# dependencies
dnf install rust cargo protobuf-devel golang dbus-devel rpm-build
# rust dependencies
cargo install --git https://github.com/volta-cli/volta && volta setup
# the toolchain is managed by volta
# node.js and npm required
It has a build script and everything seems pretty easy done locally, but I dont understand any of the COPR fields at all.
I dont want to state the generalized repo name of all RPMs, and how do I install rust packages, their dependencies and initialize those?
How do I run this build script on the COPR server?
I would be so glad if someone could explain how COPR works, if it already has some really good building tool in the background that doesnt work with anything but source RPMs. Or if its more modular and allows things like that, which dont seem to be rare for me?
The app consists mainly of compiled rust packages. This build process is unsigned.
This is the build script
#!/usr/bin/env bash
# This script is used to build, and optionally sign the app.
# See `README.md` for further instructions.
set -eu
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd "$SCRIPT_DIR"
source scripts/utils/log
################################################################################
# Analyze environment and parse arguments
################################################################################
RUSTC_VERSION=$(rustc --version)
CARGO_TARGET_DIR=${CARGO_TARGET_DIR:-"target"}
echo "Computing build version..."
PRODUCT_VERSION=$(cargo run -q --bin mullvad-version)
log_header "Building Mullvad VPN $PRODUCT_VERSION"
# If compiler optimization and artifact compression should be turned on or not
OPTIMIZE="false"
# If the produced binaries should be signed (Windows + macOS only)
SIGN="false"
# If the produced app and pkg should be notarized by apple (macOS only)
NOTARIZE="false"
# If a macOS build should create an installer artifact working on both
# Intel and Apple Silicon Macs
UNIVERSAL="false"
while [[ "$#" -gt 0 ]]; do
case $1 in
--optimize) OPTIMIZE="true";;
--sign) SIGN="true";;
--notarize) NOTARIZE="true";;
--universal)
if [[ "$(uname -s)" != "Darwin" ]]; then
log_error "--universal only works on macOS"
exit 1
fi
UNIVERSAL="true"
;;
*)
log_error "Unknown parameter: $1"
exit 1
;;
esac
shift
done
# Check if we are a building a release. Meaning we are configured to build with optimizations,
# sign the artifacts, AND we are currently building on a release git tag.
# Everything that is not a release build is called a "dev build" and has "-dev-{commit hash}"
# appended to the version name.
IS_RELEASE="false"
if [[ "$SIGN" == "true" && "$OPTIMIZE" == "true" && "$PRODUCT_VERSION" != *"-dev-"* ]]; then
IS_RELEASE="true"
fi
################################################################################
# Configure build
################################################################################
CARGO_ARGS=()
NPM_PACK_ARGS=()
if [[ -n ${TARGETS:-""} ]]; then
NPM_PACK_ARGS+=(--targets "${TARGETS[*]}")
fi
if [[ "$UNIVERSAL" == "true" ]]; then
if [[ -n ${TARGETS:-""} ]]; then
log_error "'TARGETS' and '--universal' cannot be specified simultaneously."
exit 1
fi
TARGETS=(x86_64-apple-darwin aarch64-apple-darwin)
NPM_PACK_ARGS+=(--universal)
fi
if [[ "$OPTIMIZE" == "true" ]]; then
CARGO_ARGS+=(--release)
RUST_BUILD_MODE="release"
CPP_BUILD_MODE="Release"
NPM_PACK_ARGS+=(--release)
else
RUST_BUILD_MODE="debug"
NPM_PACK_ARGS+=(--no-compression)
CPP_BUILD_MODE="Debug"
fi
if [[ "$SIGN" == "true" ]]; then
if [[ $(git diff --shortstat 2> /dev/null | tail -n1) != "" ]]; then
log_error "Dirty working directory!"
log_error "Will only build a signed app in a clean working directory"
exit 1
fi
if [[ "$(uname -s)" == "Darwin" || "$(uname -s)" == "MINGW"* ]]; then
log_info "Configuring environment for signing of binaries"
if [[ -z ${CSC_LINK-} ]]; then
log_error "The variable CSC_LINK is not set. It needs to point to a file containing the"
log_error "private key used for signing of binaries."
