Linux: add Arch package build support (#1740)

2026-06-15 09:06:08 -05:00 · 2026-05-20 02:38:38 +02:00
parent 86082f3bf5
commit 964ecde6a1
7 changed files with 345 additions and 8 deletions
@@ -0,0 +1,24 @@
+VERSION_FILE := ../../../Common/Tcdefs.h
+PKGBUILD_RELEASE := PKGBUILD.release
+PKGBUILD_RELEASE_TEMPLATE := PKGBUILD.release.in
+
+.PHONY: pkgbuild-release
+pkgbuild-release: $(PKGBUILD_RELEASE)
+
+$(PKGBUILD_RELEASE): $(PKGBUILD_RELEASE_TEMPLATE) $(VERSION_FILE)
+	@version="$$(awk -F '"' '/^[[:space:]]*#define[[:space:]]+VERSION_STRING[[:space:]]*"/ { print $$2; exit }' "$(VERSION_FILE)")"; \
+	if [ -z "$$version" ]; then \
+		echo "Unable to read VERSION_STRING from $(VERSION_FILE)" >&2; \
+		exit 1; \
+	fi; \
+	{ \
+		printf '%s\n' '# Maintainer: VeraCrypt upstream'; \
+		printf '%s\n' '# DO NOT EDIT: generated from PKGBUILD.release.in by `make pkgbuild-release`.'; \
+		sed -e '1,2d' -e "s/@VERSION@/$$version/g" "$(PKGBUILD_RELEASE_TEMPLATE)"; \
+	} > "$(PKGBUILD_RELEASE)"
+
+.PHONY: clean
+clean:
+	@if [ -d pkg ]; then rm -rf -- pkg; fi
+	@if [ -d src ]; then rm -rf -- src; fi
+	rm -f -- $(PKGBUILD_RELEASE) *.pkg.tar* *.log
@@ -0,0 +1,71 @@
+# Maintainer: VeraCrypt upstream
+
+pkgname=veracrypt
+# This in-tree PKGBUILD is sourced by makepkg from the checkout. It is not
+# suitable for AUR submission or static PKGBUILD parsers.
+_pkgbuild_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+_veracrypt_root="$(cd "${_pkgbuild_dir}/../../../.." && pwd)"
+pkgver="$(awk -F '"' '/^[[:space:]]*#define[[:space:]]+VERSION_STRING[[:space:]]*"/ { print $2; exit }' "${_veracrypt_root}/src/Common/Tcdefs.h")"
+pkgrel=1
+pkgdesc='Disk encryption with strong security based on TrueCrypt'
+url='https://www.veracrypt.jp/'
+arch=(x86_64 aarch64 armv7h)
+license=('LicenseRef-TrueCrypt AND Apache-2.0')
+depends=(
+  device-mapper
+  fuse2
+  gcc-libs
+  glibc
+  libsm
+  wxwidgets-common
+  wxwidgets-gtk3
+)
+optdepends=(
+  'pcsclite: EMV and smart card keyfile support'
+  'sudo: mounting encrypted volumes as nonroot users'
+)
+makedepends=(
+  pcsclite
+)
+makedepends_x86_64=(
+  yasm
+)
+source=()
+sha512sums=()
+
+build() {
+  cd "${_veracrypt_root}/src"
+  make PKG_CONFIG_PATH=/usr/lib/pkgconfig \
+    WX_CONFIG=/usr/bin/wx-config \
+    TC_EXTRA_LFLAGS="${LDFLAGS}" \
+    TC_EXTRA_CXXFLAGS="${CXXFLAGS} ${CPPFLAGS}" \
+    TC_EXTRA_CFLAGS="${CFLAGS} ${CPPFLAGS}" \
+    NOTEST=1 \
+    clean
+
+  make PKG_CONFIG_PATH=/usr/lib/pkgconfig \
+    WX_CONFIG=/usr/bin/wx-config \
+    TC_EXTRA_LFLAGS="${LDFLAGS}" \
+    TC_EXTRA_CXXFLAGS="${CXXFLAGS} ${CPPFLAGS}" \
+    TC_EXTRA_CFLAGS="${CFLAGS} ${CPPFLAGS}" \
+    NOTEST=1 \
+    NOSTRIP=1
+}
+
+check() {
+  cd "${_veracrypt_root}/src"
+  ./Main/veracrypt --text --test >/dev/null
+}
+
+package() {
+  cd "${_veracrypt_root}/src"
+  make DESTDIR="${pkgdir}" \
+    INSTALL_UNINSTALLER=0 \
+    INSTALL_APPIMAGE_FILES=0 \
+    INSTALL_MOUNT_HELPER_DIR=bin \
+    INSTALL_LICENSE_DIR="share/licenses/${pkgname}" \
+    NOSTRIP=1 \
+    install
+}
+
+# vim: ts=2 sw=2 et:
@@ -0,0 +1,82 @@
+# Template for generated PKGBUILD.release.
+# Edit this file and run `make pkgbuild-release`.
