How do I use COPR with Rust and dependencies?

I want to make a COPR repo of the MulvadVPN Desktop client

It would add additional trust, as the COPR and their binaries could be compared, also updating is a total pain on ostree.

Here are the build instructions

# dependencies
dnf install rust cargo protobuf-devel golang dbus-devel rpm-build

# rust dependencies
cargo install --git https://github.com/volta-cli/volta && volta setup

# the toolchain is managed by volta
# node.js and npm required

It has a build script and everything seems pretty easy done locally, but I dont understand any of the COPR fields at all.

I dont want to state the generalized repo name of all RPMs, and how do I install rust packages, their dependencies and initialize those?

How do I run this build script on the COPR server?

I would be so glad if someone could explain how COPR works, if it already has some really good building tool in the background that doesnt work with anything but source RPMs. Or if its more modular and allows things like that, which dont seem to be rare for me?

Meanwhile building locally worked normally, here in a Fedora Distrobox:

sudo dnf install cargo rust golang protobuf-devel dbus-devel -y

cargo init

cargo install --git https://github.com/volta-cli/volta && volta setup

mkdir ~/Git && cd ~/Git
git clone https://github.com/mullvad/mullvadvpn-app.git
cd mullvadvpn-app
git submodule update --init

./build.sh

The app consists mainly of compiled rust packages. This build process is unsigned.

This is the build script

#!/usr/bin/env bash

# This script is used to build, and optionally sign the app.
# See `README.md` for further instructions.

set -eu

SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd "$SCRIPT_DIR"

source scripts/utils/log

################################################################################
# Analyze environment and parse arguments
################################################################################

RUSTC_VERSION=$(rustc --version)
CARGO_TARGET_DIR=${CARGO_TARGET_DIR:-"target"}

echo "Computing build version..."
PRODUCT_VERSION=$(cargo run -q --bin mullvad-version)
log_header "Building Mullvad VPN $PRODUCT_VERSION"

# If compiler optimization and artifact compression should be turned on or not
OPTIMIZE="false"
# If the produced binaries should be signed (Windows + macOS only)
SIGN="false"
# If the produced app and pkg should be notarized by apple (macOS only)
NOTARIZE="false"
# If a macOS build should create an installer artifact working on both
# Intel and Apple Silicon Macs
UNIVERSAL="false"

while [[ "$#" -gt 0 ]]; do
    case $1 in
        --optimize) OPTIMIZE="true";;
        --sign)     SIGN="true";;
        --notarize) NOTARIZE="true";;
        --universal)
            if [[ "$(uname -s)" != "Darwin" ]]; then
                log_error "--universal only works on macOS"
                exit 1
            fi
            UNIVERSAL="true"
            ;;
        *)
            log_error "Unknown parameter: $1"
            exit 1
            ;;
    esac
    shift
done

# Check if we are a building a release. Meaning we are configured to build with optimizations,
# sign the artifacts, AND we are currently building on a release git tag.
# Everything that is not a release build is called a "dev build" and has "-dev-{commit hash}"
# appended to the version name.
IS_RELEASE="false"
if [[ "$SIGN" == "true" && "$OPTIMIZE" == "true" && "$PRODUCT_VERSION" != *"-dev-"* ]]; then
    IS_RELEASE="true"
fi

################################################################################
# Configure build
################################################################################

CARGO_ARGS=()
NPM_PACK_ARGS=()

if [[ -n ${TARGETS:-""} ]]; then
    NPM_PACK_ARGS+=(--targets "${TARGETS[*]}")
fi

if [[ "$UNIVERSAL" == "true" ]]; then
    if [[ -n ${TARGETS:-""} ]]; then
        log_error "'TARGETS' and '--universal' cannot be specified simultaneously."
        exit 1
    fi

    TARGETS=(x86_64-apple-darwin aarch64-apple-darwin)
    NPM_PACK_ARGS+=(--universal)
fi

if [[ "$OPTIMIZE" == "true" ]]; then
    CARGO_ARGS+=(--release)
    RUST_BUILD_MODE="release"
    CPP_BUILD_MODE="Release"
    NPM_PACK_ARGS+=(--release)
else
    RUST_BUILD_MODE="debug"
    NPM_PACK_ARGS+=(--no-compression)
    CPP_BUILD_MODE="Debug"
fi

if [[ "$SIGN" == "true" ]]; then
    if [[ $(git diff --shortstat 2> /dev/null | tail -n1) != "" ]]; then
        log_error "Dirty working directory!"
        log_error "Will only build a signed app in a clean working directory"
        exit 1
    fi

