changeset 28: |
242002f9f098 |
parent 27: |
529419ac94f3 |
child 29: |
7e640cebeada |
author: |
ellis <ellis@rwest.io> |
date: |
Tue, 06 Jun 2023 20:21:08 -0400 |
files: |
tools/dep.sh tools/deps.sh |
description: |
deps |
1.1--- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2+++ b/tools/dep.sh Tue Jun 06 20:21:08 2023 -0400
1.3@@ -0,0 +1,592 @@
1.4+#!/usr/bin/sh
1.5+# install demo build dependencies
1.6+set -u
1.7+PKG_URL_ROOT="${PKG_URL_ROOT:-https://rwest.io/otom8/packy/bundle}"
1.8+PKG_NAME="demo_build_deps"
1.9+check_proc() {
1.10+ # Check for /proc by looking for the /proc/self/exe link
1.11+ # This only run on Linux
1.12+ if ! test -L /proc/self/exe ; then
1.13+ err "fatal: Unable to find /proc/self/exe. Is /proc mounted?"
1.14+ fi
1.15+}
1.16+
1.17+get_bitness() {
1.18+ need_cmd head
1.19+ # Architecture detection without dependencies beyond coreutils.
1.20+ # ELF files start out "\x7fELF", and the following byte is
1.21+ # 0x01 for 32-bit and
1.22+ # 0x02 for 64-bit.
1.23+ # The printf builtin on some shells like dash only supports octal
1.24+ # escape sequences, so we use those.
1.25+ local _current_exe_head
1.26+ _current_exe_head=$(head -c 5 /proc/self/exe )
1.27+ if [ "$_current_exe_head" = "$(printf '\177ELF\001')" ]; then
1.28+ echo 32
1.29+ elif [ "$_current_exe_head" = "$(printf '\177ELF\002')" ]; then
1.30+ echo 64
1.31+ else
1.32+ err "unknown platform bitness"
1.33+ fi
1.34+}
1.35+
1.36+is_host_amd64_elf() {
1.37+ need_cmd head
1.38+ need_cmd tail
1.39+ # ELF e_machine detection without dependencies beyond coreutils.
1.40+ # Two-byte field at offset 0x12 indicates the CPU,
1.41+ # but we're interested in it being 0x3E to indicate amd64, or not that.
1.42+ local _current_exe_machine
1.43+ _current_exe_machine=$(head -c 19 /proc/self/exe | tail -c 1)
1.44+ [ "$_current_exe_machine" = "$(printf '\076')" ]
1.45+}
1.46+
1.47+get_endianness() {
1.48+ local cputype=$1
1.49+ local suffix_eb=$2
1.50+ local suffix_el=$3
1.51+
1.52+ # detect endianness without od/hexdump, like get_bitness() does.
1.53+ need_cmd head
1.54+ need_cmd tail
1.55+
1.56+ local _current_exe_endianness
1.57+ _current_exe_endianness="$(head -c 6 /proc/self/exe | tail -c 1)"
1.58+ if [ "$_current_exe_endianness" = "$(printf '\001')" ]; then
1.59+ echo "${cputype}${suffix_el}"
1.60+ elif [ "$_current_exe_endianness" = "$(printf '\002')" ]; then
1.61+ echo "${cputype}${suffix_eb}"
1.62+ else
1.63+ err "unknown platform endianness"
1.64+ fi
1.65+}
1.66+
1.67+get_architecture() {
1.68+ local _ostype _cputype _bitness _arch _clibtype
1.69+ _ostype="$(uname -s)"
1.70+ _cputype="$(uname -m)"
1.71+ _clibtype="gnu"
1.72+
1.73+ if [ "$_ostype" = Linux ]; then
1.74+ if [ "$(uname -o)" = Android ]; then
1.75+ _ostype=Android
1.76+ fi
1.77+ if ldd --version 2>&1 | grep -q 'musl'; then
1.78+ _clibtype="musl"
1.79+ fi
1.80+ fi
1.81+
1.82+ if [ "$_ostype" = Darwin ] && [ "$_cputype" = i386 ]; then
1.83+ # Darwin `uname -m` lies
1.84+ if sysctl hw.optional.x86_64 | grep -q ': 1'; then
1.85+ _cputype=x86_64
1.86+ fi
1.87+ fi
1.88+
1.89+ if [ "$_ostype" = SunOS ]; then
1.90+ # Both Solaris and illumos presently announce as "SunOS" in "uname -s"
1.91+ # so use "uname -o" to disambiguate. We use the full path to the
1.92+ # system uname in case the user has coreutils uname first in PATH,
1.93+ # which has historically sometimes printed the wrong value here.
1.94+ if [ "$(/usr/bin/uname -o)" = illumos ]; then
1.95+ _ostype=illumos
1.96+ fi
1.97+
1.98+ # illumos systems have multi-arch userlands, and "uname -m" reports the
1.99+ # machine hardware name; e.g., "i86pc" on both 32- and 64-bit x86
1.100+ # systems. Check for the native (widest) instruction set on the
1.101+ # running kernel:
1.102+ if [ "$_cputype" = i86pc ]; then
1.103+ _cputype="$(isainfo -n)"
1.104+ fi
1.105+ fi
1.106+
1.107+ case "$_ostype" in
1.108+
1.109+ Android)
1.110+ _ostype=linux-android
1.111+ ;;
1.112+
1.113+ Linux)
1.114+ check_proc
1.115+ _ostype=unknown-linux-$_clibtype
1.116+ _bitness=$(get_bitness)
1.117+ ;;
1.118+
1.119+ FreeBSD)
1.120+ _ostype=unknown-freebsd
1.121+ ;;
1.122+
1.123+ NetBSD)
1.124+ _ostype=unknown-netbsd
1.125+ ;;
1.126+
1.127+ DragonFly)
1.128+ _ostype=unknown-dragonfly
1.129+ ;;
1.130+
1.131+ Darwin)
1.132+ _ostype=apple-darwin
1.133+ ;;
1.134+
1.135+ illumos)
1.136+ _ostype=unknown-illumos
1.137+ ;;
1.138+
1.139+ MINGW* | MSYS* | CYGWIN*)
1.140+ _ostype=pc-windows-gnu
1.141+ ;;
1.142+
1.143+ *)
1.144+ err "unrecognized OS type: $_ostype"
1.145+ ;;
1.146+
1.147+ esac
1.148+
1.149+ case "$_cputype" in
1.150+
1.151+ i386 | i486 | i686 | i786 | x86)
1.152+ _cputype=i686
1.153+ ;;
1.154+
1.155+ xscale | arm)
1.156+ _cputype=arm
1.157+ if [ "$_ostype" = "linux-android" ]; then
1.158+ _ostype=linux-androideabi
1.159+ fi
1.160+ ;;
1.161+
1.162+ armv6l)
1.163+ _cputype=arm
1.164+ if [ "$_ostype" = "linux-android" ]; then
1.165+ _ostype=linux-androideabi
1.166+ else
1.167+ _ostype="${_ostype}eabihf"
1.168+ fi
1.169+ ;;
1.170+
1.171+ armv7l | armv8l)
1.172+ _cputype=armv7
1.173+ if [ "$_ostype" = "linux-android" ]; then
1.174+ _ostype=linux-androideabi
1.175+ else
1.176+ _ostype="${_ostype}eabihf"
1.177+ fi
1.178+ ;;
1.179+
1.180+ aarch64 | arm64)
1.181+ _cputype=aarch64
1.182+ ;;
1.183+
1.184+ x86_64 | x86-64 | x64 | amd64)
1.185+ _cputype=x86_64
1.186+ ;;
1.187+
1.188+ mips)
1.189+ _cputype=$(get_endianness mips '' el)
1.190+ ;;
1.191+
1.192+ mips64)
1.193+ if [ "$_bitness" -eq 64 ]; then
1.194+ # only n64 ABI is supported for now
1.195+ _ostype="${_ostype}abi64"
1.196+ _cputype=$(get_endianness mips64 '' el)
1.197+ fi
1.198+ ;;
1.199+
1.200+ ppc)
1.201+ _cputype=powerpc
1.202+ ;;
1.203+
1.204+ ppc64)
1.205+ _cputype=powerpc64
1.206+ ;;
1.207+
1.208+ ppc64le)
1.209+ _cputype=powerpc64le
1.210+ ;;
1.211+
1.212+ s390x)
1.213+ _cputype=s390x
1.214+ ;;
1.215+ riscv64)
1.216+ _cputype=riscv64gc
1.217+ ;;
1.218+ *)
1.219+ err "unknown CPU type: $_cputype"
1.220+
1.221+ esac
1.222+
1.223+ # Detect 64-bit linux with 32-bit userland
1.224+ if [ "${_ostype}" = unknown-linux-gnu ] && [ "${_bitness}" -eq 32 ]; then
1.225+ case $_cputype in
1.226+ x86_64)
1.227+ if [ -n "${BABEL_CPUTYPE:-}" ]; then
1.228+ _cputype="$BABEL_CPUTYPE"
1.229+ else {
1.230+ # 32-bit executable for amd64 = x32
1.231+ if is_host_amd64_elf; then {
1.232+ echo "This host is running an x32 userland; as it stands, x32 support is poor," 1>&2
1.233+ echo "and there isn't a native toolchain -- you will have to install" 1>&2
1.234+ echo "multiarch compatibility with i686 and/or amd64, then select one" 1>&2
1.235+ echo "by re-running this script with the BABEL_CPUTYPE environment variable" 1>&2
1.236+ echo "set to i686 or x86_64, respectively." 1>&2
1.237+ echo 1>&2
1.238+ exit 1
1.239+ }; else
1.240+ _cputype=i686
1.241+ fi
1.242+ }; fi
1.243+ ;;
1.244+ mips64)
1.245+ _cputype=$(get_endianness mips '' el)
1.246+ ;;
1.247+ powerpc64)
1.248+ _cputype=powerpc
1.249+ ;;
1.250+ aarch64)
1.251+ _cputype=armv7
1.252+ if [ "$_ostype" = "linux-android" ]; then
1.253+ _ostype=linux-androideabi
1.254+ else
1.255+ _ostype="${_ostype}eabihf"
1.256+ fi
1.257+ ;;
1.258+ riscv64gc)
1.259+ err "riscv64 with 32-bit userland unsupported"
1.260+ ;;
1.261+ esac
1.262+ fi
1.263+
1.264+ # Detect armv7 but without the CPU features Rust needs in that build,
1.265+ # and fall back to arm.
1.266+ # See https://github.com/rust-lang/rustup.rs/issues/587.
1.267+ if [ "$_ostype" = "unknown-linux-gnueabihf" ] && [ "$_cputype" = armv7 ]; then
1.268+ if ensure grep '^Features' /proc/cpuinfo | grep -q -v neon; then
1.269+ # At least one processor does not have NEON.
1.270+ _cputype=arm
1.271+ fi
1.272+ fi
1.273+
1.274+ _arch="${_cputype}-${_ostype}"
1.275+
1.276+ RETVAL="$_arch"
1.277+}
1.278+say() {
1.279+ printf 'dep.sh: %s\n' "$1"
1.280+}
1.281+err() {
1.282+ say "$1" >&2; exit 1
1.283+}
1.284+need_cmd() {
1.285+ if ! check_cmd "$1"; then
1.286+ err "need '$1' (command not found)"
1.287+ fi
1.288+}
1.289+check_cmd() {
1.290+ command -v "$1" > /dev/null 2>&1
1.291+}
1.292+assert_nz() {
1.293+ if [ -z "$1" ]; then err "assert_nz $2"; fi
1.294+}
1.295+ensure() {
1.296+ if ! "$@"; then err "command failed: $*"; fi
1.297+}
1.298+ignore() {
1.299+ "$@"
1.300+}
1.301+main () {
1.302+ need_cmd chmod
1.303+ need_cmd mkdir
1.304+ need_cmd rm
1.305+
1.306+ get_architecture || return 1
1.307+ local _arch="$RETVAL"
1.308+ assert_nz "$_arch" "arch"
1.309+
1.310+ # no extension unless on windows
1.311+ local _ext=""
1.312+ case "$_arch" in
1.313+ *windows*)
1.314+ _ext=".exe"
1.315+ ;;
1.316+ esac
1.317+
1.318+ local _url="${PKG_URL_ROOT}/bin/dist/${_arch}/${PKG_NAME}${_ext}"
1.319+
1.320+ local _dir
1.321+ _dir="$(ensure mktemp -d)"
1.322+ local _file="${_dir}/${PKG_NAME}${_ext}"
1.323+
1.324+ local _ansi_escapes_are_valid=false
1.325+ if [ -t 2 ]; then
1.326+ if [ "${TERM+set}" = 'set' ]; then
1.327+ case "$TERM" in
1.328+ xterm*|rxvt*|urxvt*|linux*|vt*)
1.329+ _ansi_escapes_are_valid=true
1.330+ ;;
1.331+ esac
1.332+ fi
1.333+ fi
1.334+
1.335+ # check if we have to use /dev/tty to prompt the user
1.336+ local need_tty=yes
1.337+ for arg in "$@"; do
1.338+ case "$arg" in
1.339+ q)
1.340+ # user wants to skip the prompt --
1.341+ # we don't need /dev/tty
1.342+ need_tty=no
1.343+ ;;
1.344+ *)
1.345+ ;;
1.346+ esac
1.347+ done
1.348+
1.349+ if $_ansi_escapes_are_valid; then
1.350+ printf "\33[1minfo:\33[0m downloading $PKG_NAME\n" 1>&2
1.351+ else
1.352+ printf '%s\n' 'info: downloading $PKG_NAME' 1>&2
1.353+ fi
1.354+
1.355+ ensure mkdir -p "$_dir"
1.356+ ensure dl "$_url" "$_file" "$_arch"
1.357+ ensure chmod u+x "$_file"
1.358+ if [ ! -x "$_file" ]; then
1.359+ printf '%s\n' "Cannot execute $_file (likely because of mounting /tmp as noexec)." 1>&2
1.360+ printf '%s\n' "Please copy the file to a location where you can execute binaries and run ./${PKG_NAME}${_ext}." 1>&2
1.361+ exit 1
1.362+ fi
1.363+
1.364+ if [ "$need_tty" = "yes" ]; then
1.365+ # The installer is going to want to ask for confirmation by
1.366+ # reading stdin. This script was piped into `sh` though and
1.367+ # doesn't have stdin to pass to its children. Instead we're going
1.368+ # to explicitly connect /dev/tty to the installer's stdin.
1.369+ if [ ! -t 1 ]; then
1.370+ err "Unable to run interactively. Run with -y to accept defaults"
1.371+ fi
1.372+
1.373+ ignore "$_file" "$@" < /dev/tty
1.374+ else
1.375+ ignore "$_file" "$@"
1.376+ fi
1.377+
1.378+ local _retval=$?
1.379+
1.380+ ignore rm "$_file"
1.381+ ignore rmdir "$_dir"
1.382+
1.383+ return "$_retval"
1.384+}
1.385+
1.386+dl() { # curl || wget
1.387+ local _dld
1.388+ local _ciphersuites
1.389+ local _err
1.390+ local _status
1.391+ if check_cmd curl; then
1.392+ _dld=curl
1.393+ elif check_cmd wget; then
1.394+ _dld=wget
1.395+ else
1.396+ _dld='curl or wget' # to be used in error message of need_cmd
1.397+ fi
1.398+
1.399+ if [ "$1" = --check ]; then
1.400+ need_cmd "$_dld"
1.401+ elif [ "$_dld" = curl ]; then
1.402+ get_ciphersuites_for_curl
1.403+ _ciphersuites="$RETVAL"
1.404+ if [ -n "$_ciphersuites" ]; then
1.405+ _err=$(curl --proto '=https' --tlsv1.2 --ciphers "$_ciphersuites" --silent --show-error --fail --location "$1" --output "$2" 2>&1)
1.406+ _status=$?
1.407+ else
1.408+ echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
1.409+ if ! check_help_for "$3" curl --proto --tlsv1.2; then
1.410+ echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
1.411+ _err=$(curl --silent --show-error --fail --location "$1" --output "$2" 2>&1)
1.412+ _status=$?
1.413+ else
1.414+ _err=$(curl --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2" 2>&1)
1.415+ _status=$?
1.416+ fi
1.417+ fi
1.418+ if [ -n "$_err" ]; then
1.419+ echo "$_err" >&2
1.420+ if echo "$_err" | grep -q 404$; then
1.421+ err "installer for platform '$3' not found 8^C - ask ellis to support your platform"
1.422+ fi
1.423+ fi
1.424+ return $_status
1.425+ elif [ "$_dld" = wget ]; then
1.426+ get_ciphersuites_for_wget
1.427+ _ciphersuites="$RETVAL"
1.428+ if [ -n "$_ciphersuites" ]; then
1.429+ _err=$(wget --https-only --secure-protocol=TLSv1_2 --ciphers "$_ciphersuites" "$1" -O "$2" 2>&1)
1.430+ _status=$?
1.431+ else
1.432+ echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
1.433+ if ! check_help_for "$3" wget --https-only --secure-protocol; then
1.434+ echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
1.435+ _err=$(wget "$1" -O "$2" 2>&1)
1.436+ _status=$?
1.437+ else
1.438+ _err=$(wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2" 2>&1)
1.439+ _status=$?
1.440+ fi
1.441+ fi
1.442+ if [ -n "$_err" ]; then
1.443+ echo "$_err" >&2
1.444+ if echo "$_err" | grep -q ' 404 Not Found$'; then
1.445+ err "installer for platform '$3' not found!"
1.446+ fi
1.447+ fi
1.448+ return $_status
1.449+ else
1.450+ err "Unknown dl program" # should not reach here
1.451+ fi
1.452+}
1.453+
1.454+check_help_for() {
1.455+ local _arch
1.456+ local _cmd
1.457+ local _arg
1.458+ _arch="$1"
1.459+ shift
1.460+ _cmd="$1"
1.461+ shift
1.462+
1.463+ local _category
1.464+ if "$_cmd" --help | grep -q 'For all options use the manual or "--help all".'; then
1.465+ _category="all"
1.466+ else
1.467+ _category=""
1.468+ fi
1.469+
1.470+ case "$_arch" in
1.471+
1.472+ *darwin*)
1.473+ if check_cmd sw_vers; then
1.474+ case $(sw_vers -productVersion) in
1.475+ 10.*)
1.476+ # If we're running on macOS, older than 10.13, then we always
1.477+ # fail to find these options to force fallback
1.478+ if [ "$(sw_vers -productVersion | cut -d. -f2)" -lt 13 ]; then
1.479+ # Older than 10.13
1.480+ echo "Warning: Detected macOS platform older than 10.13"
1.481+ return 1
1.482+ fi
1.483+ ;;
1.484+ 11.*)
1.485+ # We assume Big Sur will be OK for now
1.486+ ;;
1.487+ *)
1.488+ # Unknown product version, warn and continue
1.489+ echo "Warning: Detected unknown macOS major version: $(sw_vers -productVersion)"
1.490+ echo "Warning TLS capabilities detection may fail"
1.491+ ;;
1.492+ esac
1.493+ fi
1.494+ ;;
1.495+
1.496+ esac
1.497+
1.498+ for _arg in "$@"; do
1.499+ if ! "$_cmd" --help $_category | grep -q -- "$_arg"; then
1.500+ return 1
1.501+ fi
1.502+ done
1.503+
1.504+ true # not strictly needed
1.505+}
1.506+
1.507+# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
1.508+# if support by local tools is detected. Detection currently supports these curl backends:
1.509+# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
1.510+get_ciphersuites_for_curl() {
1.511+ if [ -n "${BABEL_TLS_CIPHERSUITES-}" ]; then
1.512+ # user specified custom cipher suites, assume they know what they're doing
1.513+ RETVAL="$BABEL_TLS_CIPHERSUITES"
1.514+ return
1.515+ fi
1.516+
1.517+ local _openssl_syntax="no"
1.518+ local _gnutls_syntax="no"
1.519+ local _backend_supported="yes"
1.520+ if curl -V | grep -q ' OpenSSL/'; then
1.521+ _openssl_syntax="yes"
1.522+ elif curl -V | grep -iq ' LibreSSL/'; then
1.523+ _openssl_syntax="yes"
1.524+ elif curl -V | grep -iq ' BoringSSL/'; then
1.525+ _openssl_syntax="yes"
1.526+ elif curl -V | grep -iq ' GnuTLS/'; then
1.527+ _gnutls_syntax="yes"
1.528+ else
1.529+ _backend_supported="no"
1.530+ fi
1.531+
1.532+ local _args_supported="no"
1.533+ if [ "$_backend_supported" = "yes" ]; then
1.534+ # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
1.535+ if check_help_for "notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then
1.536+ _args_supported="yes"
1.537+ fi
1.538+ fi
1.539+
1.540+ local _cs=""
1.541+ if [ "$_args_supported" = "yes" ]; then
1.542+ if [ "$_openssl_syntax" = "yes" ]; then
1.543+ _cs=$(get_strong_ciphersuites_for "openssl")
1.544+ elif [ "$_gnutls_syntax" = "yes" ]; then
1.545+ _cs=$(get_strong_ciphersuites_for "gnutls")
1.546+ fi
1.547+ fi
1.548+
1.549+ RETVAL="$_cs"
1.550+}
1.551+
1.552+# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
1.553+# if support by local tools is detected. Detection currently supports these wget backends:
1.554+# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
1.555+get_ciphersuites_for_wget() {
1.556+ if [ -n "${BABEL_TLS_CIPHERSUITES-}" ]; then
1.557+ # user specified custom cipher suites, assume they know what they're doing
1.558+ RETVAL="$BABEL_TLS_CIPHERSUITES"
1.559+ return
1.560+ fi
1.561+
1.562+ local _cs=""
1.563+ if wget -V | grep -q '\-DHAVE_LIBSSL'; then
1.564+ # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
1.565+ if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
1.566+ _cs=$(get_strong_ciphersuites_for "openssl")
1.567+ fi
1.568+ elif wget -V | grep -q '\-DHAVE_LIBGNUTLS'; then
1.569+ # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
1.570+ if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
1.571+ _cs=$(get_strong_ciphersuites_for "gnutls")
1.572+ fi
1.573+ fi
1.574+
1.575+ RETVAL="$_cs"
1.576+}
1.577+
1.578+# Return strong TLS 1.2-1.3 cipher suites in OpenSSL or GnuTLS syntax. TLS 1.2
1.579+# excludes non-ECDHE and non-AEAD cipher suites. DHE is excluded due to bad
1.580+# DH params often found on servers (see RFC 7919). Sequence matches or is
1.581+# similar to Firefox 68 ESR with weak cipher suites disabled via about:config.
1.582+# $1 must be openssl or gnutls.
1.583+get_strong_ciphersuites_for() {
1.584+ if [ "$1" = "openssl" ]; then
1.585+ # OpenSSL is forgiving of unknown values, no problems with TLS 1.3 values on versions that don't support it yet.
1.586+ echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
1.587+ elif [ "$1" = "gnutls" ]; then
1.588+ # GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS version that supports TLS 1.3 even if wget doesn't.
1.589+ # Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as OpenSSL but in slightly different order.
1.590+ echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM"
1.591+ fi
1.592+}
1.593+
1.594+main "$@" || exit 1
1.595+
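Review bot: The artifact written to `$_file` by `ensure dl "$_url" "$_file" "$_arch"` is then `chmod u+x`-ed and executed (`ignore "$_file" "$@"`) with no integrity check anywhere in this hunk — the curl/wget flags pin the transport to TLS 1.2+ and strong ciphers, but nothing pins the artifact itself, so whoever controls the host behind `PKG_URL_ROOT` (which is overridable from the environment on the `PKG_URL_ROOT="${PKG_URL_ROOT:-…}"` line) gets arbitrary code execution as the invoking user; verifying a pinned digest before the `chmod` closes that gap (sketch below; it assumes `sha256sum` on the Linux hosts this script targets, macOS would need `shasum -a 256`). Separately, the `need_tty` scan only matches a bare `q`, while the error path tells the user to "Run with -y to accept defaults", which is never recognised — `q | -y | y)` would make the two agree. Also, the non-ANSI fallback `printf '%s\n' 'info: downloading $PKG_NAME' 1>&2` is single-quoted and so prints the literal text `$PKG_NAME` rather than the package name.

```shell
ensure dl "$_url" "$_file" "$_arch"
# Refuse to run a binary whose SHA-256 does not match the pinned digest.
# PKG_SHA256 is the expected hex digest of the artifact for this _arch;
# leaving it unset keeps the previous unverified behaviour but says so loudly.
if [ -n "${PKG_SHA256:-}" ]; then
  need_cmd sha256sum
  need_cmd cut
  local _actual
  _actual="$(sha256sum "$_file" | cut -d' ' -f1)"
  if [ "$_actual" != "$PKG_SHA256" ]; then
    ignore rm "$_file"
    err "checksum mismatch for $PKG_NAME: expected $PKG_SHA256, got $_actual"
  fi
else
  say "warning: PKG_SHA256 not set; downloaded $PKG_NAME is NOT integrity-verified" >&2
fi
ensure chmod u+x "$_file"
# … unchanged: noexec check, tty handling, execution and cleanup …
```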
2.1--- a/tools/deps.sh Tue Jun 06 18:55:17 2023 -0400
2.2+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
2.3@@ -1,309 +0,0 @@
2.4-#!/usr/bin/sh
2.5-# install demo build dependencies
2.6-set -u
2.7-PKG_URL_ROOT="${PKG_URL_ROOT:-https://rwest.io/otom8/packy/bundle}"
2.8-PKG_NAME="demo_build_deps"
2.9-say() {printf 'babel-installer: %s\n' "$1"}
2.10-err() {say "$1" >&2; exit 1}
2.11-need_cmd() {
2.12- if ! check_cmd "$1"; then
2.13- err "need '$1' (command not found)"
2.14- fi}
2.15-check_cmd() {command -v "$1" > /dev/null 2>&1}
2.16-ensure() {if ! "$@"; then err "command failed: $*"; fi}
2.17-ignore() {"$@"}
2.18-
2.19-main () {
2.20- need_cmd chmod
2.21- need_cmd mkdir
2.22- need_cmd rm
2.23-
2.24- get_architecture || return 1
2.25- local _arch="$RETVAL"
2.26- assert_nz "$_arch" "arch"
2.27-
2.28- # no extension unless on windows
2.29- local _ext=""
2.30- case "$_arch" in
2.31- *windows*)
2.32- _ext=".exe"
2.33- ;;
2.34- esac
2.35-
2.36- local _url="${PKG_URL_ROOT}/bin/dist/${_arch}/${PKG_NAME}${_ext}"
2.37-
2.38- local _dir
2.39- _dir="$(ensure mktemp -d)"
2.40- local _file="${_dir}/${PKG_NAME}${_ext}"
2.41-
2.42- local _ansi_escapes_are_valid=false
2.43- if [ -t 2 ]; then
2.44- if [ "${TERM+set}" = 'set' ]; then
2.45- case "$TERM" in
2.46- xterm*|rxvt*|urxvt*|linux*|vt*)
2.47- _ansi_escapes_are_valid=true
2.48- ;;
2.49- esac
2.50- fi
2.51- fi
2.52-
2.53- # check if we have to use /dev/tty to prompt the user
2.54- local need_tty=yes
2.55- for arg in "$@"; do
2.56- case "$arg" in
2.57- q)
2.58- # user wants to skip the prompt --
2.59- # we don't need /dev/tty
2.60- need_tty=no
2.61- ;;
2.62- *)
2.63- ;;
2.64- esac
2.65- done
2.66-
2.67- if $_ansi_escapes_are_valid; then
2.68- printf "\33[1minfo:\33[0m downloading $PKG_NAME\n" 1>&2
2.69- else
2.70- printf '%s\n' 'info: downloading $PKG_NAME' 1>&2
2.71- fi
2.72-
2.73- ensure mkdir -p "$_dir"
2.74- ensure downloader "$_url" "$_file" "$_arch"
2.75- ensure chmod u+x "$_file"
2.76- if [ ! -x "$_file" ]; then
2.77- printf '%s\n' "Cannot execute $_file (likely because of mounting /tmp as noexec)." 1>&2
2.78- printf '%s\n' "Please copy the file to a location where you can execute binaries and run ./${PKG_NAME}${_ext}." 1>&2
2.79- exit 1
2.80- fi
2.81-
2.82- if [ "$need_tty" = "yes" ]; then
2.83- # The installer is going to want to ask for confirmation by
2.84- # reading stdin. This script was piped into `sh` though and
2.85- # doesn't have stdin to pass to its children. Instead we're going
2.86- # to explicitly connect /dev/tty to the installer's stdin.
2.87- if [ ! -t 1 ]; then
2.88- err "Unable to run interactively. Run with -y to accept defaults"
2.89- fi
2.90-
2.91- ignore "$_file" "$@" < /dev/tty
2.92- else
2.93- ignore "$_file" "$@"
2.94- fi
2.95-
2.96- local _retval=$?
2.97-
2.98- ignore rm "$_file"
2.99- ignore rmdir "$_dir"
2.100-
2.101- return "$_retval"
2.102-}
2.103-
2.104-dl() { # curl || wget
2.105- local _dld
2.106- local _ciphersuites
2.107- local _err
2.108- local _status
2.109- if check_cmd curl; then
2.110- _dld=curl
2.111- elif check_cmd wget; then
2.112- _dld=wget
2.113- else
2.114- _dld='curl or wget' # to be used in error message of need_cmd
2.115- fi
2.116-
2.117- if [ "$1" = --check ]; then
2.118- need_cmd "$_dld"
2.119- elif [ "$_dld" = curl ]; then
2.120- get_ciphersuites_for_curl
2.121- _ciphersuites="$RETVAL"
2.122- if [ -n "$_ciphersuites" ]; then
2.123- _err=$(curl --proto '=https' --tlsv1.2 --ciphers "$_ciphersuites" --silent --show-error --fail --location "$1" --output "$2" 2>&1)
2.124- _status=$?
2.125- else
2.126- echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
2.127- if ! check_help_for "$3" curl --proto --tlsv1.2; then
2.128- echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
2.129- _err=$(curl --silent --show-error --fail --location "$1" --output "$2" 2>&1)
2.130- _status=$?
2.131- else
2.132- _err=$(curl --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2" 2>&1)
2.133- _status=$?
2.134- fi
2.135- fi
2.136- if [ -n "$_err" ]; then
2.137- echo "$_err" >&2
2.138- if echo "$_err" | grep -q 404$; then
2.139- err "installer for platform '$3' not found 8^C - ask ellis to support your platform"
2.140- fi
2.141- fi
2.142- return $_status
2.143- elif [ "$_dld" = wget ]; then
2.144- get_ciphersuites_for_wget
2.145- _ciphersuites="$RETVAL"
2.146- if [ -n "$_ciphersuites" ]; then
2.147- _err=$(wget --https-only --secure-protocol=TLSv1_2 --ciphers "$_ciphersuites" "$1" -O "$2" 2>&1)
2.148- _status=$?
2.149- else
2.150- echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
2.151- if ! check_help_for "$3" wget --https-only --secure-protocol; then
2.152- echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
2.153- _err=$(wget "$1" -O "$2" 2>&1)
2.154- _status=$?
2.155- else
2.156- _err=$(wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2" 2>&1)
2.157- _status=$?
2.158- fi
2.159- fi
2.160- if [ -n "$_err" ]; then
2.161- echo "$_err" >&2
2.162- if echo "$_err" | grep -q ' 404 Not Found$'; then
2.163- err "installer for platform '$3' not found!"
2.164- fi
2.165- fi
2.166- return $_status
2.167- else
2.168- err "Unknown downloader" # should not reach here
2.169- fi
2.170-}
2.171-
2.172-check_help_for() {
2.173- local _arch
2.174- local _cmd
2.175- local _arg
2.176- _arch="$1"
2.177- shift
2.178- _cmd="$1"
2.179- shift
2.180-
2.181- local _category
2.182- if "$_cmd" --help | grep -q 'For all options use the manual or "--help all".'; then
2.183- _category="all"
2.184- else
2.185- _category=""
2.186- fi
2.187-
2.188- case "$_arch" in
2.189-
2.190- *darwin*)
2.191- if check_cmd sw_vers; then
2.192- case $(sw_vers -productVersion) in
2.193- 10.*)
2.194- # If we're running on macOS, older than 10.13, then we always
2.195- # fail to find these options to force fallback
2.196- if [ "$(sw_vers -productVersion | cut -d. -f2)" -lt 13 ]; then
2.197- # Older than 10.13
2.198- echo "Warning: Detected macOS platform older than 10.13"
2.199- return 1
2.200- fi
2.201- ;;
2.202- 11.*)
2.203- # We assume Big Sur will be OK for now
2.204- ;;
2.205- *)
2.206- # Unknown product version, warn and continue
2.207- echo "Warning: Detected unknown macOS major version: $(sw_vers -productVersion)"
2.208- echo "Warning TLS capabilities detection may fail"
2.209- ;;
2.210- esac
2.211- fi
2.212- ;;
2.213-
2.214- esac
2.215-
2.216- for _arg in "$@"; do
2.217- if ! "$_cmd" --help $_category | grep -q -- "$_arg"; then
2.218- return 1
2.219- fi
2.220- done
2.221-
2.222- true # not strictly needed
2.223-}
2.224-
2.225-# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
2.226-# if support by local tools is detected. Detection currently supports these curl backends:
2.227-# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
2.228-get_ciphersuites_for_curl() {
2.229- if [ -n "${BABEL_TLS_CIPHERSUITES-}" ]; then
2.230- # user specified custom cipher suites, assume they know what they're doing
2.231- RETVAL="$BABEL_TLS_CIPHERSUITES"
2.232- return
2.233- fi
2.234-
2.235- local _openssl_syntax="no"
2.236- local _gnutls_syntax="no"
2.237- local _backend_supported="yes"
2.238- if curl -V | grep -q ' OpenSSL/'; then
2.239- _openssl_syntax="yes"
2.240- elif curl -V | grep -iq ' LibreSSL/'; then
2.241- _openssl_syntax="yes"
2.242- elif curl -V | grep -iq ' BoringSSL/'; then
2.243- _openssl_syntax="yes"
2.244- elif curl -V | grep -iq ' GnuTLS/'; then
2.245- _gnutls_syntax="yes"
2.246- else
2.247- _backend_supported="no"
2.248- fi
2.249-
2.250- local _args_supported="no"
2.251- if [ "$_backend_supported" = "yes" ]; then
2.252- # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
2.253- if check_help_for "notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then
2.254- _args_supported="yes"
2.255- fi
2.256- fi
2.257-
2.258- local _cs=""
2.259- if [ "$_args_supported" = "yes" ]; then
2.260- if [ "$_openssl_syntax" = "yes" ]; then
2.261- _cs=$(get_strong_ciphersuites_for "openssl")
2.262- elif [ "$_gnutls_syntax" = "yes" ]; then
2.263- _cs=$(get_strong_ciphersuites_for "gnutls")
2.264- fi
2.265- fi
2.266-
2.267- RETVAL="$_cs"
2.268-}
2.269-
2.270-# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
2.271-# if support by local tools is detected. Detection currently supports these wget backends:
2.272-# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
2.273-get_ciphersuites_for_wget() {
2.274- if [ -n "${BABEL_TLS_CIPHERSUITES-}" ]; then
2.275- # user specified custom cipher suites, assume they know what they're doing
2.276- RETVAL="$BABEL_TLS_CIPHERSUITES"
2.277- return
2.278- fi
2.279-
2.280- local _cs=""
2.281- if wget -V | grep -q '\-DHAVE_LIBSSL'; then
2.282- # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
2.283- if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
2.284- _cs=$(get_strong_ciphersuites_for "openssl")
2.285- fi
2.286- elif wget -V | grep -q '\-DHAVE_LIBGNUTLS'; then
2.287- # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
2.288- if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
2.289- _cs=$(get_strong_ciphersuites_for "gnutls")
2.290- fi
2.291- fi
2.292-
2.293- RETVAL="$_cs"
2.294-}
2.295-
2.296-# Return strong TLS 1.2-1.3 cipher suites in OpenSSL or GnuTLS syntax. TLS 1.2
2.297-# excludes non-ECDHE and non-AEAD cipher suites. DHE is excluded due to bad
2.298-# DH params often found on servers (see RFC 7919). Sequence matches or is
2.299-# similar to Firefox 68 ESR with weak cipher suites disabled via about:config.
2.300-# $1 must be openssl or gnutls.
2.301-get_strong_ciphersuites_for() {
2.302- if [ "$1" = "openssl" ]; then
2.303- # OpenSSL is forgiving of unknown values, no problems with TLS 1.3 values on versions that don't support it yet.
2.304- echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
2.305- elif [ "$1" = "gnutls" ]; then
2.306- # GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS version that supports TLS 1.3 even if wget doesn't.
2.307- # Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as OpenSSL but in slightly different order.
2.308- echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM"
2.309- fi
2.310-}
2.311-
2.312-main "$@" || exit 1