blog-contributions/opsec/compilation/index.html
2024-10-03 21:57:20 +02:00


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>How to compile open source software + How to verify software integrity</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">nihilist`s Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-06-28</ba></p>
<h1>How to compile open source software + How to verify software integrity </h1>
<p><h2><u>OPSEC Recommendations:</u></h2></p>
<ol>
<li><p>Hardware : PC / Laptop / Homeserver / Remote Server</p></li>
<li><p>OS : <a href="../linux/index.html">Linux</a></p></li>
</ol>
<p>I recommend using this setup for <a href="../privacy/index.html">Private use</a>, as per the <a href="../opsec4levels/index.html">4 basic OPSEC levels</a>.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Why even compile software yourself?</b></h2>
<p>As we have discussed <a href="../closedsource/index.html">previously</a>, software first needs to be written by a developer, then compiled to produce a binary file (like an .exe file on Windows, or a binary file on Debian) before it can be used.</p>
<img src="../closedsource/1.png" class="imgRz">
<p>The largest website hosting open-source software repositories is <a href="https://github.com">GitHub</a>.</p>
<p>In this case, Bob wants a screenshot tool on Debian, and he wants it to be open-source:</p>
<img src="1.png" class="imgRz">
<p>Here we see that there is a popular screenshot tool called "Flameshot" that is available on GitHub:</p>
<img src="2.png" class="imgRz">
<p>All of the source code is available, so if Bob is concerned that there may be spyware, he can browse all of the code to check whether there is any in it.</p>
<img src="3.png" class="imgRz">
<p>Next, Bob can find the compiled binaries of flameshot in the releases tab:</p>
<img src="4.png" class="imgRz">
<p>But! Bob is an open-source purist, he thinks that the flameshot developers intentionally compiled the software with spyware in it. <b>Bob doesn't trust them to compile the software for him, hence he wants to compile the software himself.</b></p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>How to compile software (ex: C++)</b></h2> </br> </br>
<p>Each project can come with its own compilation requirements, so make sure you read its documentation on how to compile it. For example, <a href="https://github.com/flameshot-org/flameshot?tab=readme-ov-file#compilation">flameshot</a> has specific compilation instructions:</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/4 ] [~]
→ cd Documents
[ mainpc ] [ /dev/pts/4 ] [~/Documents]
→ git clone https://github.com/flameshot-org/flameshot
Cloning into 'flameshot'...
remote: Enumerating objects: 18204, done.
remote: Counting objects: 100% (5467/5467), done.
remote: Compressing objects: 100% (339/339), done.
remote: Total 18204 (delta 5251), reused 5155 (delta 5128), pack-reused 12737
Receiving objects: 100% (18204/18204), 23.03 MiB | 2.38 MiB/s, done.
Resolving deltas: 100% (13494/13494), done.
[ mainpc ] [ /dev/pts/4 ] [~/Documents]
→ cd flameshot
# Compile-time
sudo apt install g++ cmake build-essential qtbase5-dev qttools5-dev-tools libqt5svg5-dev qttools5-dev -y
# Run-time
sudo apt install libqt5dbus5 libqt5network5 libqt5core5a libqt5widgets5 libqt5gui5 libqt5svg5 -y
# Optional
sudo apt install git openssl ca-certificates -y
</code></pre>
<p>Now that the dependencies are installed, we start to compile flameshot:</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
→ cmake -S . -B build && cmake --build build
-- The CXX compiler identification is GNU 12.2.0
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Setting build type to 'RelWithDebInfo' as none was specified.
CMake Warning at cmake/Cache.cmake:28 (message):
ccache is enabled but was not found. Not using it
Call Stack (most recent call first):
CMakeLists.txt:84 (include)
-- Performing Test Wall_FLAG_SUPPORTED
-- Performing Test Wall_FLAG_SUPPORTED - Success
-- Performing Test pedantic_FLAG_SUPPORTED
-- Performing Test pedantic_FLAG_SUPPORTED - Success
-- Performing Test Wextra_FLAG_SUPPORTED
-- Performing Test Wextra_FLAG_SUPPORTED - Success
Flameshot predefined color palette large: false
-- Found Git: /usr/bin/git (found version "2.39.2")
git found: /usr/bin/git in version 2.39.2
FLAMESHOT_GIT_HASH: c1dac522
-- Configuring done
-- Generating done
-- Build files have been written to: /home/nihilist/Documents/flameshot/build
[ 1%] Automatic MOC for target SingleApplication
[ 1%] Built target SingleApplication_autogen
[ 2%] Building CXX object external/singleapplication/CMakeFiles/SingleApplication.dir/SingleApplication_autogen/mocs_compilation.cpp.o
[...]
</code></pre>
<p>Here, it's starting to compile. Wait for it to reach 100%, then you can run the binary file as follows:</p>
<pre><code class="nim">
[...]
[ 96%] Building CXX object src/CMakeFiles/flameshot.dir/tools/abstracttwopointtool.cpp.o
[ 97%] Building CXX object src/CMakeFiles/flameshot.dir/tools/capturecontext.cpp.o
[ 97%] Building CXX object src/CMakeFiles/flameshot.dir/tools/toolfactory.cpp.o
[ 98%] Building CXX object src/CMakeFiles/flameshot.dir/main.cpp.o
[ 98%] Building CXX object src/CMakeFiles/flameshot.dir/flameshot_autogen/IJ3KGTTQ5V/qrc_graphics.cpp.o
[100%] Linking CXX executable flameshot
[100%] Built target flameshot
[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
→ ls
appveyor.yml CMakeLists.txt docs LICENSE scripts src
build CODE_OF_CONDUCT.md external packaging shell.nix tests
cmake data flameshot.example.ini README.md snapcraft.yaml
[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
→ ls -lash build/src/flameshot
49M -rwxr-xr-x 1 nihilist nihilist 49M Jun 28 14:14 build/src/flameshot
[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
→ ./build/src/flameshot
</code></pre>
<p>If you want to be able to launch the flameshot binary without specifying the full path each time, you can make it available on your system PATH by symlinking it into /usr/local/bin:</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
→ ls -lash build/src/flameshot
49M -rwxr-xr-x 1 nihilist nihilist 49M Jun 28 14:14 build/src/flameshot
[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
→ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
→ ln -s $(pwd)/build/src/flameshot /usr/local/bin/flameshot
ln: failed to create symbolic link '/usr/local/bin/flameshot': Permission denied
[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
→ sudo ln -s $(pwd)/build/src/flameshot /usr/local/bin/flameshot
[sudo] password for nihilist:
[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
→ which flameshot
/usr/bin/flameshot
[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
→ flameshot
</code></pre>
<p>As we run the binary from the command line, we then see the flameshot program opening here:</p>
<img src="5.png" class="imgRz">
<p>As we click on the logo, we can enter the screenshot mode:</p>
<img src="5.5.png" class="imgRz">
<p>Then we click and drag to select the area of the screenshot:</p>
<img src="6.png" class="imgRz">
<p>Then we can click the "save" icon to save the image somewhere:</p>
<img src="7.png" class="imgRz">
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>How to verify software integrity</b></h2> </br> </br>
<p>Now, Bob isn't going to compile everything; he doesn't have that patience. The next best thing is to download the pre-compiled binaries and check their hash:</p>
<img src="8.png" class="imgRz">
<p>In this case, the flameshot appimage binary has been released along with its sha256 hash, so Bob downloads both:</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
→ wget https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage
--2024-06-28 14:31:09-- https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage
[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
→ wget https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage.sha256sum
--2024-06-28 14:32:26-- https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage.sha256sum
</code></pre>
<p>Next, to check the integrity of the appimage file, we check the hash that we've downloaded:</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
→ cat Flameshot-12.1.0.x86_64.AppImage.sha256sum
c30634c84161f09e8dde74c76367b1ce848414bb1cc269c2a2715f6803220738 Flameshot-12.1.0.x86_64.AppImage
</code></pre>
<p>Then we compare it to the hash we get when using the sha256sum command on the flameshot appimage:</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
→ sha256sum Flameshot-12.1.0.x86_64.AppImage
c30634c84161f09e8dde74c76367b1ce848414bb1cc269c2a2715f6803220738 Flameshot-12.1.0.x86_64.AppImage
</code></pre>
<p>Here we see that the sha256 hash we get from the flameshot appimage binary is the same as the hash that was put online by the flameshot developers. This means that the binary didn't get tampered with between the original release and its arrival inside Bob's Debian VM. Hence, Bob can now use the flameshot appimage binary with peace of mind!</p>
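<p>The manual comparison above can be scripted so that the shell, rather than the eye, compares the two 64-character hashes. The following is an added example, not part of the original post or of the flameshot project; the function names <code>verify_release</code> and <code>demo</code> and the stand-in file <code>app.bin</code> are assumptions made for illustration, and the sample file is constructed so the script runs offline.</p>

```shell
#!/bin/sh
# Added example (not from the original post): scripted form of the manual
# hash comparison. Function and file names are illustrative.

# verify_release DIR NAME
#   0 = DIR/NAME matches the hash listed for NAME in DIR/NAME.sha256sum
#   1 = hash mismatch
#   2 = missing file, or no well-formed entry for NAME in the checksum file
verify_release() {
    dir=$1; name=$2; sums="$dir/$name.sha256sum"
    [ -f "$dir/$name" ] && [ -f "$sums" ] || return 2
    # Take the hash only from the line that names exactly this file, so a
    # checksum file describing some other file can never vouch for it.
    expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n) }
                                 n == f { print tolower($1) }' "$sums")
    printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$' || return 2
    actual=$(sha256sum "$dir/$name" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Constructed, offline demonstration: a stand-in "release" file, its
# checksum file, then a modified copy and a mislabelled checksum file.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed sample payload\n' > "$tmp/app.bin"
    ( cd "$tmp" && sha256sum app.bin > app.bin.sha256sum )
    verify_release "$tmp" app.bin && intact=0 || intact=$?

    printf 'x' >> "$tmp/app.bin"              # file changed after release
    verify_release "$tmp" app.bin && changed=0 || changed=$?

    sed 's/app\.bin$/other.bin/' "$tmp/app.bin.sha256sum" > "$tmp/s" &&
        mv "$tmp/s" "$tmp/app.bin.sha256sum"  # entry now names another file
    verify_release "$tmp" app.bin && mislabelled=0 || mislabelled=$?

    rm -rf "$tmp"
    echo "intact=$intact changed=$changed mislabelled=$mislabelled"
}

demo
```

<p>For the download above, the call would be <code>verify_release . Flameshot-12.1.0.x86_64.AppImage</code>; a zero exit status says the file matches the checksum file it was compared against.</p>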
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FL5jrGV2L_Bb20Oj0aE4Gn-m5AHet9XdpYDotiqpcpGc%3D%40nowhere.moe%2FH4g7zPbitSLV5tDQ51Yz-R6RgOkMEeCc%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAkts5T5AMxHGrZCCg12aeKxWcpXaxbB_XqjrXmcFYlDQ%253D&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22c3Y-iDaoDCFm6RhptSDOaw%3D%3D%22%7D">SimpleX Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@contact.nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>