|
23 | 23 | # - fips.darwin.sha256 | fips.linux.sha256 (fallback by OS) |
24 | 24 | # - fips.sha256 (global fallback, typically Linux) |
25 | 25 | # Same naming for non-fips.* files. |
26 | | - expectedHashFile = base: let |
27 | | - sys = pkgs.stdenv.hostPlatform.system; |
28 | | - dir = toString ./expected-hashes; |
29 | | - candidates = lib.filter (s: s != null) [ |
30 | | - "${dir}/${base}.${sys}.sha256" |
31 | | - (if pkgs.stdenv.isDarwin then "${dir}/${base}.darwin.sha256" else null) |
32 | | - (if pkgs.stdenv.isLinux then "${dir}/${base}.linux.sha256" else null) |
33 | | - ]; |
34 | | - firstExisting = lib.findFirst (p: builtins.pathExists (builtins.toPath p)) null candidates; |
35 | | - finalPath = if firstExisting != null then firstExisting else "${dir}/${base}.sha256"; |
36 | | - in builtins.readFile (builtins.toPath finalPath); |
| 26 | + expectedHashFile = |
| 27 | + base: |
| 28 | + let |
| 29 | + sys = pkgs.stdenv.hostPlatform.system; |
| 30 | + dir = toString ./expected-hashes; |
| 31 | + candidates = lib.filter (s: s != null) [ |
| 32 | + "${dir}/${base}.${sys}.sha256" |
| 33 | + (if pkgs.stdenv.isDarwin then "${dir}/${base}.darwin.sha256" else null) |
| 34 | + (if pkgs.stdenv.isLinux then "${dir}/${base}.linux.sha256" else null) |
| 35 | + ]; |
| 36 | + firstExisting = lib.findFirst (p: builtins.pathExists (builtins.toPath p)) null candidates; |
| 37 | + finalPath = if firstExisting != null then firstExisting else "${dir}/${base}.sha256"; |
| 38 | + in |
| 39 | + builtins.readFile (builtins.toPath finalPath); |
37 | 40 |
|
38 | 41 | expectedHashFipsRaw = expectedHashFile "fips"; |
39 | 42 | expectedHashNonFipsRaw = expectedHashFile "non-fips"; |
40 | | - sanitizeHash = s: let noWS = lib.replaceStrings ["\n" "\r" " " "\t"] ["" "" "" ""] s; in lib.strings.removeSuffix "\n" noWS; |
| 43 | + sanitizeHash = |
| 44 | + s: |
| 45 | + let |
| 46 | + noWS = lib.replaceStrings [ "\n" "\r" " " "\t" ] [ "" "" "" "" ] s; |
| 47 | + in |
| 48 | + lib.strings.removeSuffix "\n" noWS; |
41 | 49 | expectedHashFips = sanitizeHash expectedHashFipsRaw; |
42 | 50 | expectedHashNonFips = sanitizeHash expectedHashNonFipsRaw; |
43 | 51 | expectedHash = if isFips then expectedHashFips else expectedHashNonFips; |
@@ -162,14 +170,15 @@ rustPlatform.buildRustPackage rec { |
162 | 170 | # - Single codegen unit for stable ordering |
163 | 171 | # - Disable linker build-id which otherwise embeds a random-ish identifier |
164 | 172 | # - Keep our dynamic linker override handled in buildPhase (per-arch) |
165 | | - RUSTFLAGS = lib.optionalString pkgs.stdenv.isLinux |
166 | | - (lib.concatStringsSep " " [ |
| 173 | + RUSTFLAGS = lib.optionalString pkgs.stdenv.isLinux ( |
| 174 | + lib.concatStringsSep " " [ |
167 | 175 | "-Cdebuginfo=0" |
168 | 176 | "-Ccodegen-units=1" |
169 | 177 | "-Cincremental=false" |
170 | 178 | # "-Clto=off" |
171 | 179 | "-C link-arg=-Wl,--build-id=none" |
172 | | - ]); |
| 180 | + ] |
| 181 | + ); |
173 | 182 |
|
174 | 183 | # Prevent Nix from injecting RPATHs to /nix/store into the resulting binary. |
175 | 184 | # This ensures the packaged binary will not try to load glibc from the store |
|
0 commit comments