+
+pkgname=veracrypt
+pkgver=@VERSION@
+pkgrel=1
+pkgdesc='Disk encryption with strong security based on TrueCrypt'
+url='https://www.veracrypt.jp/'
+arch=(x86_64 aarch64 armv7h)
+license=('LicenseRef-TrueCrypt AND Apache-2.0')
+depends=(
+  device-mapper
+  fuse2
+  gcc-libs
+  glibc
+  libsm
+  wxwidgets-common
+  wxwidgets-gtk3
+)
+optdepends=(
+  'pcsclite: EMV and smart card keyfile support'
+  'sudo: mounting encrypted volumes as nonroot users'
+)
+makedepends=(
+  pcsclite
+)
+makedepends_x86_64=(
+  yasm
+)
+_source_archive="VeraCrypt_${pkgver}_Source.tar.bz2"
+source=(
+  "https://launchpad.net/veracrypt/trunk/${pkgver}/+download/${_source_archive}"
+  "https://launchpad.net/veracrypt/trunk/${pkgver}/+download/${_source_archive}.sig"
+)
+validpgpkeys=(
+  5069A233D55A0EEB174A5FC3821ACD02680D16DE
+)
+# Replace only the source archive SKIP with the published SHA-512 before publishing.
+# The .sig checksum should remain SKIP because makepkg verifies it as a PGP signature.
+sha512sums=(
+  'SKIP'
+  'SKIP'
+)
+
+prepare() {
+  local source_version
+
+  source_version="$(awk -F '"' '/^[[:space:]]*#define[[:space:]]+VERSION_STRING[[:space:]]*"/ { print $2; exit }' "${srcdir}/src/Common/Tcdefs.h")"
+  if [[ "${source_version}" != "${pkgver}" ]]; then
+    printf 'PKGBUILD pkgver (%s) does not match source VERSION_STRING (%s)\n' "${pkgver}" "${source_version}" >&2
+    return 1
+  fi
+}
+
+build() {
+  cd "${srcdir}/src"
+  make PKG_CONFIG_PATH=/usr/lib/pkgconfig \
+    WX_CONFIG=/usr/bin/wx-config \
+    TC_EXTRA_LFLAGS="${LDFLAGS}" \
+    TC_EXTRA_CXXFLAGS="${CXXFLAGS} ${CPPFLAGS}" \
+    TC_EXTRA_CFLAGS="${CFLAGS} ${CPPFLAGS}" \
+    NOTEST=1 \
+    NOSTRIP=1
+}
+
+check() {
+  cd "${srcdir}/src"
+  ./Main/veracrypt --text --test >/dev/null
+}
+
+package() {
+  cd "${srcdir}/src"
+  make DESTDIR="${pkgdir}" \
+    INSTALL_UNINSTALLER=0 \
+    INSTALL_APPIMAGE_FILES=0 \
+    INSTALL_MOUNT_HELPER_DIR=bin \
+    INSTALL_LICENSE_DIR="share/licenses/${pkgname}" \
+    NOSTRIP=1 \
+    install
+}
+
+# vim: ts=2 sw=2 et:
@@ -0,0 +1,60 @@
+# Arch Linux packaging
+
+This directory contains two Arch Linux build paths:
+
+- `PKGBUILD` packages the current VeraCrypt checkout without downloading
+  sources. Use this for in-tree builds before a release source archive is
+  published.
+- `PKGBUILD.release` packages the official release source archive. Use this as
+  the basis for clean chroot builds and downstream Arch packaging after the
+  release archive is published. It is generated from `PKGBUILD.release.in` and
+  is intentionally not committed.
+
+To build and install a package from the current checkout:
+
+```sh
+cd src/Build/Packaging/arch
+makepkg -si
+```
+
+The package build uses VeraCrypt's normal GNU Make build, stages files through
+`make install DESTDIR=...`, omits the generic self-uninstaller and
+AppImage-specific staging files, installs the HTML documentation for offline
+Help, installs the mount helper under `/usr/bin` for Arch's merged `/usr` layout,
+and places the license under `/usr/share/licenses/veracrypt`. This is deliberate:
+`mount(8)` looks for `/sbin/mount.<type>` helpers, and Arch's `/sbin` symlink to
+`/usr/bin` makes `/usr/bin/mount.veracrypt` resolve through that compatibility
+path while keeping package-owned binaries in `/usr/bin`.
+
+The in-tree `PKGBUILD` intentionally uses the checked-out source tree, so it is
+not the file to submit to the AUR or other package repositories and is not
+suitable for static PKGBUILD parsers or clean chroot builds that only copy
+declared `source=()` inputs. Run static packaging tools against the generated
+`PKGBUILD.release` instead. It runs `make clean` before each build and writes
+normal VeraCrypt build artifacts into the checkout. The `clean` target in this
+directory removes only Arch packaging artifacts and the generated
+`PKGBUILD.release`; it does not clean the upstream VeraCrypt build tree or
+`Setup/Linux/usr`.
+
+The PKGBUILDs run VeraCrypt's self-test from `check()`. Use `makepkg --nocheck`
+only for cross or emulated builds where the target binary cannot run.
+
+For a release build, wait until the official source archive exists, then run:
+
+```sh
+make pkgbuild-release
+```
+
+Replace only the first temporary `SKIP` checksum in `PKGBUILD.release` with the
+published SHA-512 checksum for the source archive. Leave the `.sig` checksum as
+`SKIP`; makepkg uses it for PGP verification. Coordinate changes with the
+official Arch package maintainer when targeting Arch's official repositories. If
+copying `PKGBUILD.release` to an AUR-style packaging repository, regenerate
+`.SRCINFO`:
+
+```sh
+makepkg --printsrcinfo > .SRCINFO
+```
+
+Use `PKGBUILD.release` for reproducible-build checks; byte-identical packages
+should be built from the same release archive rather than a live checkout.