Revert back to using libsqlcipher0 for Debian & Ubuntu packages of Desktop (#367)

* Revert back to using libsqlcipher0 for Debian & Ubuntu packages of Element Desktop

Add option to static link for linux instead of forcing it

* Fix linux variants and add CI job

* Fix workflow syntax and add concurrency

* public all the things

.github/workflows/build.yaml

@@ -3,6 +3,9 @@ on:
   pull_request: { }
   push:
     branches: [ develop, master ]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 jobs:
   windows:
     strategy:
@@ -67,7 +70,13 @@ jobs:
         run: "yarn build --publish never -w ${{ matrix.build-args }}"
 
   linux:
-    name: Linux
+    strategy:
+      matrix:
+        include:
+          - sqlcipher: system
+          - sqlcipher: static
+            static: 1
+    name: 'Linux (sqlcipher: ${{ matrix.sqlcipher }})'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -84,6 +93,10 @@ jobs:
         with:
           toolchain: stable
 
+      - name: Install libsqlcipher-dev
+        if: matrix.sqlcipher == 'system'
+        run: sudo apt-get install -y libsqlcipher-dev
+
       - uses: actions/setup-node@v3
         with:
           cache: "yarn"
@@ -94,6 +107,8 @@ jobs:
 
       - name: Build Natives
         run: "yarn build:native"
+        env:
+          SQLCIPHER_STATIC: ${{ matrix.static }}
 
       - name: Build App
         run: "yarn build --publish never"

dockerbuild/Dockerfile

@@ -13,7 +13,9 @@ RUN apt-get -qq update && apt-get -qq dist-upgrade && \
   # libsecret-1-dev and libgnome-keyring-dev are required even for prebuild keytar
   apt-get -qq install --no-install-recommends qtbase5-dev bsdtar build-essential autoconf libssl-dev gcc-multilib g++-multilib lzip rpm python libcurl4 git git-lfs ssh unzip tcl \
   libsecret-1-dev libgnome-keyring-dev \
-  libopenjp2-tools && \
+  libopenjp2-tools \
+  # Used by seshat (when not SQLCIPHER_STATIC) \
+  libsqlcipher-dev && \
   # git-lfs
   git lfs install && \
   apt-get purge -y --auto-remove && rm -rf /var/lib/apt/lists/*

docs/native-node-modules.md

@@ -47,7 +47,7 @@ using yarn at the root of this project:
 
     yarn add matrix-seshat
 
-You will have to rebuild the native libraries against electron's version of
+You will have to rebuild the native libraries against electron's version
 of node rather than your system node, using the `electron-build-env` tool.
 This is also needed to when pulling in changes to Seshat using `yarn link`.
 
@@ -66,6 +66,17 @@ as usual using:
 
     yarn start
 
+### Statically linking libsqlcipher
+
+On Windows & macOS we always statically link libsqlcipher for it is not generally available.
+On Linux by default we will use a system package, on debian & ubuntu this is `libsqlcipher0`,
+but this is problematic for some other packages. 
+By including `SQLCIPHER_STATIC=1` in the build environment, the build scripts will statically link sqlcipher,
+note that this will want a `libcrypto1.1` shared library available in the system.
+
+More info can be found at https://github.com/matrix-org/seshat/issues/102
+and https://github.com/vector-im/element-web/issues/20926.
+
 ## Compiling for specific architectures
 
 ### macOS

element.io/nightly/control.template

@@ -4,9 +4,9 @@ Vendor: support@element.io
 Architecture: amd64
 Maintainer: support@element.io
 Depends: libgtk-3-0, libnotify4, libnss3, libxss1, libxtst6, xdg-utils, libatspi2.0-0, libuuid1, libsecret-1-0
-Recommends: libappindicator3-1
+Recommends: libappindicator3-1, libsqlcipher0
 Section: net
 Priority: extra
 Homepage: https://element.io/
-Description: 
+Description:
  riot.im A feature-rich client for Matrix.org (nightly unstable build).

