curl-pkg.sh: run checksec on linux build results

vszakats · vszakats · commit a3bf4ddccb1d · 2023-09-22T14:28:32.000Z
If `checksec` tool if available. Also show per-function fortify details.
diff --git a/_build-runner.sh b/_build-runner.sh
@@ -34,6 +34,9 @@ if [ ! -f .cw-initialized ]; then
     Linux*)
       [[ "${CW_CONFIG:-}" = *'boringssl'* ]] && extra="${extra} golang nasm"
       [[ "${CW_CONFIG:-}" = *'musl'* ]] && extra="${extra} musl musl-dev musl-tools"
+      if [[ "${CW_CONFIG:-}" = *'linux'* ]]; then
+        extra="${extra} checksec"
+      fi
       # shellcheck disable=SC2086
       apt-get --quiet 2 --option Dpkg::Use-Pty=0 install \
         curl git gpg rsync python3-pefile make cmake \
diff --git a/_ci-linux-debian.sh b/_ci-linux-debian.sh
@@ -15,6 +15,7 @@ extra=''
 [[ "${CW_CONFIG:-}" = *'win'* ]] && extra="${extra} mingw-w64 osslsigncode wine64"
 
 if [[ "${CW_CONFIG:-}" = *'linux'* ]]; then
+  extra="${extra} checksec"
   if [[ "${CW_CONFIG:-}" = *'musl'* ]]; then
     extra="${extra} musl musl-dev musl-tools"
     # for openssl 'secure-memory' feature
diff --git a/curl-pkg.sh b/curl-pkg.sh
@@ -75,6 +75,10 @@
           otool -L "${f}"
         elif [ "${_OS}" = 'linux' ]; then
           "${_READELF}" --file-header --dynamic "${f}"
+          if command -v checksec >/dev/null 2>&1; then
+            checksec --format=json --file="${f}" | jq
+            checksec --format=xml --fortify-file="${f}"  # duplicate keys in json, cannot apply jq
+          fi
           # Show linked GLIBC versions
           # https://en.wikipedia.org/wiki/Glibc#Version_history
           if [ "${_CPU}" = 'a64' ]; then
