Opened 4 years ago

Closed 3 years ago

#60385 closed defect (fixed)

openssh failed to build on leopard powerpc

Reported by: bryancn Owned by: evanmiller (Evan Miller)
Priority: Normal Milestone:
Component: ports Version: 2.6.2
Keywords: leopard powerpc haspatch Cc: udbraumann, evanmiller (Evan Miller)
Port: openssh

Description (last modified by kencu (Ken))

After some trial & error, got all the dependencies to install with:

sudo port install openssh configure.compiler=macports-gcc-6

but then:

:info:build make: *** [sshconnect2.o] Error 1
:info:build make: *** Waiting for unfinished jobs....
:info:build keychain.m:66:31: fatal error: Security/SecItem.h: No such file or directory
:info:build  #  import <Security/SecItem.h>
:info:build                                ^
:info:build compilation terminated.
:info:build make: *** [keychain.o] Error 1
:info:build make: Leaving directory `/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_openssh/openssh/work/openssh-8.1p1'
:info:build Command failed:  cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_openssh/openssh/work/openssh-8.1p1" && /usr/bin/make -j4 -w all 
:info:build Exit code: 2
:error:build Failed to build openssh: command execution failed

Attachments (3)

main.log (510.1 KB) - added by bryancn 4 years ago.
Log
main_udbraumann.log (285.1 KB) - added by udbraumann 4 years ago.
$ sudo port -s upgrade openssh configure.compiler=macports-gcc-7
Portfile (12.2 KB) - added by khepler 4 years ago.
Portfile with osx_keychain variant (enabled by default on 10.6+)

Download all attachments as: .zip

Change History (17)

Changed 4 years ago by bryancn

Attachment: main.log added

Log

comment:1 Changed 4 years ago by kencu (Ken)

Description: modified (diff)
Keywords: openssh removed

comment:2 Changed 4 years ago by kencu (Ken)

yes, looks like that header didn't exist until MacOSX10.6.sdk:

/Developer/SDKs/MacOSX10.6.sdk/System/Library/Frameworks/Security.framework/Versions/A/Headers/SecItem.h
/Developer/SDKs/MacOSX10.7.sdk/System/Library/Frameworks/Security.framework/Versions/A/Headers/SecItem.h
/Developer/SDKs/MacOSX10.8.sdk/System/Library/Frameworks/Security.framework/Versions/A/Headers/SecItem.h
/Developer/SDKs/MacOSX10.9.sdk/System/Library/Frameworks/Security.framework/Versions/A/Headers/SecItem.h
/Developer/SDKs/MacOSX10.10.sdk/System/Library/Frameworks/Security.framework/Versions/A/Headers/SecItem.h
/Developer/SDKs/MacOSX10.11.sdk/System/Library/Frameworks/Security.framework/Versions/A/Headers/SecItem.h
/Developer/SDKs/MacOSX10.13.sdk/System/Library/Frameworks/Security.framework/Versions/A/Headers/SecItem.h

So in this situation, you need to do some sleuthing... when did openssh change to need that header? Is there an acceptable older version available that didn't need that header that can do what you need? Is there an option in openssh that lets you avoid that header somehow (probably there is -- that is a Mac-OS specific header and there is sure to be another pathway for linux systems that might work for Leopard? Can you hack around that header in some way, replacing what it is looking for with something similar that can do the same job?

The easy way out is to just say "10.6 and greater only" and disable it from building on 10.5 and less, but that is cheating :>

Version 0, edited 4 years ago by kencu (Ken) (next)

comment:3 Changed 4 years ago by kencu (Ken)

openssh got some heavy surgery last fall, and the changes make building on powerpc just now impossible.

It is probably fixable though -- a starting point would be to undo the default change to use Apple's KeyChain and then go from there. It looks like a project at this point in time, though.

comment:4 Changed 4 years ago by udbraumann

Interestingly, when I try to upgrade openssh from 7.6p1_5 to 8.1p1_9 on 10.5.8 PPC 32bit, building also stops around sshconnect2.c, but apparently a bit earlier inside keychain.h issuing a syntax error:

...
:info:build /opt/local/bin/gcc-mp-7 -pipe -Os -arch ppc -pipe -Wno-error=format-truncation -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I. -I/opt/local/include -I/opt/local/include -I/opt/local/include -DBROKEN_STRNVIS=1 -D__APPLE_API_STRICT_CONFORMANCE -I/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_net_openssh/openssh/work/include -I/opt/local/include/editline -I/opt/local/include -I/opt/local/include -D__APPLE_KEYCHAIN__ -D__APPLE_MEMBERSHIP__ -D__APPLE_TMPDIR__ -D__APPLE_LAUNCHD__ -DSSHDIR=\"/opt/local/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/opt/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/opt/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/opt/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/opt/local/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshconnect2.c -o sshconnect2.o
:info:build In file included from sshconnect2.c:77:0:
:info:build keychain.h:36:41: error: expected ')' before '^' token
:info:build  int  load_identities_from_keychain(int (^add_identity)(const char *identity));
:info:build                                          ^
:info:build make: *** [sshconnect2.o] Error 1
:info:build make: Leaving directory `/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_net_openssh/openssh/work/openssh-8.1p1'
...

