From 47603f0f740fe3e8be9f981ea6e33988d4eed8f7 Mon Sep 17 00:00:00 2001 From: Vladimir Panteleev Date: Sat, 9 Mar 2024 10:38:56 +0000 Subject: [PATCH 1/7] modules/signing.nix: Fix generateKeysScript build --- modules/signing.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/signing.nix b/modules/signing.nix index 150a7bbc..db02dc4a 100644 --- a/modules/signing.nix +++ b/modules/signing.nix @@ -209,7 +209,7 @@ in ${config.source.dirs."system/extras".src}/verity/generate_verity_key.c \ ${config.source.dirs."system/core".src}/libcrypto_utils/android_pubkey.c${lib.optionalString (config.androidVersion >= 12) "pp"} \ -I ${config.source.dirs."system/core".src}/libcrypto_utils/include/ \ - -I ${pkgs.boringssl}/include ${pkgs.boringssl}/lib/libssl.a ${pkgs.boringssl}/lib/libcrypto.a -lpthread + -I ${pkgs.boringssl.dev}/include ${pkgs.boringssl}/lib/libssl.a ${pkgs.boringssl}/lib/libcrypto.a -lpthread cp ${config.source.dirs."external/avb".src}/avbtool $out/bin/avbtool From 2553ed654a1f017cfdecbac0beb51a4e82811db4 Mon Sep 17 00:00:00 2001 From: Atemu Date: Fri, 10 Mar 2023 19:51:30 +0100 Subject: [PATCH 2/7] base: use python3 --- modules/release.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/release.nix b/modules/release.nix index e570d752..4c14b5f5 100644 --- a/modules/release.nix +++ b/modules/release.nix @@ -12,7 +12,7 @@ let jre = if (config.androidVersion >= 11) then pkgs.jdk11_headless else pkgs.jre8_headless; deps = with pkgs; [ otaTools openssl jre zip unzip pkgs.getopt which toybox vboot_reference util-linux - python # ota_from_target_files invokes, brillo_update_payload which has "truncate_file" which invokes python + python3 # ota_from_target_files invokes, brillo_update_payload which has "truncate_file" which invokes python ]; in '' export PATH=${lib.makeBinPath deps}:$PATH From 3f2c93d1cbcc8d305e1c0f9ecc4f7bc8f323bba1 Mon Sep 17 00:00:00 2001 
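Review bot: In the modules/signing.nix hunk, `${pkgs.boringssl.dev}` fails to evaluate on any nixpkgs revision where boringssl has no separate `dev` output, so the key-generation tool build becomes tied to newer package sets. Writing the include path as `-I ${lib.getDev pkgs.boringssl}/include` selects the `dev` output when it exists and falls back to the default output otherwise. The two `.a` paths on the same line still come from the default output, which looks intentional. The compile command starts and ends outside the hunk.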
From: Atemu Date: Thu, 29 Dec 2022 18:17:24 +0100 Subject: [PATCH 3/7] pkgs/fetchgit: override without duplicating code --- pkgs/fetchgit/builder.sh | 17 ------- pkgs/fetchgit/default.nix | 94 --------------------------------------- 2 files changed, 111 deletions(-) delete mode 100644 pkgs/fetchgit/builder.sh delete mode 100644 pkgs/fetchgit/default.nix diff --git a/pkgs/fetchgit/builder.sh b/pkgs/fetchgit/builder.sh deleted file mode 100644 index 0047a335..00000000 --- a/pkgs/fetchgit/builder.sh +++ /dev/null @@ -1,17 +0,0 @@ -# tested so far with: -# - no revision specified and remote has a HEAD which is used -# - revision specified and remote has a HEAD -# - revision specified and remote without HEAD -source $stdenv/setup - -header "exporting $url (rev $rev) into $out" - -$SHELL $fetcher --builder --url "$url" --out "$out" --rev "$rev" \ - ${leaveDotGit:+--leave-dotGit} \ - ${fetchLFS:+--fetch-lfs} \ - ${deepClone:+--deepClone} \ - ${fetchSubmodules:+--fetch-submodules} \ - ${branchName:+--branch-name "$branchName"} - -runHook postFetch -stopNest diff --git a/pkgs/fetchgit/default.nix b/pkgs/fetchgit/default.nix deleted file mode 100644 index bccfbb25..00000000 --- a/pkgs/fetchgit/default.nix +++ /dev/null 
@@ -1,94 +0,0 @@ -{lib, stdenvNoCC, git, git-lfs, cacert}: let - urlToName = url: rev: let - inherit (lib) removeSuffix splitString last; - base = last (splitString ":" (baseNameOf (removeSuffix "/" url))); - - matched = builtins.match "(.*)\\.git" base; - - short = builtins.substring 0 7 rev; - - appendShort = if (builtins.match "[a-f0-9]*" rev) != null - then "-${short}" - else ""; - in "${if matched == null then base else builtins.head matched}${appendShort}"; -in -{ url, rev ? "HEAD", md5 ? "", sha256 ? "", hash ? "", leaveDotGit ? deepClone -, fetchSubmodules ? true, deepClone ? false -, branchName ? null -, name ? urlToName url rev -, # Shell code executed after the file has been fetched - # successfully. This can do things like check or transform the file. - postFetch ? "" -, preferLocalBuild ? true -, fetchLFS ? false -, # Shell code to build a netrc file for BASIC auth - netrcPhase ? null -, # Impure env vars (https://nixos.org/nix/manual/#sec-advanced-attributes) - # needed for netrcPhase - netrcImpureEnvVars ? [] -}: - -/* NOTE: - fetchgit has one problem: git fetch only works for refs. - This is because fetching arbitrary (maybe dangling) commits may be a security risk - and checking whether a commit belongs to a ref is expensive. This may - change in the future when some caching is added to git (?) - Usually refs are either tags (refs/tags/*) or branches (refs/heads/*) - Cloning branches will make the hash check fail when there is an update. - But not all patches we want can be accessed by tags. - - The workaround is getting the last n commits so that it's likely that they - still contain the hash we want. - - for now : increase depth iteratively (TODO) - - real fix: ask git folks to add a - git fetch $HASH contained in $BRANCH - facility because checking that $HASH is contained in $BRANCH is less - expensive than fetching --depth $N. - Even if git folks implemented this feature soon it may take years until - server admins start using the new version? 
-*/ - -assert deepClone -> leaveDotGit; - -if md5 != "" then - throw "fetchgit does not support md5 anymore, please use sha256" -else if hash != "" && sha256 != "" then - throw "Only one of sha256 or hash can be set" -else -stdenvNoCC.mkDerivation { - inherit name; - builder = ./builder.sh; - fetcher = ./nix-prefetch-git; # This must be a string to ensure it's called with bash. - - nativeBuildInputs = [ git ] - ++ lib.optionals fetchLFS [ git-lfs ]; - - outputHashAlgo = if hash != "" then null else "sha256"; - outputHashMode = "recursive"; - outputHash = if hash != "" then - hash - else if sha256 != "" then - sha256 - else - lib.fakeSha256; - - inherit url rev leaveDotGit fetchLFS fetchSubmodules deepClone branchName postFetch; - - postHook = if netrcPhase == null then null else '' - ${netrcPhase} - # required that git uses the netrc file - mv {,.}netrc - export HOME=$PWD - ''; - - GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt"; - - impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ netrcImpureEnvVars ++ [ - "GIT_PROXY_COMMAND" "NIX_GIT_SSL_CAINFO" "SOCKS_SERVER" - "ROBOTNIX_GIT_MIRRORS" - ]; - - inherit preferLocalBuild; -} From 014f1ae01dcee45853c279245909932c9bc6bb35 Mon Sep 17 00:00:00 2001 From: Vladimir Panteleev Date: Sat, 9 Mar 2024 12:54:46 +0000 Subject: [PATCH 4/7] modules/apps/fdroid.nix: Update F-Droid APK URL The old URL is now a 404. --- modules/apps/fdroid.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/apps/fdroid.nix b/modules/apps/fdroid.nix index 7c2d9215..33bb8ced 100644 --- a/modules/apps/fdroid.nix +++ b/modules/apps/fdroid.nix 
@@ -76,8 +76,8 @@ in config = mkIf cfg.enable { apps.prebuilt."F-Droid" = { apk = pkgs.fetchurl { - url = "https://f-droid.org/repo/org.fdroid.fdroid_1017050.apk"; - sha256 = "sha256-3Du4j2QZ7n3efRVHpBVpqgMoL+AODcQ84DXv18nSfXU="; + url = "https://f-droid.org/repo/org.fdroid.fdroid_1019051.apk"; + sha256 = "sha256-FiyxS5O9m2Zf/0JWtPyRz+dftyM1oCsdD+vmBiILUPQ="; }; fingerprint = mkIf (!config.signing.enable) "7352DAE94B237866E7FB44FD94ADE44E8B6E05397E7D1FB45616A00E225063FF"; From 0e0b82c683b56f76638d631e5865baf4449f88d8 Mon Sep 17 00:00:00 2001 From: Vladimir Panteleev Date: Sun, 10 Mar 2024 08:34:12 +0000 Subject: [PATCH 5/7] modules/signing.nix: Add additional keys I'm not sure what the exact conditions are for requiring these keys, but they seem to be at least required for a LineageOS instantnoodlep build with signing without MicroG. --- modules/signing.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/signing.nix b/modules/signing.nix index db02dc4a..f5ea4a67 100644 --- a/modules/signing.nix +++ b/modules/signing.nix @@ -17,6 +17,9 @@ let ++ (lib.optionals (config.androidVersion >= 10) [ "${config.device}/networkstack" ]) ++ (lib.optionals (config.androidVersion >= 11) [ "com.android.hotspot2.osulogin" "com.android.wifi.resources" ]) ++ (lib.optionals (config.androidVersion >= 12) [ "com.android.connectivity.resources" ]) + ++ (lib.optionals (config.androidVersion >= 13) [ "com.android.adservices.api" "com.android.safetycenter.resources" + "com.android.nearby.halfsheet" "com.android.uwb.resources" + "com.android.wifi.dialog"]) ++ (lib.optional config.signing.apex.enable config.signing.apex.packageNames) ++ (lib.mapAttrsToList (name: prebuilt: prebuilt.certificate) 
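Review bot: The five Android 13 key names are written out twice in modules/signing.nix, once in this key list and again as the values of the `config.androidVersion >= 13` path map in the second hunk, so the two can drift apart without any evaluation error. The commit message says the exact conditions for needing these keys are unknown, so I would put a comment above both additions, for example `# Android 13 module keys; so far verified only against a LineageOS instantnoodlep build`, to show how far the `>= 13` gate can be trusted. What happens to a module that is missing from the path map is not visible in this patch; if it ends up signed with a default or test certificate, that case deserves an explicit assertion rather than a silent fallback. Both hunks sit inside larger expressions that start and end outside the diff.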
@@ -182,6 +185,13 @@ in "packages/modules/Wifi/service/ServiceWifiResources/resources-certs/com.android.wifi.resources" = "com.android.wifi.resources"; "packages/modules/Connectivity/service/ServiceConnectivityResources/resources-certs/com.android.connectivity.resources" = "com.android.connectivity.resources"; } + // lib.optionalAttrs (config.androidVersion >= 13) { + "packages/modules/AdServices/adservices/apk/com.android.adservices.api" = "com.android.adservices.api"; + "packages/modules/Permission/SafetyCenter/Resources/com.android.safetycenter.resources" = "com.android.safetycenter.resources"; + "packages/modules/Connectivity/nearby/halfsheet/apk-certs/com.android.nearby.halfsheet" = "com.android.nearby.halfsheet"; + "packages/modules/Uwb/service/ServiceUwbResources/resources-certs/com.android.uwb.resources" = "com.android.uwb.resources"; + "packages/modules/Wifi/WifiDialog/certs/com.android.wifi.dialog" = "com.android.wifi.dialog"; + } # App-specific keys // lib.mapAttrs' (name: prebuilt: lib.nameValuePair "robotnix/prebuilt/${prebuilt.name}/${prebuilt.certificate}" prebuilt.certificate) From aae5b11cd644780295d6b2090cca30ab908171be Mon Sep 17 00:00:00 2001 From: Vladimir Panteleev Date: Thu, 16 May 2024 18:07:03 +0000 Subject: [PATCH 6/7] modules/apps/chromium.nix: Fix building aapt2 with latest nixpkgs Fixes e.g.: setting interpreter of /nix/store/0gyvs0njhf433bbi0c5wgf6627c8c3xz-aapt2/bin/aapt2 searching for dependencies of /nix/store/0gyvs0njhf433bbi0c5wgf6627c8c3xz-aapt2/bin/aapt2 libgcc_s.so.1 -> not found! Unfortunately, it is not enough to allow chromium to build, but it does fix that particular error. --- modules/apps/chromium.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/apps/chromium.nix b/modules/apps/chromium.nix index 27faedde..a4a66386 100644 --- a/modules/apps/chromium.nix +++ b/modules/apps/chromium.nix 
@@ -19,6 +19,7 @@ let version = "O9eXFyC5ZkcYvDfHRLKPO1g1Xwf7M33wT3cuJtyfc0sC"; sha256 = "0bv8qx7snyyndk5879xjbj3ncsb5yxcgp8w0wwfrif3m22d1fn84"; }; + buildInputs = [ pkgs.libgcc ]; nativeBuildInputs = [ pkgs.autoPatchelfHook ]; installPhase = "mkdir -p $out/bin && cp aapt2 $out/bin/"; } + "/bin/aapt2"; From 9413cf3efc429a38c36dd24cd6d11824f2987bdd Mon Sep 17 00:00:00 2001 
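Review bot: The new `buildInputs = [ pkgs.libgcc ];` line carries no explanation, and the reason for it is only recoverable from the commit message. A short comment such as `# prebuilt aapt2 needs libgcc_s.so.1; autoPatchelfHook resolves it from buildInputs` would keep the line from being removed as unused later. If this module is also meant to evaluate against older nixpkgs, it is worth checking that the `pkgs.libgcc` attribute exists there. The derivation this line belongs to starts outside the hunk.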
From: Vladimir Panteleev Date: Thu, 16 May 2024 18:46:20 +0000 Subject: [PATCH 7/7] apks/chromium/default.nix: Fix a Python version incompatibility Fixes e.g.: python3 ../../tools/grit/grit.py -i ../../chrome/app/generated_resources.grd build -o gen/chrome --depdir . --depfile gen/chrome/app/generated_resources_grit.d --write-only-new=1 --depend-on-stamp -E root_gen_dir=gen -E root_src_dir=../../ -D SHARED_INTERMEDIATE_DIR=gen -D DEVTOOLS_GRD_PATH=gen/third_party/devtools-frontend/src/front_end/devtools_resources -D _chromium -E CHROMIUM_BUILD=chromium -E ANDROID_JAVA_TAGGED_ONLY=true -t android -D enable_arcore=false -D enable_background_mode=false -D enable_background_contents=false -D enable_extensions=false -D enable_hangout_services_extension=false -D enable_plugins=false -D enable_print_preview=false -D enable_printing=true -D enable_service_discovery=false -D enable_side_search=false -D enable_supervised_users=true -D enable_vr=false -D enable_webui_tab_strip=false -D safe_browsing_mode=2 -D optimize_webui=true -D enable_feed_v2=true -D use_nss_certs=false -f gen/tools/gritsettings/default_resource_ids --assert-file-list obj/chrome/app/generated_resources_expected_outputs.txt --allowlist-support --js-minifier ../../tools/grit/minify_with_uglify.py --css-minifier ../../tools/grit/minimize_css.py Traceback (most recent call last): File "/build/chromium-100.0.4896.127-src/src/out/Release/../../tools/grit/grit.py", line 29, in sys.exit(grit.grit_runner.Main(sys.argv[1:])) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/build/chromium-100.0.4896.127-src/src/tools/grit/grit/grit_runner.py", line 314, in Main return toolobject.Run(options, args[1:]) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/build/chromium-100.0.4896.127-src/src/tools/grit/grit/tool/build.py", line 255, in Run self.res = grd_reader.Parse(opts.input, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/build/chromium-100.0.4896.127-src/src/tools/grit/grit/grd_reader.py", line 231, in Parse 
handler.root.AssignFirstIds(filename_or_stream, defines) File "/build/chromium-100.0.4896.127-src/src/tools/grit/grit/node/misc.py", line 611, in AssignFirstIds src_root_dir, first_ids = _ReadFirstIdsFromFile(first_ids_filename, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/build/chromium-100.0.4896.127-src/src/tools/grit/grit/node/misc.py", line 67, in _ReadFirstIdsFromFile first_ids_dict = eval(util.ReadFile(filename, 'utf-8')) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/build/chromium-100.0.4896.127-src/src/tools/grit/grit/util.py", line 214, in ReadFile with io.open(filename, mode, encoding=encoding) as f: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ValueError: invalid mode: 'rU' Unfortunately, it is not enough to allow chromium to build, but it does fix that particular error. --- apks/chromium/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apks/chromium/default.nix b/apks/chromium/default.nix index e8228430..a47f903e 100644 --- a/apks/chromium/default.nix +++ b/apks/chromium/default.nix @@ -2,7 +2,7 @@ # SPDX-License-Identifier: MIT { pkgs, callPackage, stdenv, stdenvNoCC, lib, fetchgit, fetchurl, fetchcipd, runCommand, symlinkJoin, writeScript, buildFHSUserEnv, autoPatchelfHook, buildPackages -, python2, python3, ninja, llvmPackages_11, nodejs, jre8, bison, gperf, pkg-config, protobuf, bsdiff +, python2, python310, ninja, llvmPackages_11, nodejs, jre8, bison, gperf, pkg-config, protobuf, bsdiff , dbus, systemd, glibc, at-spi2-atk, atk, at-spi2-core, nspr, nss, pciutils, util-linux, libkrb5, gdk-pixbuf , glib, gtk3, alsa-lib, pulseaudio, xdg-utils, libXScrnSaver, libXcursor, libXtst, libXdamage , libdrm, libxkbcommon @@ -143,6 +143,8 @@ let ''; }; + python3 = python310; + in stdenvNoCC.mkDerivation rec { pname = name; inherit version src;
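Review bot: The `python3 = python310;` binding in the second hunk of apks/chromium/default.nix silently rebinds `python3` for the rest of the `let` body, and nothing in the file says why. I would add `# grit in this Chromium tree opens files with mode 'rU', which Python 3.11 removed; drop this pin once the source is updated` directly above it. This also marks the pin as temporary, since an interpreter fixed at 3.10 stops receiving fixes once that release line reaches end of life. The `let` block starts outside the hunk.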