Linux: add Arch package build support (#1740)

2026-05-21 12:01:31 +00:00 · 2026-05-20 02:38:38 +02:00
parent 86082f3bf5
commit 964ecde6a1
7 changed files with 345 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -18,7 +18,14 @@ src/Main/veracrypt
 *.ossse3
 *.oshani
 *.oaesni
+*.oavx2
 *.oarmv8crypto
+src/Setup/Linux/packaging/
+src/Setup/Linux/usr/
+src/Setup/Linux/veracrypt.AppDir/usr/
+src/Setup/Linux/veracrypt.AppDir/veracrypt.png
+src/Setup/Linux/veracrypt_*.tar.gz
+src/Setup/Linux/veracrypt-*-setup-*

 # VC macOS build artifacts
 src/Main/VeraCrypt
@@ -34,6 +41,13 @@ src/Setup/MacOSX/*.pkg
 src/wxrelease
 src/wxdebug

+# Arch Linux package build artifacts
+src/Build/Packaging/arch/pkg/
+src/Build/Packaging/arch/src/
+src/Build/Packaging/arch/PKGBUILD.release
+src/Build/Packaging/arch/*.pkg.tar*
+src/Build/Packaging/arch/*.log
+
 src/.vs

 src/Boot/Windows/obj
@@ -110,4 +124,4 @@ src/Setup/Release
 src/Setup/PortableRelease

 src/SetupDLL/Debug
-src/SetupDLL/Release
+src/SetupDLL/Release
--- a/README.md
+++ b/README.md
@@ -128,6 +128,15 @@ built using the 'NOGUI' parameter:

 `$ make NOGUI=1 WXSTATIC=1`

+## Arch Linux package build:
+
+Arch Linux users can build and install a package from the current checkout with
+makepkg:
+
+`$ cd src/Build/Packaging/arch`
+
+`$ makepkg -si`
+
 On MacOSX, building a console-only executable is not supported.

