Build 66: disable clearnet update-check; drop sidecar build steps
Security (audit H-2): the legacy update check is OFF by default. It hit code.gri.mw (GRIM's gitea) directly over CLEARNET via the old HttpClient — leaking "this user runs Goblin" metadata on every wallet-list view, which defeats the nothing-clearnet mixnet model, and it pointed at the wrong project's releases anyway. Opt-in only until reworked to run over the mixnet against Goblin's own releases. Build: with the Nym SDK linked in-process there's no sidecar binary to embed or bundle. linux/build_release.sh drops the GOBLIN_NYM_UNIX_BIN embed (AppImage is one self-contained binary); scripts/android.sh stops bundling nym-socks5-client into jniLibs (the cdylib links nym-sdk directly); scripts/nym-android.sh deleted.
+4
-17
@@ -5,12 +5,8 @@
|
||||
# Usage: linux/build_release.sh [platform]
|
||||
# platform: 'x86_64' (default) or 'arm'
|
||||
#
|
||||
# The nym-socks5-client sidecar is EMBEDDED into the goblin binary (build.rs +
|
||||
# src/nym/sidecar.rs, via GOBLIN_NYM_UNIX_BIN), so the AppImage ships as one
|
||||
# self-contained file with no loose sidecar beside AppRun — matching the
|
||||
# single-file Windows build. Point GOBLIN_NYM_UNIX_BIN at a glibc-2.17 sidecar
|
||||
# (the portable one staged under the project root at nym-dist/) so the embedded
|
||||
# copy is as portable as the host binary.
|
||||
# Goblin links the Nym SDK IN-PROCESS (src/nym/), so the AppImage is one
|
||||
# self-contained binary with no sidecar to embed or ship beside it.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
@@ -25,15 +21,6 @@ esac
|
||||
BASEDIR=$(cd "$(dirname "$0")" && pwd)
|
||||
cd "${BASEDIR}/.."
|
||||
|
||||
# Portable, glibc-2.17 sidecar to embed (override with GOBLIN_NYM_UNIX_BIN).
|
||||
: "${GOBLIN_NYM_UNIX_BIN:=$(cd .. && pwd)/nym-dist/nym-socks5-client}"
|
||||
if [[ ! -x "${GOBLIN_NYM_UNIX_BIN}" ]]; then
|
||||
echo "error: sidecar to embed not found/executable: ${GOBLIN_NYM_UNIX_BIN}" >&2
|
||||
echo " set GOBLIN_NYM_UNIX_BIN to a built nym-socks5-client" >&2
|
||||
exit 1
|
||||
fi
|
||||
export GOBLIN_NYM_UNIX_BIN
|
||||
|
||||
rustup target add "${arch}"
|
||||
command -v cargo-zigbuild >/dev/null || cargo install cargo-zigbuild
|
||||
|
||||
@@ -44,8 +31,8 @@ export CFLAGS_x86_64_unknown_linux_gnu="-DCROARING_COMPILER_SUPPORTS_AVX512=0"
|
||||
export CXXFLAGS_x86_64_unknown_linux_gnu="-DCROARING_COMPILER_SUPPORTS_AVX512=0"
|
||||
cargo zigbuild --release --target "${arch}.2.17"
|
||||
|
||||
# Assemble the AppDir: AppRun IS the goblin binary (sidecar baked in), plus the
|
||||
# icon + desktop entry. No loose sidecar file.
|
||||
# Assemble the AppDir: AppRun IS the goblin binary (Nym SDK linked in), plus the
|
||||
# icon + desktop entry. Nothing else.
|
||||
appdir="linux/Goblin.AppDir"
|
||||
cp "target/${arch}/release/goblin" "${appdir}/AppRun"
|
||||
chmod +x "${appdir}/AppRun"
|
||||
|
||||
+2
-15
@@ -49,21 +49,8 @@ function build_lib() {
|
||||
sed -i -e 's/"cdylib","rlib"]/"rlib"]/g' Cargo.toml
|
||||
rm -f Cargo.toml-e
|
||||
|
||||
# Bundle the Nym SOCKS5 sidecar beside libgrim.so. Named lib*.so so Android
|
||||
# ships it in the APK's jniLibs and extracts it to the native-library dir —
|
||||
# the only exec-allowed location for a child process (manifest needs
|
||||
# extractNativeLibs=true). Built from the Nym workspace; see scripts/nym-android.sh.
|
||||
[[ $1 == "v7" ]] && nym_target=armv7-linux-androideabi
|
||||
[[ $1 == "v8" ]] && nym_target=aarch64-linux-android
|
||||
[[ $1 == "x86" ]] && nym_target=x86_64-linux-android
|
||||
nym_bin="${NYM_DIR:-../nym/target}/${nym_target}/release/nym-socks5-client"
|
||||
if [ -f "${nym_bin}" ]; then
|
||||
cp "${nym_bin}" "android/app/src/main/jniLibs/${arch}/libnym_socks5_client.so"
|
||||
echo "bundled Nym sidecar: jniLibs/${arch}/libnym_socks5_client.so"
|
||||
else
|
||||
echo "WARN: Nym sidecar missing at ${nym_bin} — APK will have NO mixnet sidecar"
|
||||
success=0
|
||||
fi
|
||||
# The Nym mixnet is linked INTO libgrim.so (nym-sdk is a regular dependency),
|
||||
# so there is no separate sidecar binary to cross-build or bundle into jniLibs.
|
||||
}
|
||||
|
||||
### Build application
|
||||
|
||||
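Review bot: Nothing in the new tail of build_lib() removes a `libnym_socks5_client.so` that an earlier build copied into `android/app/src/main/jniLibs/${arch}/`, so a working tree or CI cache that predates this commit may still package the old sidecar binary into the APK. Consider adding `rm -f "android/app/src/main/jniLibs/${arch}/libnym_socks5_client.so"` where the copy used to be, unless jniLibs is already cleaned elsewhere (not visible here). The removed comment also notes that the manifest needed extractNativeLibs=true so the child process could be executed; if nothing else depends on that setting, it can probably be dropped as well. build_lib() starts above this hunk.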
@@ -1,31 +0,0 @@
|
||||
#!/bin/bash
|
||||
# Cross-compile the bundled Nym SOCKS5 sidecar (nym-socks5-client) for Android.
|
||||
# scripts/android.sh copies the result into the APK's jniLibs as
|
||||
# libnym_socks5_client.so so Goblin can launch the mixnet client on-device.
|
||||
#
|
||||
# Usage: NYM_SRC=../nym scripts/nym-android.sh [v7|v8|x86|all]
|
||||
# NYM_SRC path to the Nym workspace checkout (default: ../nym)
|
||||
# Requires: ANDROID_NDK_HOME, rustup android targets, cargo-ndk.
|
||||
#
|
||||
# Note: the sidecar is patched to use preconfigured webpki roots on Android
|
||||
# (common/http-api-client/src/registry.rs) — the default rustls platform
|
||||
# verifier needs the app's JNI context, which a standalone process lacks.
|
||||
set -e
|
||||
|
||||
NYM_SRC="${NYM_SRC:-../nym}"
|
||||
WHICH="${1:-all}"
|
||||
|
||||
build() {
|
||||
local abi="$1"
|
||||
echo ">> building nym-socks5-client for ${abi}"
|
||||
( cd "${NYM_SRC}" && cargo ndk -t "${abi}" build --release -p nym-socks5-client )
|
||||
}
|
||||
|
||||
case "${WHICH}" in
|
||||
v7) build armeabi-v7a ;;
|
||||
v8) build arm64-v8a ;;
|
||||
x86) build x86_64 ;;
|
||||
all) build arm64-v8a; build x86_64; build armeabi-v7a ;;
|
||||
*) echo "usage: $0 [v7|v8|x86|all]"; exit 1 ;;
|
||||
esac
|
||||
echo "done — sidecars in ${NYM_SRC}/target/<triple>/release/nym-socks5-client"
|
||||
@@ -198,7 +198,12 @@ impl Default for AppConfig {
|
||||
use_socks_proxy: None,
|
||||
http_proxy_url: None,
|
||||
socks_proxy_url: None,
|
||||
check_updates: Some(true),
|
||||
// Off by default: the legacy update check hits code.gri.mw (GRIM's
|
||||
// gitea) directly over CLEARNET via the old HttpClient — it leaks
|
||||
// "this user runs Goblin" metadata (defeating the nothing-clearnet
|
||||
// mixnet model) and points at the wrong project's releases. Opt-in
|
||||
// only until reworked to run over the mixnet against Goblin releases.
|
||||
check_updates: Some(false),
|
||||
app_update: None,
|
||||
}
|
||||
}
|
||||
@@ -537,7 +542,7 @@ impl AppConfig {
|
||||
/// Check updates on startup.
|
||||
pub fn check_updates() -> bool {
|
||||
let r_config = Settings::app_config_to_read();
|
||||
r_config.check_updates.unwrap_or(true)
|
||||
r_config.check_updates.unwrap_or(false)
|
||||
}
|
||||
|
||||
/// Disable or enable updates checking.
|
||||
|
||||
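Review bot: Flipping the default in `Default for AppConfig` and the `unwrap_or(false)` fallback in `check_updates()` only covers configs where the field is unset; an install whose saved config already holds `check_updates: Some(true)` (the previous default) would presumably keep making the clearnet request to code.gri.mw after upgrading. If the config is persisted with that value (the load path is not visible here), the H-2 leak stays open for existing users until they switch it off by hand. Consider resetting the stored value once on load, or refusing the check at its call site until it runs over the mixnet. The doc comment could also state the new contract: `/// Whether the legacy clearnet update check is enabled; false when unset.` Both impl blocks extend beyond the hunks.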