Commit 6e5a163

pulse-michaelfincham pulse-michaelfincham

committed

Improve OpenSSL 1.1.1 build hardening flags, ensure git curl extensions are built

1 parent 76807ba commit 6e5a163Copy full SHA for 6e5a163

File tree

5 files changed

+36

-18

lines changed

Dockerfile.curl-7.79.1
Dockerfile.git-2.33.0
Dockerfile.openssl-1.1.1k
Makefile
git.build.yml

5 files changed

+36

-18

lines changed

`‎Dockerfile.curl-7.79.1`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,13 +13,14 @@ cd curl-* && \`
`13`	`13`	`echo '#!/bin/sh\nexec $MUSL_TARGET-gcc -static "$@"' > /usr/local/bin/gcc && \`
`14`	`14`	`chmod +x /usr/local/bin/gcc && \`
`15`	`15`	`export CC="/usr/local/bin/gcc" && \`
`16`		`-export CPPFLAGS="-I/output/include -frandom-seed=pulse" && \`
	`16`	`+export CFLAGS="-fPIC -frandom-seed=pulse" && \`
	`17`	`+export CPPFLAGS="-I/output/include" && \`
`17`	`18`	`export LDFLAGS="-L/output/lib" && \`
`18`	`19`	`./configure \`
`19`	`20`	`--disable-ldap \`
`20`		`---disable-shared \`
`21`	`21`	`--enable-ipv6 \`
`22`	`22`	`--enable-static \`
	`23`	`+--disable-shared \`
`23`	`24`	`--enable-threaded-resolver \`
`24`	`25`	`--host=$($MUSL_TARGET-gcc -dumpmachine) \`
`25`	`26`	`--prefix=/output \`

`‎Dockerfile.git-2.33.0`

Lines changed: 9 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,24 +1,26 @@`
`1`	`1`	`ARG MUSL_TARGET=x86_64-linux-musl`
`2`		`-FROM expat-2.4.1-${MUSL_TARGET} AS expat`
`3`	`2`	`FROM zlib-1.2.11-${MUSL_TARGET} AS zlib`
	`3`	`+FROM expat-2.4.1-${MUSL_TARGET} AS expat`
`4`	`4`	`FROM openssl-1.1.1k-${MUSL_TARGET} AS openssl`
`5`	`5`	`FROM curl-7.79.1-${MUSL_TARGET} AS curl`
`6`	`6`	`FROM musl-cross-make-$MUSL_TARGET`
`7`	`7`	`ARG MUSL_TARGET`
`8`	`8`
`9`		`-COPY --from=expat /output /output`
`10`	`9`	`COPY --from=zlib /output /output`
	`10`	`+COPY --from=expat /output /output`
`11`	`11`	`COPY --from=openssl /output /output`
`12`		`-COPY --from=openssl /output /output`
	`12`	`+COPY --from=curl /output /output`
`13`	`13`
`14`	`14`	`# Avoid generating translations by dummying out msgfmt, also makes dependency on gettext optional`
`15`	`15`	`WORKDIR /build`
`16`	`16`	`RUN download https://github.com/git/git/archive/refs/tags/v2.33.0.tar.gz source.tar.gz ac8bb4bd4f689ddacd1f17c13e519c78d0f38ffc7c41dc24a4dbeb576bc88e91 && tar xf source.tar.gz`
`17`		`-RUN export PATH=/build/cross/bin:$PATH && \`
	`17`	`+RUN export PATH=/build/cross/bin:/output/bin:$PATH && \`
`18`	`18`	`cd git-* && \`
`19`	`19`	`export CC="$MUSL_TARGET-gcc" && \`
`20`		`-export CFLAGS="-static -I/output/include -frandom-seed=pulse" && \`
	`20`	`+export CFLAGS="-static -frandom-seed=pulse" && \`
	`21`	`+export CPPFLAGS="-I/output/include" && \`
`21`	`22`	`export LDFLAGS="-L/output/lib" && \`
	`23`	`+export LIBS="-lssl -lcrypto -lz" && \`
`22`	`24`	`make configure && \`
`23`	`25`	`./configure \`
`24`	`26`	`--without-tcltk \`
`@@ -28,7 +30,7 @@ echo "#!/bin/sh\nexit 0" > /usr/local/bin/msgfmt && \`
`28`	`30`	`chmod +x /usr/local/bin/msgfmt && \`
`29`	`31`	`make -j$(nproc) && \`
`30`	`32`	`make install && \`
`31`		`-rm /output/bin/git-cvsserver && \`
`32`		`-${MUSL_TARGET}-strip /output/bin/git-*`
	`33`	`+cp /output/libexec/git-core/git-remote-http* /output/bin && \`
	`34`	`+${MUSL_TARGET}-strip /output/bin/* \|\| true`
`33`	`35`
`34`	`36`	`CMD bash`