    if [[ "$(uname -s)" == "Darwin" || "$(uname -s)" == "MINGW"* ]]; then
        log_info "Configuring environment for signing of binaries"
        if [[ -z ${CSC_LINK-} ]]; then
            log_error "The variable CSC_LINK is not set. It needs to point to a file containing the"
            log_error "private key used for signing of binaries."
            exit 1
        fi
        if [[ -z ${CSC_KEY_PASSWORD-} ]]; then
            read -rsp "CSC_KEY_PASSWORD = " CSC_KEY_PASSWORD
            echo ""
            export CSC_KEY_PASSWORD
        fi
        # macOS: This needs to be set to 'true' to activate signing, even when CSC_LINK is set.
        export CSC_IDENTITY_AUTO_DISCOVERY=true

        if [[ "$(uname -s)" == "MINGW"* ]]; then
            CERT_FILE=$CSC_LINK
            CERT_PASSPHRASE=$CSC_KEY_PASSWORD
            unset CSC_LINK CSC_KEY_PASSWORD
            export CSC_IDENTITY_AUTO_DISCOVERY=false
        fi
    else
        unset CSC_LINK CSC_KEY_PASSWORD
        export CSC_IDENTITY_AUTO_DISCOVERY=false
    fi
else
    log_info "!! Unsigned build. Not for general distribution !!"
    unset CSC_LINK CSC_KEY_PASSWORD
    export CSC_IDENTITY_AUTO_DISCOVERY=false
fi

if [[ "$NOTARIZE" == "true" ]]; then
    NPM_PACK_ARGS+=(--notarize)
fi

if [[ "$IS_RELEASE" == "true" ]]; then
    log_info "Removing old Rust build artifacts..."
    cargo clean

    # Will not allow an outdated lockfile in releases
    CARGO_ARGS+=(--locked)
else
    # Allow dev builds to override which API server to use at runtime.
    CARGO_ARGS+=(--features api-override)
fi

# Make Windows builds include a manifest in the daemon binary declaring it must
# be run as admin.
if [[ "$(uname -s)" == "MINGW"* ]]; then
    export MULLVAD_ADD_MANIFEST="1"
fi

################################################################################
# Compile and build
################################################################################

# Sign all binaries passed as arguments to this function
function sign_win {
    local NUM_RETRIES=3

    for binary in "$@"; do
        # Try multiple times in case the timestamp server cannot
        # be contacted.
        for i in $(seq 0 ${NUM_RETRIES}); do
            log_info "Signing $binary..."
            if signtool sign \
                -tr http://timestamp.digicert.com -td sha256 \
                -fd sha256 -d "Mullvad VPN" \
                -du "https://github.com/mullvad/mullvadvpn-app#readme" \
                -f "$CERT_FILE" \
                -p "$CERT_PASSPHRASE" "$binary"
            then
                break
            fi

            if [ "$i" -eq "${NUM_RETRIES}" ]; then
                return 1
            fi

            sleep 1
        done
    done
    return 0
}

# Build the daemon and other Rust/C++ binaries, optionally
# sign them, strip them of debug symbols and copy to `dist-assets/`.
function build {
    local current_target=${1:-""}
    local for_target_string=""
    local stripbin="strip"
    if [[ -n $current_target ]]; then
        for_target_string=" for $current_target"

        if [[ "$current_target" == "aarch64-unknown-linux-gnu" && "$(uname -m)" != "aarch64" ]]; then
            stripbin="aarch64-linux-gnu-strip"
        fi
    fi

    ################################################################################
    # Compile and link all binaries.
    ################################################################################

    if [[ "$(uname -s)" != "MINGW"* ]]; then
        log_header "Building wireguard-go$for_target_string"
        ./wireguard/build-wireguard-go.sh "$current_target"
    fi

    log_header "Building Rust code in $RUST_BUILD_MODE mode using $RUSTC_VERSION$for_target_string"

    local cargo_target_arg=()
    if [[ -n $current_target ]]; then
        cargo_target_arg+=(--target="$current_target")
    fi
    local cargo_crates_to_build=(
        -p mullvad-daemon --bin mullvad-daemon
        -p mullvad-cli --bin mullvad
        -p mullvad-setup --bin mullvad-setup
        -p mullvad-problem-report --bin mullvad-problem-report
        -p talpid-openvpn-plugin --lib
    )
    if [[ ("$(uname -s)" == "Linux") ]]; then
        cargo_crates_to_build+=(-p mullvad-exclude --bin mullvad-exclude)
    fi
    cargo build "${cargo_target_arg[@]}" "${CARGO_ARGS[@]}" "${cargo_crates_to_build[@]}"