 ## Mac OS X specifics:
--- a/src/Build/Packaging/arch/Makefile
+++ b/src/Build/Packaging/arch/Makefile
@@ -0,0 +1,24 @@
+VERSION_FILE := ../../../Common/Tcdefs.h
+PKGBUILD_RELEASE := PKGBUILD.release
+PKGBUILD_RELEASE_TEMPLATE := PKGBUILD.release.in
+
+.PHONY: pkgbuild-release
+pkgbuild-release: $(PKGBUILD_RELEASE)
+
+$(PKGBUILD_RELEASE): $(PKGBUILD_RELEASE_TEMPLATE) $(VERSION_FILE)
+	@version="$$(awk -F '"' '/^[[:space:]]*#define[[:space:]]+VERSION_STRING[[:space:]]*"/ { print $$2; exit }' "$(VERSION_FILE)")"; \
+	if [ -z "$$version" ]; then \
+		echo "Unable to read VERSION_STRING from $(VERSION_FILE)" >&2; \
+		exit 1; \
+	fi; \
+	{ \
+		printf '%s\n' '# Maintainer: VeraCrypt upstream'; \
+		printf '%s\n' '# DO NOT EDIT: generated from PKGBUILD.release.in by `make pkgbuild-release`.'; \
+		sed -e '1,2d' -e "s/@VERSION@/$$version/g" "$(PKGBUILD_RELEASE_TEMPLATE)"; \
+	} > "$(PKGBUILD_RELEASE)"
+
+.PHONY: clean
+clean:
+	@if [ -d pkg ]; then rm -rf -- pkg; fi
+	@if [ -d src ]; then rm -rf -- src; fi
+	rm -f -- $(PKGBUILD_RELEASE) *.pkg.tar* *.log
--- a/src/Build/Packaging/arch/PKGBUILD
+++ b/src/Build/Packaging/arch/PKGBUILD
@@ -0,0 +1,71 @@
+# Maintainer: VeraCrypt upstream
+
+pkgname=veracrypt
+# This in-tree PKGBUILD is sourced by makepkg from the checkout. It is not
+# suitable for AUR submission or static PKGBUILD parsers.
+_pkgbuild_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+_veracrypt_root="$(cd "${_pkgbuild_dir}/../../../.." && pwd)"
+pkgver="$(awk -F '"' '/^[[:space:]]*#define[[:space:]]+VERSION_STRING[[:space:]]*"/ { print $2; exit }' "${_veracrypt_root}/src/Common/Tcdefs.h")"
+pkgrel=1
+pkgdesc='Disk encryption with strong security based on TrueCrypt'
+url='https://www.veracrypt.jp/'
+arch=(x86_64 aarch64 armv7h)
+license=('LicenseRef-TrueCrypt AND Apache-2.0')
+depends=(
+  device-mapper
+  fuse2
+  gcc-libs
+  glibc
+  libsm
+  wxwidgets-common
+  wxwidgets-gtk3
+)
+optdepends=(
+  'pcsclite: EMV and smart card keyfile support'
+  'sudo: mounting encrypted volumes as nonroot users'
+)
+makedepends=(
+  pcsclite
+)
+makedepends_x86_64=(
+  yasm
+)
+source=()
+sha512sums=()
+
+build() {
+  cd "${_veracrypt_root}/src"
+  make PKG_CONFIG_PATH=/usr/lib/pkgconfig \
+    WX_CONFIG=/usr/bin/wx-config \
+    TC_EXTRA_LFLAGS="${LDFLAGS}" \
+    TC_EXTRA_CXXFLAGS="${CXXFLAGS} ${CPPFLAGS}" \
+    TC_EXTRA_CFLAGS="${CFLAGS} ${CPPFLAGS}" \
+    NOTEST=1 \
+    clean
+
+  make PKG_CONFIG_PATH=/usr/lib/pkgconfig \
+    WX_CONFIG=/usr/bin/wx-config \
+    TC_EXTRA_LFLAGS="${LDFLAGS}" \
+    TC_EXTRA_CXXFLAGS="${CXXFLAGS} ${CPPFLAGS}" \
+    TC_EXTRA_CFLAGS="${CFLAGS} ${CPPFLAGS}" \
+    NOTEST=1 \
+    NOSTRIP=1
+}
+
+check() {
+  cd "${_veracrypt_root}/src"
+  ./Main/veracrypt --text --test >/dev/null
+}
+
+package() {
+  cd "${_veracrypt_root}/src"
+  make DESTDIR="${pkgdir}" \
+    INSTALL_UNINSTALLER=0 \
+    INSTALL_APPIMAGE_FILES=0 \
+    INSTALL_MOUNT_HELPER_DIR=bin \
+    INSTALL_LICENSE_DIR="share/licenses/${pkgname}" \
+    NOSTRIP=1 \
+    install
+}
+
+# vim: ts=2 sw=2 et:
--- a/src/Build/Packaging/arch/PKGBUILD.release.in
+++ b/src/Build/Packaging/arch/PKGBUILD.release.in
@@ -0,0 +1,82 @@
+# Template for generated PKGBUILD.release.
+# Edit this file and run `make pkgbuild-release`.
+
+pkgname=veracrypt
+pkgver=@VERSION@
+pkgrel=1
+pkgdesc='Disk encryption with strong security based on TrueCrypt'
+url='https://www.veracrypt.jp/'
+arch=(x86_64 aarch64 armv7h)
+license=('LicenseRef-TrueCrypt AND Apache-2.0')
+depends=(
+  device-mapper
+  fuse2
+  gcc-libs
+  glibc
+  libsm
+  wxwidgets-common
+  wxwidgets-gtk3
+)
+optdepends=(
+  'pcsclite: EMV and smart card keyfile support'
+  'sudo: mounting encrypted volumes as nonroot users'
+)
+makedepends=(
+  pcsclite
+)
+makedepends_x86_64=(
+  yasm
+)
+_source_archive="VeraCrypt_${pkgver}_Source.tar.bz2"
+source=(
+  "https://launchpad.net/veracrypt/trunk/${pkgver}/+download/${_source_archive}"
+  "https://launchpad.net/veracrypt/trunk/${pkgver}/+download/${_source_archive}.sig"
+)
+validpgpkeys=(
+  5069A233D55A0EEB174A5FC3821ACD02680D16DE
+)
+# Replace only the source archive SKIP with the published SHA-512 before publishing.
