Githubactions: CentOS7: Install glibc from source #25
name: CentOS binaries | |
# This machine tests building the software on a both 32 and 64 Windows architecture. | |
on: [push] | |
jobs: | |
redhat_based: | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- environment: "centos:7" | |
cc: "gcc" | |
upload_for_test: "false" | |
name: build on ${{ matrix.environment }} | |
runs-on: ubuntu-latest | |
container: ${{ matrix.environment }} | |
steps: | |
- name: Setup OS | |
run: | | |
sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo | |
sed -i s/^#.*baseurl=http/baseurl=http/g /etc/yum.repos.d/*.repo | |
sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/*.repo | |
yum -y update | |
yum -y install epel-release | |
yum -y install gcc gcc-c++ cmake gengetopt openssl openssl-devel libedit-devel libcurl-devel libusbx-devel | |
yum -y install pcsc-lite-devel help2man chrpath rpm-build redhat-rpm-config | |
yum -y install checksec procps-ng jq file which curl wget git | |
git clone https://sourceware.org/git/glibc.git -b glibc-2.28 --depth 1 | |
mkdir glibc/build | |
cd glibc/build | |
./../configure --prefix=/usr | |
make | |
make install | |
- name: install OpenSSL | |
run: | | |
wget https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz | |
tar xfz openssl-1.1.1w.tar.gz | |
cd openssl-1.1.1w | |
./config --prefix=$GITHUB_WORKSPACE/openssl --openssldir=$GITHUB_WORKSPACE/openssl | |
make | |
make install | |
- name: clone the Yubico/yubihsm-shell repository | |
run: | | |
git clone https://github.com/Yubico/yubihsm-shell.git -b 2.6.0 | |
- name: apply environment specific changes to CMakeLists.txt | |
working-directory: yubihsm-shell | |
if: ${{ matrix.environment == 'centos:7' }} | |
run: | | |
# centos 7 comes with cmake version 2.8, but the project requires 3.5 | |
# we downgrade that requirement for the centos 7 build | |
sed -i 's/cmake_minimum_required (VERSION 3.5)/cmake_minimum_required (VERSION 2.8)/' CMakeLists.txt | |
# we also remove the following policies which are not supported in the older cmake version | |
sed -i 's/cmake_policy(SET CMP0025 NEW)/#cmake_policy(SET CMP0025 NEW)/' CMakeLists.txt | |
sed -i 's/cmake_policy(SET CMP0042 NEW)/#cmake_policy(SET CMP0042 NEW)/' CMakeLists.txt | |
sed -i 's/cmake_policy(SET CMP0054 NEW)/#cmake_policy(SET CMP0054 NEW)/' CMakeLists.txt | |
sed -i 's/cmake_policy(SET CMP0091 NEW)/#cmake_policy(SET CMP0091 NEW)/' CMakeLists.txt | |
# append the following flags: -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration | |
sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers/' cmake/SecurityFlags.cmake | |
- name: extract platform name | |
env: | |
DOCKER_IMAGE: ${{ matrix.environment }} | |
run: | | |
# Remove everything from DOCKER_IMAGE that is not a letter or a number | |
PLATFORM=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g') | |
echo "PLATFORM=$PLATFORM" >> $GITHUB_ENV | |
# - name: install dependencies | |
# env: | |
# PLATFORM: ${{ env.PLATFORM }} | |
# run: | | |
# cd yubihsm-shell/resources/release/linux | |
# ./install_redhat_dependencies.sh $PLATFORM | |
# | |
# if [ $PLATFORM = "centos7" ]; then | |
# # enable the epel repository for centos | |
# yum install -y epel-release | |
# fi | |
# yum install -y checksec procps-ng jq file which curl | |
- name: build release | |
working-directory: yubihsm-shell | |
env: | |
PLATFORM: ${{ env.PLATFORM }} | |
run: | | |
export CMAKE="cmake" | |
export INPUT=$GITHUB_WORKSPACE/yubihsm-shell | |
export OUTPUT=$GITHUB_WORKSPACE/$PLATFORM/yubihsm-shell | |
rm -rf $OUTPUT | |
mkdir -p $OUTPUT | |
export PKG_CONFIG_PATH=$GITHUB_WORKSPACE/openssl/lib/pkgconfig | |
# These 2 lines can be replaced by the command "rpmdev-setuptree", but this command seems to add macros that force check paths that do not exist | |
mkdir -p $GITHUB_WORKSPACE/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS} | |
echo '%_topdir %(echo $HOME)/rpmbuild' > $GITHUB_WORKSPACE/.rpmmacros | |
RPM_DIR=$GITHUB_WORKSPACE/rpmbuild | |
cp resources/release/linux/yubihsm-shell.spec $RPM_DIR/SPECS/ | |
QA_SKIP_BUILD_ROOT=1 QA_RPATHS=$(( 0x0001|0x0010 )) rpmbuild -bb $RPM_DIR/SPECS/yubihsm-shell.spec | |
cp /github/home/rpmbuild/RPMS/x86_64/*.rpm $OUTPUT/ | |
LICENSE_DIR="$OUTPUT/share/yubihsm-shell" | |
mkdir -p $LICENSE_DIR | |
cp -r $INPUT/resources/release/linux/licenses $LICENSE_DIR/ | |
for lf in $LICENSE_DIR/licenses/*; do | |
chmod 644 $lf | |
done | |
cd $OUTPUT | |
rm -f "yubihsm-shell-$PLATFORM-amd64.tar.gz" | |
tar -C ".." -zcvf "../yubihsm-shell-$PLATFORM-amd64.tar.gz" "yubihsm-shell" | |
rm -f *.rpm | |
rm -rf licenses | |
rm -rf ../yubihsm-shell | |
- name: install binaries | |
working-directory: /github/home/rpmbuild/RPMS/x86_64 | |
run: | | |
yum install -y ./yubihsm-shell-*.rpm | |
- name: check binaries for hardening | |
run: | | |
cs() { | |
checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1" | |
} | |
if [ "`cs relro`" != "full" ]; then echo "relro is `cs relro`"; exit 1; fi | |
if [ "`cs canary`" != "yes" ]; then echo "canary is `cs canary`"; exit 1; fi | |
if [ "`cs nx`" != "yes" ]; then echo "nx is `cs nx`"; exit 1; fi | |
if [ "`cs pie`" != "yes" ]; then echo "pie is `cs pie`"; exit 1; fi | |
if [ "`cs fortify_source`" != "yes" ]; then echo "fortify_source is `cs fortify_source`"; exit 1; fi | |
- name: upload artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "yubihsm-shell-${{ env.PLATFORM }}-amd64" | |
path: ${{ env.PLATFORM }} |
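Review bot: The glibc source added to the "Setup OS" step (the `git clone https://sourceware.org/git/glibc.git -b glibc-2.28 --depth 1` / `./../configure --prefix=/usr` / `make install` lines) is fetched by tag name and installed over the container's system libc without any integrity check, so a moved tag or a compromised fetch would end up in the shipped RPM unnoticed. Pinning the checkout to a known commit is a two-line change: keep the clone and add `test "$(git -C glibc rev-parse HEAD)" = "<EXPECTED_GLIBC_2.28_COMMIT>"` before `mkdir glibc/build` (the hash is a placeholder; take it from the release tag). The OpenSSL tarball in the next step has the same gap if it is also new here — `sha256sum -c` against the published digest before `tar xfz` would close it. Since `--prefix=/usr` replaces the glibc that the later `yum install -y ./yubihsm-shell-*.rpm` step runs against, a one-line comment above the clone stating why 2.28 specifically is required (e.g. `# glibc 2.28 needed because <REASON> — see PR #25`) would save the next maintainer from guessing.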