gitian-firefox.yml

---
name: "torbrowser-linux"
distro: "debian"
suites:
- "wheezy"
architectures:
- "i386"
- "amd64"
packages:
- "unzip"
- "zip"
- "autoconf2.13"
- "libgtk2.0-dev"
- "libdbus-glib-1-dev"
- "yasm"
- "libxt-dev"
- "hardening-wrapper"
# To pass configure since ESR 31.
- "libpulse-dev"
# To pass configure since ESR 45.
- "libgconf2-dev"
# To pass configure since ESR 52.
- "libx11-xcb-dev"
# We built GCC but not the libmpc2, thus we need to install it.
- "libmpc2"
reference_datetime: "2000-01-01 00:00:00"
remotes:
- "url": "https://git.torproject.org/tor-browser.git"
  "dir": "tor-browser"
files:
- "binutils-linux32-utils.zip"
- "binutils-linux64-utils.zip"
- "gcc-linux32-utils.zip"
- "gcc-linux64-utils.zip"
- "get-moz-build-date"
- "re-dzip.sh"
- "dzip.sh"
- "versions"
- "24052.patch"
- "24052_2.patch"
script: |
  source versions
  INSTDIR="$HOME/install"
  export REFERENCE_DATETIME
  export CFLAGS="-frandom-seed=tor"
  export CXXFLAGS="-frandom-seed=tor"
  export TZ=UTC
  export LC_ALL=C
  umask 0022
  #
  # Config options for hardening-wrapper
  export DEB_BUILD_HARDENING=1
  export DEB_BUILD_HARDENING_STACKPROTECTOR=1
  export DEB_BUILD_HARDENING_FORTIFY=1
  export DEB_BUILD_HARDENING_FORMAT=1
  export DEB_BUILD_HARDENING_PIE=1
  #
  # Preparing Binutils and GCC for Tor Browser
  unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
  # Make sure gold is used with the hardening wrapper for full RELRO, see
  # #13031.
  cd $INSTDIR/binutils/bin
  rm ld
  cp /usr/bin/hardened-ld ./
  mv ld.gold ld.gold.real
  ln -sf hardened-ld ld.gold
  ln -sf ld.gold ld
  cd ~/build
  unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
  # Make sure we use the hardening wrapper when compiling Tor Browser.
  cd $INSTDIR/gcc/bin
  cp /usr/bin/hardened-cc ./
  mv gcc gcc.real
  mv c++ c++.real
  mv g++ g++.real
  ln -sf hardened-cc gcc
  ln -sf hardened-cc c++
  ln -sf hardened-cc g++
  cd ~/build
  export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
  ARCH=""
  if [ $GBUILD_BITS == "64" ];
  then
    ARCH="64"
  fi
  # Make sure our GCC gets properly used.
  export LD_LIBRARY_PATH=$INSTDIR/gcc/lib$ARCH
  #
  mkdir -p $INSTDIR/Browser/
  mkdir -p $INSTDIR/Debug/Browser/

  cd tor-browser
  patch -p1 < ../24052.patch
  patch -p1 < ../24052_2.patch
  # run get-moz-build-date before removing .git, which is used to get the year
  chmod +x ~/build/get-moz-build-date
  eval $(~/build/get-moz-build-date $(cat browser/config/version.txt))
  # .git and the src takes up a lot of useless space, and we need the space to build
  rm -rf .git
  find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME"
  rm -f configure
  rm -f js/src/configure
  make -f client.mk configure CONFIGURE_ARGS="--with-tor-browser-version=${TORBROWSER_VERSION} --with-distribution-id=org.torproject --enable-update-channel=${TORBROWSER_UPDATE_CHANNEL} --enable-bundled-fonts"
  find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME"
  make $MAKEOPTS -f client.mk build
  make -C obj-* package INNER_MAKE_PACKAGE=true
  cp -a obj-*/dist/firefox/* $INSTDIR/Browser/
  # Remove firefox-bin (we don't use it, see ticket #10126)
  rm -f $INSTDIR/Browser/firefox-bin
  # TODO: There goes FIPS-140.. We could upload these somewhere unique and
  # subsequent builds could test to see if they've been uploaded before...
  # But let's find out if it actually matters first..
  rm -f $INSTDIR/Browser/*.chk
  #
  # Make MAR-based update tools available for use during the bundle phase.
  # Note that mar and mbsdiff are standalone tools, compiled for the build
  # host's architecture.  We also include signmar, certutil, and the libraries
  # they require; these utilities and libraries are built for the target
  # architecture.
  MARTOOLS=~/build/mar-tools
  mkdir -p $MARTOOLS
  cp -p config/createprecomplete.py $MARTOOLS/
  cp -p tools/update-packaging/*.sh $MARTOOLS/
  cp -p obj-*/dist/host/bin/mar $MARTOOLS/
  cp -p obj-*/dist/host/bin/mbsdiff $MARTOOLS/
  cp -p obj-*/modules/libmar/tool/signmar $MARTOOLS/
  cp -p obj-*/security/nss/cmd/certutil/certutil $MARTOOLS/
  NSS_LIBS="libfreeblpriv3.so libmozsqlite3.so libnss3.so libnssdbm3.so libnssutil3.so libsmime3.so libsoftokn3.so libssl3.so"
  NSPR_LIBS="libnspr4.so libplc4.so libplds4.so"
  for LIB in $NSS_LIBS $NSPR_LIBS; do
    cp -p obj-*/dist/bin/$LIB $MARTOOLS/
  done
  cd ~/build
  ~/build/dzip.sh mar-tools-linux${GBUILD_BITS}.zip mar-tools
  cp -p mar-tools-linux${GBUILD_BITS}.zip $OUTDIR/
  #
  # Strip and generate debuginfo for the firefox binary that we keep, all *.so
  # files, the plugin-container, and the updater (see ticket #10126)
  cd $INSTDIR
  for LIB in Browser/*.so Browser/firefox Browser/plugin-container Browser/updater
  do
    objcopy --only-keep-debug $LIB Debug/$LIB
    strip $LIB
    objcopy --add-gnu-debuglink=./Debug/$LIB $LIB
  done
  #
  ~/build/re-dzip.sh Browser/omni.ja
  ~/build/re-dzip.sh Browser/browser/omni.ja
  ~/build/dzip.sh tor-browser-linux$GBUILD_BITS-gbuilt.zip Browser/
  ~/build/dzip.sh tor-browser-linux$GBUILD_BITS-debug.zip Debug/
  cp tor-browser-linux$GBUILD_BITS-gbuilt.zip $OUTDIR/
  cp tor-browser-linux$GBUILD_BITS-debug.zip $OUTDIR/
  #
  # XXX: Output the exact dpkgs we used to a txt file. Should this be
  # part of gitian?
  # dpkg-query -W -f='${Package}=${Version}\n' libglib2.0-dev >> $OUTDIR/bin/deps.txt