exit 1
fi
if [[ -z ${CSC_KEY_PASSWORD-} ]]; then
read -rsp "CSC_KEY_PASSWORD = " CSC_KEY_PASSWORD
echo ""
export CSC_KEY_PASSWORD
fi
# macOS: This needs to be set to 'true' to activate signing, even when CSC_LINK is set.
export CSC_IDENTITY_AUTO_DISCOVERY=true
if [[ "$(uname -s)" == "MINGW"* ]]; then
CERT_FILE=$CSC_LINK
CERT_PASSPHRASE=$CSC_KEY_PASSWORD
unset CSC_LINK CSC_KEY_PASSWORD
export CSC_IDENTITY_AUTO_DISCOVERY=false
fi
else
unset CSC_LINK CSC_KEY_PASSWORD
export CSC_IDENTITY_AUTO_DISCOVERY=false
fi
else
log_info "!! Unsigned build. Not for general distribution !!"
unset CSC_LINK CSC_KEY_PASSWORD
export CSC_IDENTITY_AUTO_DISCOVERY=false
fi
if [[ "$NOTARIZE" == "true" ]]; then
NPM_PACK_ARGS+=(--notarize)
fi
if [[ "$IS_RELEASE" == "true" ]]; then
log_info "Removing old Rust build artifacts..."
cargo clean
# Will not allow an outdated lockfile in releases
CARGO_ARGS+=(--locked)
else
# Allow dev builds to override which API server to use at runtime.
CARGO_ARGS+=(--features api-override)
fi
# Make Windows builds include a manifest in the daemon binary declaring it must
# be run as admin.
if [[ "$(uname -s)" == "MINGW"* ]]; then
export MULLVAD_ADD_MANIFEST="1"
fi
################################################################################
# Compile and build
################################################################################
# Sign all binaries passed as arguments to this function
function sign_win {
local NUM_RETRIES=3
for binary in "$@"; do
# Try multiple times in case the timestamp server cannot
# be contacted.
for i in $(seq 0 ${NUM_RETRIES}); do
log_info "Signing $binary..."
if signtool sign \
-tr http://timestamp.digicert.com -td sha256 \
-fd sha256 -d "Mullvad VPN" \
-du "https://github.com/mullvad/mullvadvpn-app#readme" \
-f "$CERT_FILE" \
-p "$CERT_PASSPHRASE" "$binary"
then
break
fi
if [ "$i" -eq "${NUM_RETRIES}" ]; then
return 1
fi
sleep 1
done
done
return 0
}
# Build the daemon and other Rust/C++ binaries, optionally
# sign them, strip them of debug symbols and copy to `dist-assets/`.
function build {
local current_target=${1:-""}
local for_target_string=""
local stripbin="strip"
if [[ -n $current_target ]]; then
for_target_string=" for $current_target"
if [[ "$current_target" == "aarch64-unknown-linux-gnu" && "$(uname -m)" != "aarch64" ]]; then
stripbin="aarch64-linux-gnu-strip"