element.io/release/control.template

@@ -4,11 +4,11 @@ Vendor: support@element.io
 Architecture: amd64
 Maintainer: support@element.io
 Depends: libgtk-3-0, libnotify4, libnss3, libxss1, libxtst6, xdg-utils, libatspi2.0-0, libuuid1, libsecret-1-0
-Recommends: libappindicator3-1
+Recommends: libappindicator3-1, libsqlcipher0
 Replaces: riot-desktop (<< 1.7.0), riot-web (<< 1.7.0)
 Breaks: riot-desktop (<< 1.7.0), riot-web (<< 1.7.0)
 Section: net
 Priority: extra
 Homepage: https://element.io/
-Description: 
+Description:
   A feature-rich client for Matrix.org

hak/matrix-seshat/build.ts

@@ -26,7 +26,7 @@ export default async function(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promi
     if (hakEnv.isWin()) {
         await buildOpenSslWin(hakEnv, moduleInfo);
         await buildSqlCipherWin(hakEnv, moduleInfo);
-    } else {
+    } else if (hakEnv.wantsStaticSqlCipherUnix()) {
         await buildSqlCipherUnix(hakEnv, moduleInfo);
     }
     await buildMatrixSeshat(hakEnv, moduleInfo);
@@ -186,8 +186,12 @@ async function buildSqlCipherUnix(hakEnv: HakEnv, moduleInfo: DependencyInfo) {
         args.push('--with-crypto-lib=commoncrypto');
     }
 
-    if (hakEnv.isLinux()) {
-        args.push('--with-pic=yes');
+    if (hakEnv.wantsStaticSqlCipherUnix()) {
+        args.push('--enable-tcl=no');
+
+        if (hakEnv.isLinux()) {
+            args.push('--with-pic=yes');
+        }
     }
 
     if (!hakEnv.isHost()) {
@@ -210,7 +214,7 @@ async function buildSqlCipherUnix(hakEnv: HakEnv, moduleInfo: DependencyInfo) {
         args.push(`CFLAGS=${cflags.join(' ')}`);
     }
 
-    const ldflags = [];
+    const ldflags: string[] = [];
 
     if (hakEnv.isMac()) {
         ldflags.push('-framework Security');
@@ -270,13 +274,15 @@ async function buildMatrixSeshat(hakEnv: HakEnv, moduleInfo: DependencyInfo) {
     // it for now: we should confirm how much of this it still actually needs.
     const env = hakEnv.makeGypEnv();
 
-    Object.assign(env, {
-        SQLCIPHER_STATIC: 1,
-        SQLCIPHER_LIB_DIR: path.join(moduleInfo.depPrefix, 'lib'),
-        SQLCIPHER_INCLUDE_DIR: path.join(moduleInfo.depPrefix, 'include'),
-    });
+    if (!hakEnv.isLinux() || hakEnv.wantsStaticSqlCipherUnix()) {
+        Object.assign(env, {
+            SQLCIPHER_STATIC: 1,
+            SQLCIPHER_LIB_DIR: path.join(moduleInfo.depPrefix, 'lib'),
+            SQLCIPHER_INCLUDE_DIR: path.join(moduleInfo.depPrefix, 'include'),
+        });
+    }
 
-    if (hakEnv.isLinux()) {
+    if (hakEnv.isLinux() && hakEnv.wantsStaticSqlCipherUnix()) {
         // Ensure Element uses the statically-linked seshat build, and prevent other applications
         // from attempting to use this one. Detailed explanation:
         //

hak/matrix-seshat/check.ts

@@ -21,20 +21,22 @@ import HakEnv from '../../scripts/hak/hakEnv';
 import { DependencyInfo } from '../../scripts/hak/dep';
 