Admittedly, I used gcc7 instead of gcc6.

comment:5 Changed 4 years ago by udbraumann

Cc: udbraumann added

Changed 4 years ago by udbraumann

Attachment: main_udbraumann.log added

$ sudo port -s upgrade openssh configure.compiler=macports-gcc-7

comment:6 Changed 4 years ago by kencu (Ken)

that particular error, with "^" is because Leopard doesn't come with "blocks".

It can be fixed in many cases using the port libblocksruntime. I can't recall if I did this on PPC with gcc yet...I do it on 10.4 and 10.5 Intel sustems using clang, and on clang you use the "-fblocks" flag.

I think the keychain approach is a quagmire... I hope you know how to hold back a port if you're using ppc leopard, and you may get some inspiration from my LeopardPorts overlay.

comment:7 Changed 4 years ago by udbraumann

Well, actually my ssh as of openssh @7.6p1_5 is broken:

$ ssh
dyld: Library not loaded: /opt/local/lib/libcrypto.1.0.0.dylib
  Referenced from: /opt/local/bin/ssh
  Reason: image not found
Trace/BPT trap

What can I do? I have a very recent libcrypto installed (which port does is belong to?):

$ ls -al /opt/local/lib/libcrypto*
-rwxr-xr-x  1 root  admin  4353280 Apr 29 09:56 /opt/local/lib/libcrypto.1.1.dylib
-rw-r--r--  1 root  admin  6493440 Apr 29 09:56 /opt/local/lib/libcrypto.a
lrwxr-xr-x  1 root  admin       19 Apr 29 09:56 /opt/local/lib/libcrypto.dylib -> libcrypto.1.1.dylib

And no, I actually forgot how to hold back a port, would be glad for some advice.

comment:8 Changed 4 years ago by khepler

As a quick test I disabled the Keychain patch for Leopard:

--- /opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/net/openssh/Portfile      2020-04-27 12:03:19.000000000 -0700
+++ Portfile    2020-05-02 13:08:53.000000000 -0700
@@ -50,7 +50,6 @@
                         pam.patch \
                         patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
                         patch-sshd.c-apple-sandbox-named-external.diff \
-                        0002-Apple-keychain-integration-other-changes.patch \
                         macports-config.patch \
                         patch-openbsd_compat-memmem-bug.diff

@@ -105,6 +104,9 @@
     use_parallel_build  yes

     platform macosx {
+        if {${os.major} > 9} {
+            patchfiles-append 0002-Apple-keychain-integration-other-changes.patch
+
         if {${os.major} <= 11} {
             # clang is required to build the new Apple Keychain integration due
             # to it using the Object Subscripting feature, c.f. #59397.
@@ -119,6 +121,7 @@
             compiler.blacklist-append   *gcc* cc {clang < 421}
         }
     }
+    }

     destroot.target     install-nokeys

After removing the patch, openssh-8.1p1_9 compiles with the default compiler and runs fine.

I would like to see the osx_keychain variant return, since in my experience Keychain integration has been broken on Leopard for about ten years. The variant at least allows Leopard users to build OpenSSH. Attaching a suggested Portfile.

Changed 4 years ago by khepler

Attachment: Portfile added

Portfile with osx_keychain variant (enabled by default on 10.6+)

comment:9 Changed 4 years ago by kencu (Ken)

that's good news, thanks for checking that out. I'll see if we can come up with something -- probably using the keychain where it works and disabling it where it doesn't would be the accepted approach.

comment:10 in reply to:  8 Changed 4 years ago by udbraumann

Replying to khepler:

...

I would like to see the osx_keychain variant return, since in my experience Keychain integration has been broken on Leopard for about ten years. The variant at least allows Leopard users to build OpenSSH. Attaching a suggested Portfile.

Thank you, using your Portfile openssh @8.1p1_9 indeed could be built on my 10.5.8 PPC!

comment:11 Changed 4 years ago by ryandesign (Ryan Carsten Schmidt)

Keywords: haspatch added
Summary: openssh filed to build on leopard powerpcopenssh failed to build on leopard powerpc

comment:12 Changed 3 years ago by evanmiller (Evan Miller)

Cc: evanmiller added

comment:14 Changed 3 years ago by evanmiller (Evan Miller)

Owner: set to evanmiller
Resolution: fixed
Status: newclosed

In f6c274e2348fb4f59508f9eed2bbf4c5fcfde583/macports-ports (master):

openssh: Fix build on 10.4/10.5

Disable Keychain integration (and GCC blacklist) on older systems.

Closes: #60385
Closes: #60879

Note: See TracTickets for help on using tickets.