobile/default.nix
@ -31,12 +31,27 @@ in buildGoPackage rec {
    lib.optionalString platform.targetAndroid ''
    substituteInPlace cmd/gomobile/install.go --replace "\`adb\`" "\`${platform-tools}/bin/adb\`"
    '' + ''
+    WORK=$NIX_BUILD_TOP/gomobile-work
+
+    # Prevent a non-deterministic temporary directory from polluting the resulting object files
+    substituteInPlace cmd/gomobile/env.go --replace \
+      'tmpdir, err = ioutil.TempDir("", "gomobile-work-")' \
+      "tmpdir = \"$WORK\"" \
+      --replace '"io/ioutil"' ""
+
    echo "Creating $dev"
    mkdir -p $dev/src/$goPackagePath
    echo "Copying from $src"
    cp -a $src/. $dev/src/$goPackagePath
  '';

+  preBuild = ''
+    mkdir $WORK
+  '';
+  postBuild = ''
+    rm -rf $WORK
+  '';
+
  postInstall = ''
    mkdir -p $out $bin/lib