    ################################################################################
    # Move binaries to correct locations in dist-assets
    ################################################################################

    # All the binaries produced by cargo that we want to include in the app
    if [[ ("$(uname -s)" == "Darwin") ]]; then
        BINARIES=(
            mullvad-daemon
            mullvad
            mullvad-problem-report
            libtalpid_openvpn_plugin.dylib
            mullvad-setup
        )
    elif [[ ("$(uname -s)" == "Linux") ]]; then
        BINARIES=(
            mullvad-daemon
            mullvad
            mullvad-problem-report
            libtalpid_openvpn_plugin.so
            mullvad-setup
            mullvad-exclude
        )
    elif [[ ("$(uname -s)" == "MINGW"*) ]]; then
        BINARIES=(
            mullvad-daemon.exe
            mullvad.exe
            mullvad-problem-report.exe
            talpid_openvpn_plugin.dll
            mullvad-setup.exe
        )
    fi

    if [[ -n $current_target ]]; then
        local cargo_output_dir="$CARGO_TARGET_DIR/$current_target/$RUST_BUILD_MODE"
        # To make it easier to package multiple targets, the binaries are
        # located in a directory with the name of the target triple.
        local destination_dir="dist-assets/$current_target"
        mkdir -p "$destination_dir"
    else
        local cargo_output_dir="$CARGO_TARGET_DIR/$RUST_BUILD_MODE"
        local destination_dir="dist-assets"
    fi

    for binary in ${BINARIES[*]}; do
        local source="$cargo_output_dir/$binary"
        local destination="$destination_dir/$binary"

        if [[ "$(uname -s)" == "MINGW"* || "$binary" == *.dylib ]]; then
            log_info "Copying $source => $destination"
            cp "$source" "$destination"
        else
            log_info "Stripping $source => $destination"
            "${stripbin}" "$source" -o "$destination"
        fi

        if [[ "$SIGN" == "true" && "$(uname -s)" == "MINGW"* ]]; then
            sign_win "$destination"
        fi
    done
}

if [[ "$(uname -s)" == "MINGW"* ]]; then
    log_header "Building C++ code in $CPP_BUILD_MODE mode"
    CPP_BUILD_MODES=$CPP_BUILD_MODE IS_RELEASE=$IS_RELEASE ./build-windows-modules.sh

    if [[ "$SIGN" == "true" ]]; then
        CPP_BINARIES=(
            "windows/winfw/bin/x64-$CPP_BUILD_MODE/winfw.dll"
            "windows/driverlogic/bin/x64-$CPP_BUILD_MODE/driverlogic.exe"
            # The nsis plugin is always built in 32 bit release mode
            windows/nsis-plugins/bin/Win32-Release/*.dll
        )
        sign_win "${CPP_BINARIES[@]}"
    fi
fi

# Compile for all defined targets, or the current architecture if unspecified.
if [[ -n ${TARGETS:-""} ]]; then
    for t in ${TARGETS[*]}; do
        source env.sh "$t"
        build "$t"
    done
else
    source env.sh ""
    if [[ "$(uname -s)" == "Darwin" ]]; then
        # Provide target for non-universal macOS builds to use the same output location as for
        # universal builds
        build "$ENV_TARGET"
    else
        build
    fi
fi

################################################################################
# Package app.
################################################################################

log_header "Preparing for packaging Mullvad VPN $PRODUCT_VERSION"

if [[ "$(uname -s)" == "Darwin" || "$(uname -s)" == "Linux" ]]; then
    mkdir -p "build/shell-completions"
    for sh in bash zsh fish; do
        log_info "Generating shell completion script for $sh..."
        cargo run --bin mullvad "${CARGO_ARGS[@]}" -- shell-completions "$sh" \
            "build/shell-completions/"
    done
fi

log_info "Updating relays.json..."
cargo run --bin relay_list "${CARGO_ARGS[@]}" > build/relays.json


log_header "Installing JavaScript dependencies"

pushd gui
npm ci

log_header "Packing Mullvad VPN $PRODUCT_VERSION artifact(s)"

case "$(uname -s)" in
    Linux*)     npm run pack:linux -- "${NPM_PACK_ARGS[@]}";;
    Darwin*)    npm run pack:mac -- "${NPM_PACK_ARGS[@]}";;
    MINGW*)     npm run pack:win -- "${NPM_PACK_ARGS[@]}";;
esac
popd

# sign installer on Windows
if [[ "$SIGN" == "true" && "$(uname -s)" == "MINGW"* ]]; then
    for installer_path in dist/*"$PRODUCT_VERSION"*.exe; do
        log_info "Signing $installer_path"
        sign_win "$installer_path"
    done
fi

log_success "**********************************"
log_success ""
log_success " The build finished successfully! "
log_success " You have built:"
log_success ""
log_success " $PRODUCT_VERSION"
log_success ""
log_success "**********************************"

I had to solve this issue for one of my projects.