+# The .sig checksum should remain SKIP because makepkg verifies it as a PGP signature.
+sha512sums=(
+  'SKIP'
+  'SKIP'
+)
+
+prepare() {
+  local source_version
+
+  source_version="$(awk -F '"' '/^[[:space:]]*#define[[:space:]]+VERSION_STRING[[:space:]]*"/ { print $2; exit }' "${srcdir}/src/Common/Tcdefs.h")"
+  if [[ "${source_version}" != "${pkgver}" ]]; then
+    printf 'PKGBUILD pkgver (%s) does not match source VERSION_STRING (%s)\n' "${pkgver}" "${source_version}" >&2
+    return 1
+  fi
+}
+
+build() {
+  cd "${srcdir}/src"
+  make PKG_CONFIG_PATH=/usr/lib/pkgconfig \
+    WX_CONFIG=/usr/bin/wx-config \
+    TC_EXTRA_LFLAGS="${LDFLAGS}" \
+    TC_EXTRA_CXXFLAGS="${CXXFLAGS} ${CPPFLAGS}" \
+    TC_EXTRA_CFLAGS="${CFLAGS} ${CPPFLAGS}" \
+    NOTEST=1 \
+    NOSTRIP=1
+}
+
+check() {
+  cd "${srcdir}/src"
+  ./Main/veracrypt --text --test >/dev/null
+}
+
+package() {
+  cd "${srcdir}/src"
+  make DESTDIR="${pkgdir}" \
+    INSTALL_UNINSTALLER=0 \
+    INSTALL_APPIMAGE_FILES=0 \
+    INSTALL_MOUNT_HELPER_DIR=bin \
+    INSTALL_LICENSE_DIR="share/licenses/${pkgname}" \
+    NOSTRIP=1 \
+    install
+}
+
+# vim: ts=2 sw=2 et:
--- a/src/Build/Packaging/arch/README.md
+++ b/src/Build/Packaging/arch/README.md
@@ -0,0 +1,60 @@
+# Arch Linux packaging
+
+This directory contains two Arch Linux build paths:
+
+- `PKGBUILD` packages the current VeraCrypt checkout without downloading
+  sources. Use this for in-tree builds before a release source archive is
+  published.
+- `PKGBUILD.release` packages the official release source archive. Use this as
+  the basis for clean chroot builds and downstream Arch packaging after the
+  release archive is published. It is generated from `PKGBUILD.release.in` and
+  is intentionally not committed.
+
+To build and install a package from the current checkout:
+
+```sh
+cd src/Build/Packaging/arch
+makepkg -si
+```
+
+The package build uses VeraCrypt's normal GNU Make build, stages files through
+`make install DESTDIR=...`, omits the generic self-uninstaller and
+AppImage-specific staging files, installs the HTML documentation for offline
+Help, installs the mount helper under `/usr/bin` for Arch's merged `/usr` layout,
+and places the license under `/usr/share/licenses/veracrypt`. This is deliberate:
+`mount(8)` looks for `/sbin/mount.<type>` helpers, and Arch's `/sbin` symlink to
+`/usr/bin` makes `/usr/bin/mount.veracrypt` resolve through that compatibility
+path while keeping package-owned binaries in `/usr/bin`.
+
+The in-tree `PKGBUILD` intentionally uses the checked-out source tree, so it is
+not the file to submit to the AUR or other package repositories and is not
+suitable for static PKGBUILD parsers or clean chroot builds that only copy
+declared `source=()` inputs. Run static packaging tools against the generated
+`PKGBUILD.release` instead. It runs `make clean` before each build and writes
+normal VeraCrypt build artifacts into the checkout. The `clean` target in this
+directory removes only Arch packaging artifacts and the generated
+`PKGBUILD.release`; it does not clean the upstream VeraCrypt build tree or
+`Setup/Linux/usr`.
+
+The PKGBUILDs run VeraCrypt's self-test from `check()`. Use `makepkg --nocheck`
+only for cross or emulated builds where the target binary cannot run.
+
+For a release build, wait until the official source archive exists, then run:
+
+```sh
+make pkgbuild-release
+```
+
+Replace only the first temporary `SKIP` checksum in `PKGBUILD.release` with the
+published SHA-512 checksum for the source archive. Leave the `.sig` checksum as
+`SKIP`; makepkg uses it for PGP verification. Coordinate changes with the
+official Arch package maintainer when targeting Arch's official repositories. If
+copying `PKGBUILD.release` to an AUR-style packaging repository, regenerate
+`.SRCINFO`:
+
+```sh
+makepkg --printsrcinfo > .SRCINFO
+```
+
+Use `PKGBUILD.release` for reproducible-build checks; byte-identical packages
+should be built from the same release archive rather than a live checkout.
--- a/src/Main/Main.make
+++ b/src/Main/Main.make
@@ -106,7 +106,7 @@ FUSE_LIBS = $(shell $(PKG_CONFIG) $(VC_FUSE_PACKAGE) --libs)

