diff --git a/.github/workflows/build-manylinux-container-images.yml b/.github/workflows/build-manylinux-container-images.yml index f9d45c903..03556d67c 100644 --- a/.github/workflows/build-manylinux-container-images.yml +++ b/.github/workflows/build-manylinux-container-images.yml @@ -48,6 +48,8 @@ jobs: - 2014 - _2_24 # PEP 600 - _2_28 + runner-vm-os: + - ubuntu-24.04 include: - IMAGE: ARCH: x86_64 @@ -57,6 +59,11 @@ jobs: ARCH: x86_64 QEMU_ARCH: amd64 YEAR: 2010 + - IMAGE: + ARCH: armv7l + QEMU_ARCH: arm/v7 + YEAR: _2_31 # There are no base images prior to 2.31 for this arch + runner-vm-os: ubuntu-24.04-arm env: LIBSSH_VERSION: 0.9.6 diff --git a/build-scripts/manylinux-container-image/Dockerfile b/build-scripts/manylinux-container-image/Dockerfile index ff0e8c19b..2d5c61c06 100644 --- a/build-scripts/manylinux-container-image/Dockerfile +++ b/build-scripts/manylinux-container-image/Dockerfile @@ -5,13 +5,34 @@ ARG LIBSSH_VERSION=0.9.6 MAINTAINER Python Cryptographic Authority WORKDIR /root +RUN \ + if [ $(uname -m) = "x86_64" ]; \ + then \ + if stat /etc/redhat-release 1>&2 2>/dev/null; then \ + yum -y install binutils perl perl-IPC-Cmd && \ + yum -y clean all && \ + rm -rf /var/cache/yum; \ + fi; \ + fi + +# This is done as two separate steps because readelf (binutils) is not available on +# aarch64. +RUN \ + if [ $(uname -m) = "aarch64" ]; \ + then \ + if stat /etc/redhat-release 1>&2 2>/dev/null; then \ + yum -y install perl perl-IPC-Cmd && \ + yum -y clean all && \ + rm -rf /var/cache/yum; \ + fi; \ + fi + ADD build_utils.sh /root/build_utils.sh -ADD install_perl.sh /root/install_perl.sh -RUN ./install_perl.sh "${RELEASE}" ADD install_libffi.sh /root/install_libffi.sh RUN ./install_libffi.sh "${RELEASE}" ADD install_openssl.sh /root/install_openssl.sh ADD openssl-version.sh /root/openssl-version.sh +ADD list-util-pairs-25367.patch /root/list-util-pairs-25367.patch RUN ./install_openssl.sh "${RELEASE}" ADD install_virtualenv.sh /root/install_virtualenv.sh 
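Review bot: `ADD list-util-pairs-25367.patch /root/list-util-pairs-25367.patch` copies the patch into the image, but the install_openssl.sh hunk in this same commit never invokes `patch`, so unless it is applied somewhere outside this diff OpenSSL is configured with an unpatched `util/mkinstallvars.pl`. Either apply it explicitly after the `pushd`, e.g. `patch -p1 < /root/list-util-pairs-25367.patch`, or drop the ADD so the image does not carry an unused file. Separately, `stat /etc/redhat-release 1>&2 2>/dev/null` sends stat's normal output to the build's stderr instead of discarding it, and `$(uname -m)` is unquoted; `[ -f /etc/redhat-release ]` and `[ "$(uname -m)" = "x86_64" ]` say what the checks mean.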
diff --git a/build-scripts/manylinux-container-image/install_libssh.sh b/build-scripts/manylinux-container-image/install_libssh.sh index f323c9e2e..78ab1a182 100755 --- a/build-scripts/manylinux-container-image/install_libssh.sh +++ b/build-scripts/manylinux-container-image/install_libssh.sh @@ -39,7 +39,7 @@ fi # make[2]: *** [examples/libssh_scp] Error 1 # make[1]: *** [examples/CMakeFiles/libssh_scp.dir/all] Error 2 # make: *** [all] Error 2 -export LDFLAGS="-pthread -ldl" +export LDFLAGS="-pthread" # NOTE: `PKG_CONFIG_PATH` is necessary for `cmake` to be able to locate # NOTE: C-headers files `*.h`. Otherwise, the error is: diff --git a/build-scripts/manylinux-container-image/install_openssl.sh b/build-scripts/manylinux-container-image/install_openssl.sh index b9fe900d6..03177c903 100755 --- a/build-scripts/manylinux-container-image/install_openssl.sh +++ b/build-scripts/manylinux-container-image/install_openssl.sh 
@@ -8,21 +8,29 @@ MY_DIR=$(dirname "${BASH_SOURCE[0]}") # Get build utilities source $MY_DIR/build_utils.sh + +OPENSSL_URL="https://github.com/openssl/openssl/releases/download" source /root/openssl-version.sh -fetch_source "openssl-${OPENSSL_VERSION}.tar.gz" "https://www.openssl.org/source/" -check_sha256sum "openssl-${OPENSSL_VERSION}.tar.gz" ${OPENSSL_SHA256} -tar zxf openssl-${OPENSSL_VERSION}.tar.gz +curl -#LO "${OPENSSL_URL}/${OPENSSL_VERSION}/${OPENSSL_VERSION}.tar.gz" +check_sha256sum "${OPENSSL_VERSION}.tar.gz" ${OPENSSL_SHA256} +tar zxf ${OPENSSL_VERSION}.tar.gz -pushd openssl-${OPENSSL_VERSION} +pushd ${OPENSSL_VERSION} if [[ "$1" =~ '^manylinux1_.*$' ]]; then PATH=/opt/perl/bin:$PATH fi -./config $OPENSSL_BUILD_FLAGS --prefix=/opt/pyca/cryptography/openssl --openssldir=/opt/pyca/cryptography/openssl +BUILD_FLAGS="$OPENSSL_BUILD_FLAGS" +# Can't use `$(uname -m) = "armv7l"` because that returns what kernel we're +# using, and we build for armv7l with an ARM64 host. +if [ "$(readelf -h /proc/self/exe | grep -o 'Machine:.* ARM')" ]; then + BUILD_FLAGS="$OPENSSL_BUILD_FLAGS_ARMV7L" +fi +./config $BUILD_FLAGS --prefix=/opt/pyca/cryptography/openssl --openssldir=/opt/pyca/cryptography/openssl make depend make -j4 # avoid installing the docs # https://github.com/openssl/openssl/issues/6685#issuecomment-403838728 make install_sw install_ssldirs popd -rm -rf openssl-${OPENSSL_VERSION} +rm -rf ${OPENSSL_VERSION} diff --git a/build-scripts/manylinux-container-image/install_perl.sh b/build-scripts/manylinux-container-image/install_perl.sh deleted file mode 100755 index 27e70a9f6..000000000 --- a/build-scripts/manylinux-container-image/install_perl.sh +++ /dev/null 
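Review bot: The armv7l detection `readelf -h /proc/self/exe | grep -o 'Machine:.* ARM'` fails open. If `readelf` is not installed, the substitution is empty, the `if` is false, and `./config` runs with `$OPENSSL_BUILD_FLAGS` (which includes `enable-ec_nistp_64_gcc_128`) on a 32-bit userland. The Dockerfile hunk in this commit installs binutils only in its x86_64 branch, so this looks reachable on the ARM64-hosted armv7l image unless the base image already ships `readelf`. Put `command -v readelf >/dev/null || { echo "readelf missing" >&2; exit 1; }` before the test so a missing tool stops the build rather than selecting the wrong target. Adding `-f` to the `curl -#LO` call would also make an HTTP error fail at the download instead of surfacing later in `check_sha256sum`.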
@@ -1,23 +0,0 @@
-#!/bin/bash
-set -xe
-
-unset RELEASE
-
-# Get script directory
-MY_DIR=$(dirname "${BASH_SOURCE[0]}")
-
-# Get build utilities
-source $MY_DIR/build_utils.sh
-
-PERL_SHA256="e6c185c9b09bdb3f1b13f678999050c639859a7ef39c8cad418448075f5918af"
-PERL_VERSION="5.24.1"
-
-if [[ "$1" =~ "^manylinux1_*" ]]; then
- fetch_source "perl-${PERL_VERSION}.tar.gz" "https://www.cpan.org/src/5.0"
- check_sha256sum "perl-${PERL_VERSION}.tar.gz" ${PERL_SHA256}
-
- tar zxf perl-$PERL_VERSION.tar.gz && \
- cd perl-$PERL_VERSION && \
- ./Configure -des -Dprefix=/opt/perl && \
- make -j && make install
-fi
diff --git a/build-scripts/manylinux-container-image/list-util-pairs-25367.patch b/build-scripts/manylinux-container-image/list-util-pairs-25367.patch
new file mode 100644
index 000000000..cb6d1a712
--- /dev/null
+++ b/build-scripts/manylinux-container-image/list-util-pairs-25367.patch
@@ -0,0 +1,51 @@
+diff --git a/util/mkinstallvars.pl b/util/mkinstallvars.pl
+index 52a3d607bd..b67a1c477f 100644
+--- a/util/mkinstallvars.pl
++++ b/util/mkinstallvars.pl
+@@ -10,8 +10,14 @@
+ # form, or passed as variable assignments on the command line.
+ # The result is a Perl module creating the package OpenSSL::safe::installdata.
+ 
++use 5.10.0;
++use strict;
++use warnings;
++use Carp;
++
+ use File::Spec;
+-use List::Util qw(pairs);
++#use List::Util qw(pairs);
++sub _pairs (@);
+ 
+ # These are expected to be set up as absolute directories
+ my @absolutes = qw(PREFIX libdir);
+@@ -19,9 +25,9 @@ my @absolutes = qw(PREFIX libdir);
+ # as subdirectories to PREFIX or LIBDIR. The order of the pairs is important,
+ # since the LIBDIR subdirectories depend on the calculation of LIBDIR from
+ # PREFIX.
+-my @subdirs = pairs (PREFIX => [ qw(BINDIR LIBDIR INCLUDEDIR APPLINKDIR) ],
+- LIBDIR => [ qw(ENGINESDIR MODULESDIR PKGCONFIGDIR
+- CMAKECONFIGDIR) ]);
++my @subdirs = _pairs (PREFIX => [ qw(BINDIR LIBDIR INCLUDEDIR APPLINKDIR) ],
++ LIBDIR => [ qw(ENGINESDIR MODULESDIR PKGCONFIGDIR
++ CMAKECONFIGDIR) ]);
+ # For completeness, other expected variables
+ my @others = qw(VERSION LDLIBS);
+ 
+@@ -151,3 +157,17 @@ our \@LDLIBS =
+ 
+ 1;
+ _____
++
++######## Helpers
++
++sub _pairs (@) {
++ croak "Odd number of arguments" if @_ & 1;
++
++ my @pairlist = ();
++
++ while (@_) {
++ my $x = [ shift, shift ];
++ push @pairlist, $x;
++ }
++ return @pairlist;
++}
diff --git a/build-scripts/manylinux-container-image/openssl-version.sh b/build-scripts/manylinux-container-image/openssl-version.sh
index 3fe167cc3..51f7fd4f4 100644
--- a/build-scripts/manylinux-container-image/openssl-version.sh
+++ b/build-scripts/manylinux-container-image/openssl-version.sh
@@ -1,6 +1,7 @@
-export OPENSSL_VERSION="1.1.1k"
-export OPENSSL_SHA256="892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5"
+export OPENSSL_VERSION="openssl-3.4.1"
+export OPENSSL_SHA256="002a2d6b30b58bf4bea46c43bdd96365aaf8daa6c428782aa4feee06da197df3"
 # We need a base set of flags because on Windows using MSVC
 # enable-ec_nistp_64_gcc_128 doesn't work since there's no 128-bit type
-export OPENSSL_BUILD_FLAGS_WINDOWS="no-ssl3 no-ssl3-method no-zlib no-shared no-comp no-dynamic-engine"
+export OPENSSL_BUILD_FLAGS_WINDOWS="no-ssl3 no-ssl3-method no-zlib no-shared no-module no-comp no-dynamic-engine no-apps no-docs no-sm2-precomp no-atexit"
+export OPENSSL_BUILD_FLAGS_ARMV7L="linux-armv4 ${OPENSSL_BUILD_FLAGS_WINDOWS}"
 export OPENSSL_BUILD_FLAGS="${OPENSSL_BUILD_FLAGS_WINDOWS} enable-ec_nistp_64_gcc_128"