You can read the script I use to build on copr and locally with mock.

Script: https://github.com/barry-scott/sfind/blob/main/build-for-fedora.sh

2 Likes

awesome project! I will have to try it. So COPR is a program with its own config file and all?

copr is a Fedora service, to use it you need a Fedora account (aka FAS).
I cannot recall what the requirements are on getting an account.

Hosted: https://copr.fedorainfracloud.org/

Oh, and thank you for interest in sfind - its my first non-trivia rust program.
I still have a lot to learn about rust!

Oh, and thank you for interest in sfind - its my first non-trivia rust program.
I still have a lot to learn about rust!

My copr home page is barryascott/tools Copr
where you can see the instructions on adding my copr repo to your system so that you then dnf install sfind.

1 Like

For building on COPR, you would need to wrap everything up into an RPM package. Once you have a “source rpm” (aka SRPM aka .src.rpm file), you can upload that to a COPR you created, where it will be built into installable RPMs, and COPR will provide repository definitions, so it can be added as an additional package source by users.

This looks like you would need to package two things separately - volta (it seems to be the build tool for the Mullvad VPN client?), and the Mullvad VPN client itself.

I can’t speak to how to build the latter, but for building projects with cargo, you will need to supply it will all the Rust dependencies it needs. One way to do that is to allow internet access during the build (but that would undermine the “trust” argument), or you supply all dependencies as additional sources (i.e. a compressed “vendor” directory that was generated by “cargo vendor”).

It looks like the Mullvad VPN desktop client is an electron app, so you will likely need to enable internet access for building that, as well :frowning:

1 Like

Fedora packages lots of the rust crates. By using rust2rpm you get the .src.rpm that has the dependencies from Cargo.toml expressed as RPM dependencies.
If any crates are missing then “just” package them using rust2rpm as well.

Copr will not allow network access, so that is not an option.

1 Like

rust2rpm itself is a RPM program right? I would need to install this on some kind of server, where I can then update all the packages constantly, as otherwise they would be outdated I guess. Create always new .src.rpm files and upload them to COPR.

Okay, so electron Apps need internet access during build? COPR had a checkbox “internet access during build”, why is that not working?

I understand why so many COPR repos have a single package, thats like three years old, now

You install the rpm to have the program available, just like every thing else on fedora.

Constantly? What once every 10 minutes?
You will only need to run the rpm making process each time you think it is required to sync with upstream.

As you can see from my script you can automate the process so that it is not a burden.

I am a Fedora packaged and like that network access is not used in builds.
This help prevents a number of possible security issues as well as meaning you have predicable builds.

1 Like

There are lots of experimental builds on copr that are not suitable for general release. Those that are you hope the package will keep updated.

Copr, by default, deletes repos when the release goes end-of-life.
Which is a little over 1 year for fedora repos on copr.
3 year old packages I guess must be for EPEL?

1 Like

COPR does allow network access if you configure it that way.

The internet access thing was for downloading the Rust dependencies, not something specific to electron. But when using rust2rpm for generating RPM spec files for Rust crates, it specifically configures the package’s build system to NOT load dependencies over the internet, because that is not allowed (and would fail) in most environments. If you want to do this, you will need to make adjustments to the spec file that is generated by rust2rpm.

I’m not sure we’re on the same page here. rust2rpm is a Python program - while it’s not published on PyPI, it is packaged as an RPM for Fedora. I guess what you’re getting at is that you’d want to run rust2rpm for every new version of a Rust crate, and package that automatically? There’s no support for “crate” sources built-in to COPR yet (unlike Ruby gems or R packages). And even if it were, there would still need to be some kind of external thing that actually triggers builds for new versions.


Long story short, I think having the Mullvad VPN client available as a package for Fedora would be great – however, judging from the questions you’re asking here, I think starting with something simpler for your first RPM package (just to understand how all the pieces fit together) would be an easier approach to this problem than jumping head first into cold water :slight_smile:

There’s plenty documentation for doing RPM packaging, and the RPM Packaging Guide is probably a good starting point:

https://rpm-packaging-guide.github.io/

Once those basics are clear, you should be able to build a simple package in COPR. And then for more advanced and more in-depth topics, there’s the Packaging Guidelines for Fedora, which have comprehensive rules and documentation for how to approach packaging different types of projects:

Hope that helps.