starwels
/
starwels
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8186 Commits
3 Branches
Tree: 1e3473d384
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1e3473d384'
${ noResults }
starwels/doc/README_osx.txt

README_osx.txt 4.7KB
Raw Blame History

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283 
  1. Deterministic OSX Dmg Notes.

  2. 

  3. Working OSX DMG's are created in Linux by combining a recent clang,

  4. the Apple's binutils (ld, ar, etc), and DMG authoring tools.

  5. 

  6. Apple uses clang extensively for development and has upstreamed the necessary

  7. functionality so that a vanilla clang can take advantage. It supports the use

  8. of -F, -target, -mmacosx-version-min, and --sysroot, which are all necessary

  9. when building for OSX. A pre-compiled version of 3.2 is used because it was not

  10. available in the Precise repositories at the time this work was started. In the

  11. future, it can be switched to use system packages instead.

  12. 

  13. Apple's version of binutils (called cctools) contains lots of functionality

  14. missing in the FSF's binutils. In addition to extra linker options for

  15. frameworks and sysroots, several other tools are needed as well such as

  16. install_name_tool, lipo, and nmedit. These do not build under linux, so they

  17. have been patched to do so. The work here was used as a starting point:

  18. https://github.com/mingwandroid/toolchain4

  19. 

  20. In order to build a working toolchain, the following source packages are needed

  21. from Apple: cctools, dyld, and ld64.

  22. 

  23. These tools inject timestamps by default, which produce non-deterministic

  24. binaries. The ZERO_AR_DATE environment variable is used to disable that.

  25. 

  26. This version of cctools has been patched to use the current version of clang's

  27. headers and and its libLTO.so rather than those from llvmgcc, as it was

  28. originally done in toolchain4.

  29. 

  30. To complicate things further, all builds must target an Apple SDK. These SDKs

  31. are free to download, but not redistributable.

  32. To obtain it, register for a developer account, then download the XCode 6.1.1 dmg:

  33. https://developer.apple.com/downloads/download.action?path=Developer_Tools/xcode_6.1.1/xcode_6.1.1.dmg

  34. 

  35. This file is several gigabytes in size, but only a single directory inside is

  36. needed: Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk

  37. 

  38. Unfortunately, the usual linux tools (7zip, hpmount, loopback mount) are incapable of opening this file.

  39. To create a tarball suitable for gitian input, mount the dmg in OSX, then create it with:

  40.   $ tar -C /Volumes/Xcode/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/ -czf MacOSX10.9.sdk.tar.gz MacOSX10.9.sdk

  41. 

  42. 

  43. The gitian descriptors build 2 sets of files: Linux tools, then Apple binaries

  44. which are created using these tools. The build process has been designed to

  45. avoid including the SDK's files in Gitian's outputs. All interim tarballs are

  46. fully deterministic and may be freely redistributed.

  47. 

  48. genisoimage is used to create the initial DMG. It is not deterministic as-is,

  49. so it has been patched. A system genisoimage will work fine, but it will not

  50. be deterministic because the file-order will change between invocations.

  51. The patch can be seen here:

  52. https://raw.githubusercontent.com/theuni/osx-cross-depends/master/patches/cdrtools/genisoimage.diff

  53. No effort was made to fix this cleanly, so it likely leaks memory badly. But

  54. it's only used for a single invocation, so that's no real concern.

  55. 

  56. genisoimage cannot compress DMGs, so afterwards, the 'dmg' tool from the

  57. libdmg-hfsplus project is used to compress it. There are several bugs in this

  58. tool and its maintainer has seemingly abandoned the project. It has been forked

  59. and is available (with fixes) here: https://github.com/theuni/libdmg-hfsplus .

  60. 

  61. The 'dmg' tool has the ability to create DMG's from scratch as well, but this

  62. functionality is broken. Only the compression feature is currently used.

  63. Ideally, the creation could be fixed and genisoimage would no longer be necessary.

  64. 

  65. Background images and other features can be added to DMG files by inserting a

  66. .DS_Store before creation. The easiest way to create this file is to build a

  67. DMG without one, move it to a device running OSX, customize the layout, then

  68. grab the .DS_Store file for later use. That is the approach taken here.

  69. 

  70. As of OSX Mavericks (10.9), using an Apple-blessed key to sign binaries is a

  71. requirement in order to satisfy the new Gatekeeper requirements. Because this

  72. private key cannot be shared, we'll have to be a bit creative in order for the

  73. build process to remain somewhat deterministic. Here's how it works:

  74. 

  75. - Builders use gitian to create an unsigned release. This outputs an unsigned

  76.   dmg which users may choose to bless and run. It also outputs an unsigned app

  77.   structure in the form of a tarball, which also contains all of the tools

  78.   that have been previously (deterministically) built in order to create a

  79.   final dmg.

  80. - The Apple keyholder uses this unsigned app to create a detached signature,

  81.   using the script that is also included there.

  82. - Builders feed the unsigned app + detached signature back into gitian. It

  83.   uses the pre-built tools to recombine the pieces into a deterministic dmg.