fi
fi
################################################################################
# Compile and link all binaries.
################################################################################
if [[ "$(uname -s)" != "MINGW"* ]]; then
log_header "Building wireguard-go$for_target_string"
./wireguard/build-wireguard-go.sh "$current_target"
fi
log_header "Building Rust code in $RUST_BUILD_MODE mode using $RUSTC_VERSION$for_target_string"
local cargo_target_arg=()
if [[ -n $current_target ]]; then
cargo_target_arg+=(--target="$current_target")
fi
local cargo_crates_to_build=(
-p mullvad-daemon --bin mullvad-daemon
-p mullvad-cli --bin mullvad
-p mullvad-setup --bin mullvad-setup
-p mullvad-problem-report --bin mullvad-problem-report
-p talpid-openvpn-plugin --lib
)
if [[ ("$(uname -s)" == "Linux") ]]; then
cargo_crates_to_build+=(-p mullvad-exclude --bin mullvad-exclude)
fi
cargo build "${cargo_target_arg[@]}" "${CARGO_ARGS[@]}" "${cargo_crates_to_build[@]}"
################################################################################
# Move binaries to correct locations in dist-assets
################################################################################
# All the binaries produced by cargo that we want to include in the app
if [[ ("$(uname -s)" == "Darwin") ]]; then
BINARIES=(
mullvad-daemon
mullvad
mullvad-problem-report
libtalpid_openvpn_plugin.dylib
mullvad-setup
)
elif [[ ("$(uname -s)" == "Linux") ]]; then
BINARIES=(
mullvad-daemon
mullvad
mullvad-problem-report
libtalpid_openvpn_plugin.so
mullvad-setup
mullvad-exclude
)
elif [[ ("$(uname -s)" == "MINGW"*) ]]; then
BINARIES=(
mullvad-daemon.exe
mullvad.exe
mullvad-problem-report.exe
talpid_openvpn_plugin.dll
mullvad-setup.exe
)
fi
if [[ -n $current_target ]]; then
local cargo_output_dir="$CARGO_TARGET_DIR/$current_target/$RUST_BUILD_MODE"
# To make it easier to package multiple targets, the binaries are
# located in a directory with the name of the target triple.
local destination_dir="dist-assets/$current_target"
mkdir -p "$destination_dir"
else
local cargo_output_dir="$CARGO_TARGET_DIR/$RUST_BUILD_MODE"
local destination_dir="dist-assets"
fi
for binary in ${BINARIES[*]}; do
local source="$cargo_output_dir/$binary"
local destination="$destination_dir/$binary"
if [[ "$(uname -s)" == "MINGW"* || "$binary" == *.dylib ]]; then
log_info "Copying $source => $destination"
cp "$source" "$destination"
else
log_info "Stripping $source => $destination"
"${stripbin}" "$source" -o "$destination"
fi
if [[ "$SIGN" == "true" && "$(uname -s)" == "MINGW"* ]]; then
sign_win "$destination"
fi
done
}
if [[ "$(uname -s)" == "MINGW"* ]]; then
log_header "Building C++ code in $CPP_BUILD_MODE mode"
CPP_BUILD_MODES=$CPP_BUILD_MODE IS_RELEASE=$IS_RELEASE ./build-windows-modules.sh
if [[ "$SIGN" == "true" ]]; then
CPP_BINARIES=(
"windows/winfw/bin/x64-$CPP_BUILD_MODE/winfw.dll"
"windows/driverlogic/bin/x64-$CPP_BUILD_MODE/driverlogic.exe"
# The nsis plugin is always built in 32 bit release mode
windows/nsis-plugins/bin/Win32-Release/*.dll
)
sign_win "${CPP_BINARIES[@]}"
fi
fi
# Compile for all defined targets, or the current architecture if unspecified.
if [[ -n ${TARGETS:-""} ]]; then
for t in ${TARGETS[*]}; do
source env.sh "$t"
build "$t"
done
else
source env.sh ""
if [[ "$(uname -s)" == "Darwin" ]]; then
# Provide target for non-universal macOS builds to use the same output location as for
# universal builds
build "$ENV_TARGET"
else
build
fi
fi
################################################################################
# Package app.
################################################################################
log_header "Preparing for packaging Mullvad VPN $PRODUCT_VERSION"
if [[ "$(uname -s)" == "Darwin" || "$(uname -s)" == "Linux" ]]; then
mkdir -p "build/shell-completions"
for sh in bash zsh fish; do
log_info "Generating shell completion script for $sh..."
cargo run --bin mullvad "${CARGO_ARGS[@]}" -- shell-completions "$sh" \
"build/shell-completions/"
done
fi
log_info "Updating relays.json..."
cargo run --bin relay_list "${CARGO_ARGS[@]}" > build/relays.json
log_header "Installing JavaScript dependencies"
pushd gui
npm ci
log_header "Packing Mullvad VPN $PRODUCT_VERSION artifact(s)"
case "$(uname -s)" in
Linux*) npm run pack:linux -- "${NPM_PACK_ARGS[@]}";;
Darwin*) npm run pack:mac -- "${NPM_PACK_ARGS[@]}";;
MINGW*) npm run pack:win -- "${NPM_PACK_ARGS[@]}";;
esac
popd
# sign installer on Windows
if [[ "$SIGN" == "true" && "$(uname -s)" == "MINGW"* ]]; then
for installer_path in dist/*"$PRODUCT_VERSION"*.exe; do
log_info "Signing $installer_path"
sign_win "$installer_path"
done
fi
log_success "**********************************"
log_success ""
log_success " The build finished successfully! "
log_success " You have built:"
log_success ""
log_success " $PRODUCT_VERSION"
log_success ""
log_success "**********************************"
Oh, and thank you for interest in sfind - its my first non-trivia rust program.
