On Mon, Sep 01, 2025 at 10:16:25AM +0100, Colin Watson wrote:
The important bit of the build log diff seems to be:
-/usr/bin/cc -fPIC -g -O2 -Werror=implicit-function-declaration
-ffile-prefix-map=/build/reproducible-path/yubihsm-shell-2.7.0=.
-fstack-protector-strong -fstack-clash-protection -Wformat
-Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2
-I/usr/include/PCSC -flto -Wno-missing-braces -Wno-missing-field-initializers
-Wl,--dependency-file=CMakeFiles/yubihsm.dir/link.d -Wl,-z,relro
-fstack-protector-all -pie -Wl,-z,noexecstack -Wl,-z,relro,-z,now -shared
-Wl,-soname,libyubihsm.so.2 -o libyubihsm.so.2.7.0
CMakeFiles/yubihsm.dir/__/aes_cmac/aes.c.o
CMakeFiles/yubihsm.dir/__/aes_cmac/aes_cmac.c.o
CMakeFiles/yubihsm.dir/__/common/hash.c.o
CMakeFiles/yubihsm.dir/__/common/pkcs5.c.o
CMakeFiles/yubihsm.dir/__/common/rand.c.o
CMakeFiles/yubihsm.dir/__/common/ecdh.c.o CMakeFiles/yubihsm.dir/error.c.o
CMakeFiles/yubihsm.dir/lib_util.c.o CMakeFiles/yubihsm.dir/yubihsm.c.o
CMakeFiles/yubihsm.dir/data_compress.c.o -L/usr/lib/x86_64-linux-gnu -lcrypto
-ldl /usr/lib/x86_64-linux-gnu/libz.so
+/usr/bin/cc -fPIC -g -O2 -Werror=implicit-function-declaration
-ffile-prefix-map=/build/reproducible-path/yubihsm-shell-2.7.0=.
-fstack-protector-strong -fstack-clash-protection -Wformat
-Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2
-I/usr/include/PCSC -flto -Wno-missing-braces -Wno-missing-field-initializers
-Wl,--dependency-file=CMakeFiles/yubihsm.dir/link.d -shared -Wl,-z,relro
-fstack-protector-all -pie -Wl,-z,noexecstack -Wl,-z,relro,-z,now
-Wl,-soname,libyubihsm.so.2 -o libyubihsm.so.2.7.0
CMakeFiles/yubihsm.dir/__/aes_cmac/aes.c.o
CMakeFiles/yubihsm.dir/__/aes_cmac/aes_cmac.c.o
CMakeFiles/yubihsm.dir/__/common/hash.c.o
CMakeFiles/yubihsm.dir/__/common/pkcs5.c.o
CMakeFiles/yubihsm.dir/__/common/rand.c.o
CMakeFiles/yubihsm.dir/__/common/ecdh.c.o CMakeFiles/yubihsm.dir/error.c.o
CMakeFiles/yubihsm.dir/lib_util.c.o CMakeFiles/yubihsm.dir/yubihsm.c.o
CMakeFiles/yubihsm.dir/data_compress.c.o -L/usr/lib/x86_64-linux-gnu -lcrypto
-ldl /usr/lib/x86_64-linux-gnu/libz.so
... i.e. the "-shared" option has been moved before "-Wl,-z,relro
-fstack-protector-all -pie -Wl,-z,noexecstack -Wl,-z,relro,-z,now".
This appears to be enough to break the shared library link, but I
can't figure out where it was changed.
-DCMAKE_POLICY_VERSION_MINIMUM=3.31 seems to make no difference. Do
you have any pointers?
I guess the problem is using -pie when linking a shared library, which
doesn't obviously make sense. Disabling that seems to fix the failure,
so I'll do that.
--
Colin Watson (he/him) [[email protected]]
