Merge pull request #109 from crazy-max/verify-static-env

xx-verify: XX_VERIFY_STATIC env
tonistiigi · Jul 13, 2023 · d31017a · d31017a
2 parents dea0136 + 52103d0
commit d31017a
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -146,6 +146,11 @@ RUN xx-clang --static -o /out/myapp app.c && \
     xx-verify --static /out/myapp
 ```
 
+> **Note**
+> 
+> `XX_VERIFY_STATIC=1` environment variable can be defined to make `xx-verify`
+> always verify that the compiler produced a static binary.
+
 ## C/C++
 
 The recommended method for C-based build is to use `clang` via `xx-clang` wrapper. Clang is natively a cross-compiler, but in order to use it, you also need a linker, compiler-rt or libgcc, and a C library(musl or glibc). All these are available as packages in Alpine and Debian based distros. Clang and linker are binaries and should be installed for your build architecture, while libgcc and C library should be installed for your target architecture.

diff --git a/src/test-verify.bats b/src/test-verify.bats
@@ -53,6 +53,25 @@ load 'assert'
   unset TARGETPLATFORM
 }
 
+@test "static-env" {
+  export XX_VERIFY_STATIC=1
+
+  export XX_VERIFY_FILE_CMD_OUTPUT=": ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-aarch64.so.1, stripped"
+  export TARGETPLATFORM=linux/arm64
+  run xx-verify /idontexist
+  assert_failure
+  assert_output --partial "not statically linked"
+
+  export XX_VERIFY_FILE_CMD_OUTPUT=": ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, with debug_info, not stripped"
+  export TARGETPLATFORM=linux/amd64
+  run xx-verify /idontexist
+  assert_success
+
+  unset XX_VERIFY_FILE_CMD_OUTPUT
+  unset XX_VERIFY_STATIC
+  unset TARGETPLATFORM
+}
+
 @test "darwin" {
   export XX_VERIFY_FILE_CMD_OUTPUT=": Mach-O 64-bit executable x86_64"
   export TARGETPLATFORM=darwin/amd64

diff --git a/src/xx-verify b/src/xx-verify
@@ -38,7 +38,7 @@ EOT
   exit 1
 }
 
-static=""
+static="$XX_VERIFY_STATIC"
 files=""
 
 for i in "$@"; do
@@ -245,7 +245,7 @@ for f in "$@"; do
     fi
   fi
 
-  if [ -n "$static" ] && { [ "$TARGETOS" = "linux" ] || [ "$TARGETOS" = "freebsd" ]; }; then
+  if [ "$static" = "1" ] && { [ "$TARGETOS" = "linux" ] || [ "$TARGETOS" = "freebsd" ]; }; then
     if echo "$out" | grep -E "statically linked|static-pie" >/dev/null; then
       exit 0
     fi