I still have a lot to learn about rust!
My copr home page is barryascott/tools Copr
where you can see the instructions on adding my copr repo to your system so that you then dnf install sfind.
For building on COPR, you would need to wrap everything up into an RPM package. Once you have a “source rpm” (aka SRPM aka .src.rpm file), you can upload that to a COPR you created, where it will be built into installable RPMs, and COPR will provide repository definitions, so it can be added as an additional package source by users.
This looks like you would need to package two things separately - volta (it seems to be the build tool for the Mullvad VPN client?), and the Mullvad VPN client itself.
I can’t speak to how to build the latter, but for building projects with cargo, you will need to supply it will all the Rust dependencies it needs. One way to do that is to allow internet access during the build (but that would undermine the “trust” argument), or you supply all dependencies as additional sources (i.e. a compressed “vendor” directory that was generated by “cargo vendor”).
It looks like the Mullvad VPN desktop client is an electron app, so you will likely need to enable internet access for building that, as well
Fedora packages lots of the rust crates. By using rust2rpm you get the .src.rpm that has the dependencies from Cargo.toml expressed as RPM dependencies.
If any crates are missing then “just” package them using rust2rpm as well.
Copr will not allow network access, so that is not an option.
rust2rpm itself is a RPM program right? I would need to install this on some kind of server, where I can then update all the packages constantly, as otherwise they would be outdated I guess. Create always new .src.rpm files and upload them to COPR.
Okay, so electron Apps need internet access during build? COPR had a checkbox “internet access during build”, why is that not working?
I understand why so many COPR repos have a single package, thats like three years old, now
You install the rpm to have the program available, just like every thing else on fedora.
Constantly? What once every 10 minutes?
You will only need to run the rpm making process each time you think it is required to sync with upstream.
As you can see from my script you can automate the process so that it is not a burden.
I am a Fedora packaged and like that network access is not used in builds.
This help prevents a number of possible security issues as well as meaning you have predicable builds.
There are lots of experimental builds on copr that are not suitable for general release. Those that are you hope the package will keep updated.
Copr, by default, deletes repos when the release goes end-of-life.
Which is a little over 1 year for fedora repos on copr.
3 year old packages I guess must be for EPEL?
COPR does allow network access if you configure it that way.
The internet access thing was for downloading the Rust dependencies, not something specific to electron. But when using rust2rpm for generating RPM spec files for Rust crates, it specifically configures the package’s build system to NOT load dependencies over the internet, because that is not allowed (and would fail) in most environments. If you want to do this, you will need to make adjustments to the spec file that is generated by rust2rpm.
I’m not sure we’re on the same page here. rust2rpm is a Python program - while it’s not published on PyPI, it is packaged as an RPM for Fedora. I guess what you’re getting at is that you’d want to run rust2rpm for every new version of a Rust crate, and package that automatically? There’s no support for “crate” sources built-in to COPR yet (unlike Ruby gems or R packages). And even if it were, there would still need to be some kind of external thing that actually triggers builds for new versions.
Long story short, I think having the Mullvad VPN client available as a package for Fedora would be great – however, judging from the questions you’re asking here, I think starting with something simpler for your first RPM package (just to understand how all the pieces fit together) would be an easier approach to this problem than jumping head first into cold water
There’s plenty documentation for doing RPM packaging, and the RPM Packaging Guide is probably a good starting point:
Once those basics are clear, you should be able to build a simple package in COPR. And then for more advanced and more in-depth topics, there’s the Packaging Guidelines for Fedora, which have comprehensive rules and documentation for how to approach packaging different types of projects:
