Add -Wl,--build-id=sha1 to the default LDFLAGS

This is already the default for ld.bfd, so this is effectively a no-op for most packages. However, lld defaults different build-id algorithm that the RPM build process does not support, so it needs this flag. This flag can be overriden by setting the %_build_id_flags macro, which packages could do if they wanted to use a more secure build-id algorithm.
2021-11-13 00:44:22 +00:00 · 2021-11-13 00:44:22 +00:00 · 95f28bd10b
commit 95f28bd10b
parent faf5c36887
3 changed files with 16 additions and 2 deletions
--- a/buildflags.md
+++ b/buildflags.md
@ -195,6 +195,13 @@ For example, this can be required if shared objects are used for their
 side effects in ELF constructors, or for making them available to
 dynamically loaded plugins.

+### Specifying the build-id algorithm
+
+If you want to specify a different build-id algorithm for your builds, you
+can use the %_build_id_flags macro:
+
+    %_build_id_flags -Wl,--build-id=sha1
+
 ### Strict symbol checks in the link editor (ld)

 Optionally, the link editor will refuse to link shared objects which
--- a/6
+++ b/6
@ -72,7 +72,7 @@
 # When clang is used as a linker driver, it does not auto-detect the LTO
 # bytecode and neither does bfd, so we need to explicitly pass the -flto
 # flag when linking.
-%build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_lto_cflags}" : "" ]
+%build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_lto_cflags}" : "" ] %{_build_id_flags}

 # Expands to shell code to set the compiler/linker environment
 # variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have
@ -325,6 +325,10 @@ print(result)
 %_clang_lto_cflags	-flto
 %_lto_cflags		%{expand:%%{_%{toolchain}_lto_cflags}}

+# Some linkers default to a build-id algoritim that is not supported by rpmbuild,
+# so we need to specify the right algorithm to use.
+%_build_id_flags	-Wl,--build-id=sha1
+
 %_general_options       -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe
 %_warning_options       -Wall -Werror=format-security
 %_preprocessor_defines  -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
--- a/redhat-rpm-config.spec
+++ b/redhat-rpm-config.spec
@ -6,7 +6,7 @@

 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
-Version: 206
+Version: 207
 Release: 1%{?dist}
 # No version specified.
 License: GPL+
@ -190,6 +190,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
 %doc buildflags.md

 %changelog
+* Tue Dec 14 2021 Tom Stellard <tstellar@redhat.com> - 207-1
+- Add -Wl,--build-id=sha1 to the default LDFLAGS
+
 * Tue Dec 07 2021 Miro Hrončok <mhroncok@redhat.com> - 206-1
 - brp-mangle-shebangs: also mangle shebangs of JavaScript executables
 - Fixes: rhbz#1998924