 #------ Executable ------

-export TC_VERSION := $(shell grep VERSION_STRING ../Common/Tcdefs.h | head -n 1 | cut -d'"' -f 2)
+export TC_VERSION := $(shell awk -F '"' '/^[[:space:]]*#define[[:space:]]+VERSION_STRING[[:space:]]*"/ { print $$2; exit }' ../Common/Tcdefs.h)

 #------ Linux package naming ------
 ifeq "$(PLATFORM)" "Linux"
@@ -316,27 +316,99 @@ GZIP_NO_TIMESTAMP       := $(strip $(shell printf x | gzip -n -c >/dev/null 2>&1
 MAKESELF_PACKAGING_DATE := $(strip $(shell makeself --help 2>&1 | grep -q -- '--packaging-date' && echo yes))
 MAKESELF_TAR_EXTRA      := $(strip $(shell makeself --help 2>&1 | grep -q -- '--tar-extra' && echo yes))

+INSTALL_UNINSTALLER ?= 1
+INSTALL_LICENSE ?= 1
+INSTALL_LICENSE_DIR ?= share/doc/$(APPNAME)
+INSTALL_DOCS ?= 1
+INSTALL_LANGUAGES ?= 1
+INSTALL_MOUNT_HELPER ?= 1
+INSTALL_MOUNT_HELPER_DIR ?= sbin
+INSTALL_DESKTOP ?= 1
+INSTALL_MIME ?= 1
+INSTALL_ICONS ?= 1
+INSTALL_APPIMAGE_FILES ?= 1
+
+# These override values are appended below usr and used in shell recipes.
+# Keep command-line/environment overrides literal and path-like.
+INSTALL_PATH_FORBIDDEN_HASH := \#
+INSTALL_PATH_FORBIDDEN_CHARS := ' " ` $$ ( ) [ ] { } ; & | < > * ? ! ~ = : , @ % ^ \ $(INSTALL_PATH_FORBIDDEN_HASH)
+
+define check_install_path
+ifneq ($$(filter command line environment override,$$(origin $(1))),)
+ifneq ($$(findstring $$$$,$$(value $(1))),)
+$$(error $(1) must not contain make or shell variable expansions)
+endif
+endif
+ifneq ($$(words $$($(1))),1)
+$$(error $(1) must be a single relative path below usr without whitespace)
+endif
+ifneq ($$(filter /% ../% %/.. ..,$$($(1)))$$(findstring /../,$$($(1))),)
+$$(error $(1) must be a relative path below usr without '..' components)
+endif
+ifneq ($$(strip $$(foreach c,$$(INSTALL_PATH_FORBIDDEN_CHARS),$$(findstring $$(c),$$($(1))))),)
+$$(error $(1) contains unsupported characters; use only letters, digits, '/', '.', '_', '-' and '+')
+endif
+ifneq ($$(shell LC_ALL=C; case '$$($(1))' in (*[!A-Za-z0-9._+/-]*) printf invalid;; esac),)
+$$(error $(1) contains unsupported characters; use only letters, digits, '/', '.', '_', '-' and '+')
+endif
+endef
+
+$(eval $(call check_install_path,INSTALL_LICENSE_DIR))
+$(eval $(call check_install_path,INSTALL_MOUNT_HELPER_DIR))
+
+ifndef TC_NO_GUI
+# The AppDir copy is only complete when its desktop integration payload is
+# staged into usr first. Native packages can disable both sides together.
+ifneq "$(INSTALL_APPIMAGE_FILES)" "0"
+ifeq "$(INSTALL_DESKTOP)" "0"
+$(error INSTALL_APPIMAGE_FILES requires INSTALL_DESKTOP=1; set INSTALL_APPIMAGE_FILES=0 when omitting desktop files)
+endif
+ifeq "$(INSTALL_MIME)" "0"
+$(error INSTALL_APPIMAGE_FILES requires INSTALL_MIME=1; set INSTALL_APPIMAGE_FILES=0 when omitting MIME files)
+endif
+ifeq "$(INSTALL_ICONS)" "0"
+$(error INSTALL_APPIMAGE_FILES requires INSTALL_ICONS=1; set INSTALL_APPIMAGE_FILES=0 when omitting icons)
+endif
+endif
+endif
+
 prepare: $(APPNAME)
 	rm -fr $(BASE_DIR)/Setup/Linux/usr
 	mkdir -p $(BASE_DIR)/Setup/Linux/usr/bin
-	mkdir -p $(BASE_DIR)/Setup/Linux/usr/share/doc/$(APPNAME)/HTML
 	cp $(BASE_DIR)/Main/$(APPNAME) $(BASE_DIR)/Setup/Linux/usr/bin/$(APPNAME)
+ifneq "$(INSTALL_UNINSTALLER)" "0"
 	cp $(BASE_DIR)/Setup/Linux/$(APPNAME)-uninstall.sh $(BASE_DIR)/Setup/Linux/usr/bin/$(APPNAME)-uninstall.sh
 	chmod +x $(BASE_DIR)/Setup/Linux/usr/bin/$(APPNAME)-uninstall.sh
-	cp $(BASE_DIR)/License.txt $(BASE_DIR)/Setup/Linux/usr/share/doc/$(APPNAME)/License.txt
+endif
+ifneq "$(INSTALL_LICENSE)" "0"
+	mkdir -p "$(BASE_DIR)/Setup/Linux/usr/$(INSTALL_LICENSE_DIR)"
+	cp "$(BASE_DIR)/License.txt" "$(BASE_DIR)/Setup/Linux/usr/$(INSTALL_LICENSE_DIR)/License.txt"
+endif
+ifneq "$(INSTALL_DOCS)" "0"
+	mkdir -p $(BASE_DIR)/Setup/Linux/usr/share/doc/$(APPNAME)/HTML
 	cp -R $(BASE_DIR)/../doc/html/* "$(BASE_DIR)/Setup/Linux/usr/share/doc/$(APPNAME)/HTML"
+endif
+ifneq "$(INSTALL_LANGUAGES)" "0"
 	mkdir -p $(BASE_DIR)/Setup/Linux/usr/share/veracrypt/languages
 	cp -r $(BASE_DIR)/../Translations/* $(BASE_DIR)/Setup/Linux/usr/share/veracrypt/languages/
+endif

-	mkdir -p $(BASE_DIR)/Setup/Linux/usr/sbin
-	cp $(BASE_DIR)/Setup/Linux/mount.$(APPNAME) $(BASE_DIR)/Setup/Linux/usr/sbin/mount.$(APPNAME)
-	chmod +x $(BASE_DIR)/Setup/Linux/usr/sbin/mount.$(APPNAME)
+ifneq "$(INSTALL_MOUNT_HELPER)" "0"
+	mkdir -p "$(BASE_DIR)/Setup/Linux/usr/$(INSTALL_MOUNT_HELPER_DIR)"
+	cp "$(BASE_DIR)/Setup/Linux/mount.$(APPNAME)" "$(BASE_DIR)/Setup/Linux/usr/$(INSTALL_MOUNT_HELPER_DIR)/mount.$(APPNAME)"
+	chmod +x "$(BASE_DIR)/Setup/Linux/usr/$(INSTALL_MOUNT_HELPER_DIR)/mount.$(APPNAME)"
+endif
 ifndef TC_NO_GUI
+ifneq "$(INSTALL_DESKTOP)" "0"
 	mkdir -p $(BASE_DIR)/Setup/Linux/usr/share/applications
-	mkdir -p $(BASE_DIR)/Setup/Linux/usr/share/mime/packages
 	cp $(BASE_DIR)/Setup/Linux/$(APPNAME).desktop $(BASE_DIR)/Setup/Linux/usr/share/applications/$(APPNAME).desktop
+endif
+ifneq "$(INSTALL_MIME)" "0"
+	mkdir -p $(BASE_DIR)/Setup/Linux/usr/share/mime/packages
 	cp $(BASE_DIR)/Setup/Linux/$(APPNAME).xml $(BASE_DIR)/Setup/Linux/usr/share/mime/packages/$(APPNAME).xml
+endif

+ifneq "$(INSTALL_ICONS)" "0"
 	mkdir -p $(BASE_DIR)/Setup/Linux/usr/share/pixmaps
 	mkdir -p $(BASE_DIR)/Setup/Linux/usr/share/icons/hicolor/scalable/apps
 	mkdir -p $(BASE_DIR)/Setup/Linux/usr/share/icons/hicolor/symbolic/apps
@@ -348,10 +420,15 @@ ifndef TC_NO_GUI
 		mkdir -p $(BASE_DIR)/Setup/Linux/usr/share/icons/hicolor/$${res}x$${res}/apps ;\
 		cp $(BASE_DIR)/Resources/Icons/VeraCrypt-$${res}x$${res}.png $(BASE_DIR)/Setup/Linux/usr/share/icons/hicolor/$${res}x$${res}/apps/$(APPNAME).png ;\
 	done
+endif

+ifneq "$(INSTALL_APPIMAGE_FILES)" "0"
 	rm -fr $(BASE_DIR)/Setup/Linux/veracrypt.AppDir/usr
 	cp -r $(BASE_DIR)/Setup/Linux/usr $(BASE_DIR)/Setup/Linux/veracrypt.AppDir/.
+ifneq "$(INSTALL_ICONS)" "0"
 	ln -sf usr/share/icons/hicolor/1024x1024/apps/$(APPNAME).png $(BASE_DIR)/Setup/Linux/veracrypt.AppDir/$(APPNAME).png
+endif
+endif
 endif
 	# Normalise modification times of every staged file. cp preserves the
 	# checkout-time mtimes of the source tree, which would otherwise leak