`‎Dockerfile.openssl-1.1.1k`

Lines changed: 2 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,21 +1,18 @@`
`1`	`1`	`ARG MUSL_TARGET=x86_64-linux-musl`
`2`		`-FROM zlib-1.2.11-${MUSL_TARGET} AS zlib`
`3`	`2`	`FROM musl-cross-make-${MUSL_TARGET}`
`4`	`3`	`ARG MUSL_TARGET`
`5`	`4`
`6`		`-COPY --from=zlib /output /output`
`7`		`-`
`8`	`5`	`WORKDIR /build`
`9`	`6`	`RUN download https://www.openssl.org/source/openssl-1.1.1k.tar.gz source.tar.gz 892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 && tar xf source.tar.gz`
`10`	`7`	`RUN export PATH=/build/cross/bin:$PATH && \`
`11`	`8`	`cd openssl-* && \`
`12`	`9`	`CC="gcc" \`
`13`		`-CFLAGS="-static -frandom-seed=pulse -I/output/include" \`
	`10`	`+CFLAGS="-static -fPIC -frandom-seed=pulse -I/output/include" \`
`14`	`11`	`LDFLAGS="-L/output/lib" \`
`15`	`12`	`./Configure \`
`16`	`13`	`--cross-compile-prefix=$MUSL_TARGET- \`
`17`	`14`	`-static \`
`18`		`-no-shared no-engine zlib \`
	`15`	`+no-shared no-engine no-idea no-mdc2 no-rc5 no-zlib no-ssl3 no-capieng \`
`19`	`16`	`--prefix=/output \`
`20`	`17`	`$(if echo "$MUSL_TARGET" \| grep 64 >/dev/null; then echo linux-generic64; else echo linux-generic32; fi) && \`
`21`	`18`	`make -j$(nproc) && \`

`‎Makefile`

Lines changed: 6 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ all: busybox-1.33.1 curl-7.79.1 git-2.33.0 loggedfs-0.9 nmap-7.90 openssl-1.1.1k`
`7`	`7`
`8`	`8`	`check:`
`9`	`9`	`@echo "These binaries are not built properly:"`
`10`		`- @echo $(shell file output// \| grep -E -v "statically linked, stripped$$")`
	`10`	`+ @echo "$(shell file output// \| grep -E -v "statically linked, stripped$$")"`
`11`	`11`
`12`	`12`	`## Dependencies`
`13`	`13`
`@@ -55,7 +55,7 @@ openssl-0.9.8zh: zlib-1.2.11`
`55`	`55`	`$(GRABBY_HANDS) /output/bin/openssl /grabby/$@`
`56`	`56`
`57`	`57`	`# Produces both libssl and the openssl command line tool.`
`58`		`-openssl-1.1.1k: zlib-1.2.11`
	`58`	`+openssl-1.1.1k: musl-cross-make`
`59`	`59`	`$(DOCKER_BUILD)`
`60`	`60`	`$(GRABBY_HANDS) /output/bin/openssl /grabby/$@`
`61`	`61`
`@@ -81,7 +81,9 @@ busybox-1.33.1: musl-cross-make`
`81`	`81`	`$(DOCKER_BUILD)`
`82`	`82`	`$(GRABBY_HANDS) /output/bin/busybox /grabby/$@`
`83`	`83`
`84`		`-# Other git tools (e.g. git-shell) are built but not copied out at the moment. The 'git-versuin' binary will need to be renamed to just 'git' to work.`
`85`		`-git-2.33.0: expat-2.4.1 zlib-1.2.11 openssl-1.1.1k curl-7.79.1`
	`84`	`+# Other git tools (e.g. git-shell) are built but not copied out at the moment. The 'git-version' binary will need to be renamed to just 'git' to work.`
	`85`	`+git-2.33.0: expat-2.4.1 openssl-1.1.1k curl-7.79.1 zlib-1.2.11`
`86`	`86`	`$(DOCKER_BUILD)`
`87`	`87`	`$(GRABBY_HANDS) /output/bin/git /grabby/$@`
	`88`	`+ $(GRABBY_HANDS) /output/bin/git-remote-http /grabby/git-remote-http-2.33.0`
	`89`	`+ $(GRABBY_HANDS) /output/bin/git-remote-https /grabby/git-remote-https-2.33.0`

`‎git.build.yml`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,16 @@`
	`1`	`+image: alpine/edge`
	`2`	`+packages:`
	`3`	`+ - docker`
	`4`	`+sources:`
	`5`	`+ - https://git.sr.ht/~fincham/static-binary-zoo`
	`6`	`+tasks:`
	`7`	`+ - build: \|`
	`8`	`+ sudo service docker start`
	`9`	`+ sleep 3`
	`10`	`+ sudo chmod 666 /var/run/docker.sock`
	`11`	`+ cd static-binary-zoo \|\| exit 1`
	`12`	`+ make git-2.33.0`
	`13`	`+ - bundle: \|`
	`14`	`+ tar -C static-binary-zoo/output -z -c -v -f git-2.33.0.tar.gz *`
	`15`	`+artifacts:`
	`16`	`+ - git-2.33.0.tar.gz`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 6e5a163

File tree

5 files changed

5 files changed

`‎Dockerfile.curl-7.79.1`

`‎Dockerfile.git-2.33.0`

`‎Dockerfile.openssl-1.1.1k`

`‎Makefile`

`‎git.build.yml`

0 commit comments