From 8e79faeab09aad2b8d6861dd2baa95b419255c90 Mon Sep 17 00:00:00 2001 From: quapka Date: Fri, 20 Jun 2025 22:56:33 +0200 Subject: Wrap building applet, reader and common with Nix --- README.md | 20 ++++++++++++++++++ flake.nix | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+) diff --git a/README.md b/README.md index 5c43f2d..ab4ec9e 100644 --- a/README.md +++ b/README.md @@ -358,6 +358,26 @@ with a given library version and arguments do: nix run "?submodules=1#libressl.v392" -- test default LibreSSL ``` +To build the JavaCard applets: +```shell +nix build "?submodules=1#applets" +# or individually +nix build "?submodules=1#applet222" +nix build "?submodules=1#applet305" +nix build "?submodules=1#applet320" +``` + +To build or run the reader you can: +```shell +nix build '.?submodules=1#reader' +nix run '.?submodules=1#reader' +``` + +If needed, you can also build the `common` library: +```shell +nix build '.?submodules=1#common' +``` + #### Gradle ```shell diff --git a/flake.nix b/flake.nix index 6ca0ef9..9ede30e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -689,6 +689,63 @@ } ); + buildReader = { jdkVersion ? pkgs.jdk17_headless }: with pkgs; gradle2nix.builders.${system}.buildGradlePackage rec { + pname = "ECTesterReader"; + version = "0.3.3"; + lockFile = ./gradle.lock; + buildJdk = pkgs.jdk_headless; + gradleBuildFlags = [ ":reader:uberJar" ]; + src = ./.; + + installPhase = '' + mkdir -p $out + cp -r reader/build $out + ''; + + nativeBuildInputs = [ makeWrapper ]; + + postFixup = '' + makeWrapper \ + ${jdk_headless}/bin/java $out/bin/${pname} \ + --add-flags "-Dstdout.encoding=UTF8 -Dstderr.encoding=UTF8 -jar $out/build/libs/${pname}.jar" + ''; + }; + + buildApplet = { jdkVersion ? pkgs.jdk8_headless }: with pkgs; gradle2nix.builders.${system}.buildGradlePackage rec { + pname = "applet"; + # since the gradle target builds applets for multiple JC SDKs, the + # single version cannot reflet that + version = "0.3.3"; + lockFile = ./gradle.lock; + buildJdk = jdkVersion; + gradleBuildFlags = [ ":applet:buildJavaCard" ]; + src = ./.; + + installPhase = '' + mkdir --parents $out + cp --recursive applet/build/* $out + ''; + + nativeBuildInputs = [ makeWrapper ]; + }; + + buildCommon = { jdkVersion ? pkgs.jdk17_headless }: with pkgs; gradle2nix.builders.${system}.buildGradlePackage rec { + pname = "common"; + version = "0.3.3"; + lockFile = ./gradle.lock; + buildJdk = jdkVersion; + gradleBuildFlags = [ ":common:build" ]; + src = ./.; + + installPhase = '' + mkdir --parents $out + cp --recursive common/build/* $out + ''; + + nativeBuildInputs = [ makeWrapper ]; + }; + + defaultVersion = # Default version is the last one, aka the newest that we fetched libName: 
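Review bot: `buildReader` declares a `jdkVersion` parameter but never uses it — `buildJdk = pkgs.jdk_headless;` and the wrapper's `${jdk_headless}/bin/java` both hard-code an unparameterised JDK, unlike `buildApplet` and `buildCommon`, which set `buildJdk = jdkVersion;`. Suggest `buildJdk = jdkVersion;` and `${jdkVersion}/bin/java` so the build-time and run-time JDK agree with the argument and with each other. The same two lines are carried unchanged through the reformat hunk of ab6363f and the "Simplify build functions" hunk of dc4dd14, so a fix there would apply to all three. The comment in `buildApplet` also has a typo: `reflet` → `reflect`. The enclosing attribute set starts and ends outside the hunk.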
@@ -774,6 +831,20 @@ function = buildECTesterStandalone; }; + reader = buildReader {}; + common = buildCommon {}; + applets = pkgs.buildEnv { + name = "applets"; + paths = [ + applet222 + applet305 + applet320 + ]; + }; + applet222 = buildApplet { jdkVersion = pkgs.jdk8_headless; }; + applet305 = buildApplet { jdkVersion = pkgs.jdk8_headless; }; + applet320 = buildApplet { jdkVersion = pkgs.jdk17_headless; }; + shim = { tomcrypt = loadVersionsForShim { libName = "tomcrypt"; -- cgit v1.2.3-70-g09d2 From f46cbc450e81ce1a61980c724ab0f9f470f47ade Mon Sep 17 00:00:00 2001 From: quapka Date: Sat, 21 Jun 2025 12:29:49 +0200 Subject: Add building reader via Nix to CI --- .github/workflows/nix.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml index 71efe06..45a2348 100644 --- a/.github/workflows/nix.yml +++ b/.github/workflows/nix.yml @@ -50,3 +50,32 @@ jobs: - name: List library run: nix run ".?submodules=1#${{ matrix.library }}.default" -- list-libs + + reader: + runs-on: ubuntu-latest + permissions: + contents: read + + name: Build reader + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + fetch-tags: true + fetch-depth: -1 + + - uses: DeterminateSystems/nix-installer-action@v13 + with: + diagnostic-endpoint: "" + + - uses: DeterminateSystems/magic-nix-cache-action@v7 + with: + diagnostic-endpoint: "" + + - name: Build reader + run: | + nix build ".?submodules=1#reader" + + - name: Show reader --help + run: | + nix build ".?submodules=1#reader" -- --help -- cgit v1.2.3-70-g09d2 From 314d08d47af142633a9b12fef64193c47f37a96b Mon Sep 17 00:00:00 2001 From: quapka Date: Sat, 21 Jun 2025 12:38:26 +0200 Subject: Run, not build the reader as part of CI --- .github/workflows/nix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml index 45a2348..c5dde32 100644 --- a/.github/workflows/nix.yml 
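Review bot: `applet222` and `applet305` are built with identical arguments (`buildApplet { jdkVersion = pkgs.jdk8_headless; }`), and `buildApplet` has no parameter selecting a JavaCard SDK, so the three `appletNNN` outputs differ at most by the JDK rather than by the SDK their names announce; `applet222` and `applet305` evaluate to the same derivation. If the Gradle target emits per-SDK artifacts, `buildApplet` needs an SDK argument that reaches `gradleBuildFlags` or the install step; otherwise the outputs should not be named by SDK. Since every `installPhase` copies `applet/build/*` into `$out`, the `pkgs.buildEnv` over them will probably see colliding paths — worth confirming that `applets` actually builds. The enclosing set continues outside the hunk.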
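Review bot: The third-party actions in the new `reader` job (`actions/checkout@v4`, `DeterminateSystems/nix-installer-action@v13`, `DeterminateSystems/magic-nix-cache-action@v7`) are pinned to mutable tags; pinning each `uses:` to a full-length commit SHA, with the tag kept in a trailing comment, prevents the job from silently picking up a retagged action. The same applies to the `applet` job added in de71e98a. `fetch-depth: -1` does not look like a documented `actions/checkout` value (0 requests full history) — confirm it behaves as intended or align it with the existing jobs. `permissions: contents: read` is the right minimal grant and should stay on any job added later.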
+++ b/.github/workflows/nix.yml @@ -78,4 +78,4 @@ jobs: - name: Show reader --help run: | - nix build ".?submodules=1#reader" -- --help + nix run ".?submodules=1#reader" -- --help -- cgit v1.2.3-70-g09d2 From de71e98a2f73be5dc4b6cc35feb3db4aca648a85 Mon Sep 17 00:00:00 2001 From: quapka Date: Sat, 21 Jun 2025 12:44:18 +0200 Subject: Add building applets via Nix to CI --- .github/workflows/nix.yml | 50 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml index c5dde32..405f619 100644 --- a/.github/workflows/nix.yml +++ b/.github/workflows/nix.yml @@ -79,3 +79,53 @@ jobs: - name: Show reader --help run: | nix run ".?submodules=1#reader" -- --help + + applet: + runs-on: ubuntu-latest + permissions: + contents: read + + strategy: + matrix: + sdk: [ "222", "305", "320" ] + fail-fast: false + + name: Build applet ${{ matrix.sdk }} + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + fetch-tags: true + fetch-depth: -1 + + - uses: DeterminateSystems/nix-installer-action@v13 + with: + diagnostic-endpoint: "" + + - uses: DeterminateSystems/magic-nix-cache-action@v7 + with: + diagnostic-endpoint: "" + + - name: Build applet + run: | + nix build ".?submodules=1#applet${{ matrix.sdk }}" + + name: Build all applets at once + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + fetch-tags: true + fetch-depth: -1 + + - uses: DeterminateSystems/nix-installer-action@v13 + with: + diagnostic-endpoint: "" + + - uses: DeterminateSystems/magic-nix-cache-action@v7 + with: + diagnostic-endpoint: "" + + - name: Build all applets + run: | + nix build ".?submodules=1#applets" -- cgit v1.2.3-70-g09d2 From abdb7c6c564fa61103bd7a79f073c67b0030bebc Mon Sep 17 00:00:00 2001 
From: quapka Date: Sat, 21 Jun 2025 12:47:17 +0200 Subject: Build also all applets as part of the matrix strategy --- .github/workflows/nix.yml | 22 +--------------------- flake.nix | 2 +- 2 files changed, 2 insertions(+), 22 deletions(-) diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml index 405f619..9c3ff62 100644 --- a/.github/workflows/nix.yml +++ b/.github/workflows/nix.yml @@ -87,7 +87,7 @@ jobs: strategy: matrix: - sdk: [ "222", "305", "320" ] + sdk: [ "222", "305", "320", "All" ] fail-fast: false name: Build applet ${{ matrix.sdk }} @@ -109,23 +109,3 @@ jobs: - name: Build applet run: | nix build ".?submodules=1#applet${{ matrix.sdk }}" - - name: Build all applets at once - steps: - - uses: actions/checkout@v4 - with: - submodules: recursive - fetch-tags: true - fetch-depth: -1 - - - uses: DeterminateSystems/nix-installer-action@v13 - with: - diagnostic-endpoint: "" - - - uses: DeterminateSystems/magic-nix-cache-action@v7 - with: - diagnostic-endpoint: "" - - - name: Build all applets - run: | - nix build ".?submodules=1#applets" diff --git a/flake.nix b/flake.nix index 9ede30e..e476541 100644 --- a/flake.nix +++ b/flake.nix @@ -833,7 +833,7 @@ reader = buildReader {}; common = buildCommon {}; - applets = pkgs.buildEnv { + appletAll = pkgs.buildEnv { name = "applets"; paths = [ applet222 -- cgit v1.2.3-70-g09d2 From 8506e63eeea9623d1235b7245aced7f952622b78 Mon Sep 17 00:00:00 2001 From: quapka Date: Sat, 21 Jun 2025 14:21:09 +0200 Subject: Show how to preserve Nix build results locally --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ab4ec9e..1db16ef 100644 --- a/README.md +++ b/README.md 
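Review bot: Renaming `applets` to `appletAll` leaves the README added in 8e79faea pointing at an output that no longer exists (`nix build ".?submodules=1#applets"`), and the later README edit in 1f582350 rewrites that very line without correcting it. Either update the README to `nix build ".?submodules=1#appletAll"` or keep a compatibility alias `applets = appletAll;` next to the renamed attribute. The enclosing `packages` set continues outside the hunk.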
@@ -349,9 +349,9 @@ nix build "?submodules=1#gcrypt.v194" nix build "?submodules=1#" ``` -Each of the build steps above puts (symlinks really) its results into `./result` directory. -However, subsequent builds then replace that with their own results. To run ECTesterStandalone -with a given library version and arguments do: +Each of the build steps above puts (symlinks really) its results into `./result` directory (use `-o/--out-link {path}` +to change that directory). However, subsequent builds then replace that with their own results. To run +ECTesterStandalone with a given library version and arguments do: ```shell # This runs the default test-suite agains LibreSSL 3.9.2 -- cgit v1.2.3-70-g09d2 From ab6363f6cb92b3de9015f665bea6f87e2be7fb4c Mon Sep 17 00:00:00 2001 From: quapka Date: Sat, 21 Jun 2025 15:13:34 +0200 Subject: Autoformat with Neoformat --- flake.nix | 126 ++++++++++++++++++++++++++++++++++---------------------------- 1 file changed, 70 insertions(+), 56 deletions(-) diff --git a/flake.nix b/flake.nix index e476541..ac41b2d 100644 --- a/flake.nix +++ b/flake.nix 
@@ -689,62 +689,76 @@ } ); - buildReader = { jdkVersion ? pkgs.jdk17_headless }: with pkgs; gradle2nix.builders.${system}.buildGradlePackage rec { - pname = "ECTesterReader"; - version = "0.3.3"; - lockFile = ./gradle.lock; - buildJdk = pkgs.jdk_headless; - gradleBuildFlags = [ ":reader:uberJar" ]; - src = ./.; - - installPhase = '' - mkdir -p $out - cp -r reader/build $out - ''; - - nativeBuildInputs = [ makeWrapper ]; - - postFixup = '' - makeWrapper \ - ${jdk_headless}/bin/java $out/bin/${pname} \ - --add-flags "-Dstdout.encoding=UTF8 -Dstderr.encoding=UTF8 -jar $out/build/libs/${pname}.jar" - ''; - }; - - buildApplet = { jdkVersion ? pkgs.jdk8_headless }: with pkgs; gradle2nix.builders.${system}.buildGradlePackage rec { - pname = "applet"; - # since the gradle target builds applets for multiple JC SDKs, the - # single version cannot reflet that - version = "0.3.3"; - lockFile = ./gradle.lock; - buildJdk = jdkVersion; - gradleBuildFlags = [ ":applet:buildJavaCard" ]; - src = ./.; - - installPhase = '' - mkdir --parents $out - cp --recursive applet/build/* $out - ''; - - nativeBuildInputs = [ makeWrapper ]; - }; - - buildCommon = { jdkVersion ? pkgs.jdk17_headless }: with pkgs; gradle2nix.builders.${system}.buildGradlePackage rec { - pname = "common"; - version = "0.3.3"; - lockFile = ./gradle.lock; - buildJdk = jdkVersion; - gradleBuildFlags = [ ":common:build" ]; - src = ./.; - - installPhase = '' - mkdir --parents $out - cp --recursive common/build/* $out - ''; + buildReader = + { + jdkVersion ? 
pkgs.jdk17_headless, + }: + with pkgs; + gradle2nix.builders.${system}.buildGradlePackage rec { + pname = "ECTesterReader"; + version = "0.3.3"; + lockFile = ./gradle.lock; + buildJdk = pkgs.jdk_headless; + gradleBuildFlags = [ ":reader:uberJar" ]; + src = ./.; + + installPhase = '' + mkdir -p $out + cp -r reader/build $out + ''; + + nativeBuildInputs = [ makeWrapper ]; + + postFixup = '' + makeWrapper \ + ${jdk_headless}/bin/java $out/bin/${pname} \ + --add-flags "-Dstdout.encoding=UTF8 -Dstderr.encoding=UTF8 -jar $out/build/libs/${pname}.jar" + ''; + }; - nativeBuildInputs = [ makeWrapper ]; - }; + buildApplet = + { + jdkVersion ? pkgs.jdk8_headless, + }: + with pkgs; + gradle2nix.builders.${system}.buildGradlePackage rec { + pname = "applet"; + # since the gradle target builds applets for multiple JC SDKs, the + # single version cannot reflet that + version = "0.3.3"; + lockFile = ./gradle.lock; + buildJdk = jdkVersion; + gradleBuildFlags = [ ":applet:buildJavaCard" ]; + src = ./.; + + installPhase = '' + mkdir --parents $out + cp --recursive applet/build/* $out + ''; + + nativeBuildInputs = [ makeWrapper ]; + }; + buildCommon = + { + jdkVersion ? pkgs.jdk17_headless, + }: + with pkgs; + gradle2nix.builders.${system}.buildGradlePackage rec { + pname = "common"; + version = "0.3.3"; + lockFile = ./gradle.lock; + buildJdk = jdkVersion; + gradleBuildFlags = [ ":common:build" ]; + src = ./.; + + installPhase = '' + mkdir --parents $out + cp --recursive common/build/* $out + ''; + + nativeBuildInputs = [ makeWrapper ]; + }; defaultVersion = # Default version is the last one, aka the newest that we fetched @@ -831,8 +845,8 @@ function = buildECTesterStandalone; }; - reader = buildReader {}; - common = buildCommon {}; + reader = buildReader { }; + common = buildCommon { }; appletAll = pkgs.buildEnv { name = "applets"; paths = [ -- cgit v1.2.3-70-g09d2 From dc4dd14faf1af0676003c1dc6e31fff5a05342cb Mon Sep 17 00:00:00 2001 
From: quapka Date: Sat, 21 Jun 2025 15:19:36 +0200 Subject: Simplify build functions --- flake.nix | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/flake.nix b/flake.nix index ac41b2d..446c495 100644 --- a/flake.nix +++ b/flake.nix @@ -690,10 +690,10 @@ ); buildReader = + with pkgs; { - jdkVersion ? pkgs.jdk17_headless, + jdkVersion ? jdk17_headless, }: - with pkgs; gradle2nix.builders.${system}.buildGradlePackage rec { pname = "ECTesterReader"; version = "0.3.3"; @@ -717,10 +717,10 @@ }; buildApplet = + with pkgs; { - jdkVersion ? pkgs.jdk8_headless, + jdkVersion ? jdk8_headless, }: - with pkgs; gradle2nix.builders.${system}.buildGradlePackage rec { pname = "applet"; # since the gradle target builds applets for multiple JC SDKs, the @@ -735,15 +735,13 @@ mkdir --parents $out cp --recursive applet/build/* $out ''; - - nativeBuildInputs = [ makeWrapper ]; }; buildCommon = + with pkgs; { - jdkVersion ? pkgs.jdk17_headless, + jdkVersion ? jdk17_headless, }: - with pkgs; gradle2nix.builders.${system}.buildGradlePackage rec { pname = "common"; version = "0.3.3"; @@ -756,8 +754,6 @@ mkdir --parents $out cp --recursive common/build/* $out ''; - - nativeBuildInputs = [ makeWrapper ]; }; defaultVersion = -- cgit v1.2.3-70-g09d2 From 1f582350e4c938265e0cb7f2d6369ee08d9ae4a9 Mon Sep 17 00:00:00 2001 From: quapka Date: Sat, 21 Jun 2025 15:39:20 +0200 Subject: Be consistent in nix build calls I've prefix the build path with a dot (`'.?submodules=1'` instead of `'?submodules=1'`). With an older Nix, the dot was needed. Also, the whole submodules part might not be necessary anymore, but I need it on my local machines and thus prefer to keep it for now. --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 1db16ef..345bb97 100644 --- a/README.md +++ b/README.md 
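Review bot: Moving `with pkgs;` above the argument pattern places the whole function, including the default `jdkVersion ? jdk17_headless`, under a broad `with`, so every attribute of `pkgs` becomes an implicit free variable and a lexically bound name such as `system` silently wins over a `with`-bound one of the same name. A narrower form keeps resolution explicit, e.g. `{ jdkVersion ? pkgs.jdk17_headless }:` for the header and `nativeBuildInputs = [ pkgs.makeWrapper ];` where the wrapper is still needed, with `gradle2nix` and `system` left to their existing bindings. The same pattern is introduced in all three hunks of this commit (`buildReader`, `buildApplet`, `buildCommon`). Each function body continues outside its hunk.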
@@ -341,12 +341,12 @@ nix build "#lib.openssl.v331" # To build a shim using a given version of a library (example mbedTLS 3.5): nix build "#shim.mbedtls.v35" # To build ECTesterStandalone.jar with a given version of a library (example libgcrypt 1.9.4): -nix build "?submodules=1#gcrypt.v194" +nix build ".?submodules=1#gcrypt.v194" # The available versions of the libraries are in the nix/*_pkg_versions.json files. # The "default" version always points to the most recent version. # To build ECTesterStandalone with all the libraries in default versions: -nix build "?submodules=1#" +nix build ".?submodules=1#" ``` Each of the build steps above puts (symlinks really) its results into `./result` directory (use `-o/--out-link {path}` @@ -355,16 +355,16 @@ ECTesterStandalone with a given library version and arguments do: ```shell # This runs the default test-suite agains LibreSSL 3.9.2 -nix run "?submodules=1#libressl.v392" -- test default LibreSSL +nix run ".?submodules=1#libressl.v392" -- test default LibreSSL ``` To build the JavaCard applets: ```shell -nix build "?submodules=1#applets" +nix build ".?submodules=1#applets" # or individually -nix build "?submodules=1#applet222" -nix build "?submodules=1#applet305" -nix build "?submodules=1#applet320" +nix build ".?submodules=1#applet222" +nix build ".?submodules=1#applet305" +nix build ".?submodules=1#applet320" ``` To build or run the reader you can: -- cgit v1.2.3-70-g09d2