 export default async function(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
-    // of course tcl doesn't have a --version
-    await new Promise<void>((resolve, reject) => {
-        const proc = childProcess.spawn('tclsh', [], {
-            stdio: ['pipe', 'ignore', 'ignore'],
+    if (hakEnv.wantsStaticSqlCipher()) {
+        // of course tcl doesn't have a --version
+        await new Promise<void>((resolve, reject) => {
+            const proc = childProcess.spawn('tclsh', [], {
+                stdio: ['pipe', 'ignore', 'ignore'],
+            });
+            proc.on('exit', (code) => {
+                if (code !== 0) {
+                    reject("Can't find tclsh - have you installed TCL?");
+                } else {
+                    resolve();
+                }
+            });
+            proc.stdin.end();
         });
-        proc.on('exit', (code) => {
-            if (code !== 0) {
-                reject("Can't find tclsh - have you installed TCL?");
-            } else {
-                resolve();
-            }
-        });
-        proc.stdin.end();
-    });
+    }
 
     const tools = [
         ['rustc', '--version'],

hak/matrix-seshat/fetchDeps.ts

@@ -25,7 +25,9 @@ import HakEnv from '../../scripts/hak/hakEnv';
 import { DependencyInfo } from '../../scripts/hak/dep';
 
 export default async function(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
-    await getSqlCipher(hakEnv, moduleInfo);
+    if (hakEnv.wantsStaticSqlCipher()) {
+        await getSqlCipher(hakEnv, moduleInfo);
+    }
 
     if (hakEnv.isWin()) {
         await getOpenSsl(hakEnv, moduleInfo);
@@ -36,7 +38,7 @@ async function getSqlCipher(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise
     const version = moduleInfo.cfg.dependencies.sqlcipher;
     const sqlCipherDir = path.join(moduleInfo.moduleTargetDotHakDir, `sqlcipher-${version}`);
 
-    let haveSqlcipher;
+    let haveSqlcipher: boolean;
     try {
         await fsProm.stat(sqlCipherDir);
         haveSqlcipher = true;
@@ -47,7 +49,7 @@ async function getSqlCipher(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise
     if (haveSqlcipher) return;
 
     const sqlCipherTarball = path.join(moduleInfo.moduleDotHakDir, `sqlcipher-${version}.tar.gz`);
-    let haveSqlcipherTar;
+    let haveSqlcipherTar: boolean;
     try {
         await fsProm.stat(sqlCipherTarball);
         haveSqlcipherTar = true;
@@ -97,7 +99,7 @@ async function getOpenSsl(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<v
     const version = moduleInfo.cfg.dependencies.openssl;
     const openSslDir = path.join(moduleInfo.moduleTargetDotHakDir, `openssl-${version}`);
 
-    let haveOpenSsl;
+    let haveOpenSsl: boolean;
     try {
         await fsProm.stat(openSslDir);
         haveOpenSsl = true;
@@ -108,7 +110,7 @@ async function getOpenSsl(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<v
     if (haveOpenSsl) return;
 
     const openSslTarball = path.join(moduleInfo.moduleDotHakDir, `openssl-${version}.tar.gz`);
-    let haveOpenSslTar;
+    let haveOpenSslTar: boolean;
     try {
         await fsProm.stat(openSslTarball);
         haveOpenSslTar = true;

scripts/hak/hakEnv.ts

@@ -54,12 +54,12 @@ export default class HakEnv {
         this.dotHakDir = path.join(this.projectRoot, '.hak');
     }
 
-    async init() {
+    public async init() {
         this.runtime = await getRuntime(this.projectRoot);
         this.runtimeVersion = await getRuntimeVersion(this.projectRoot);
     }
 
-    getRuntimeAbi(): string {
+    public getRuntimeAbi(): string {
         return nodePreGypVersioning.get_runtime_abi(
             this.runtime,
             this.runtimeVersion,
@@ -67,35 +67,35 @@ export default class HakEnv {
     }
 
     // {node_abi}-{platform}-{arch}
-    getNodeTriple(): string {
+    public getNodeTriple(): string {
         return this.getRuntimeAbi() + '-' + this.target.platform + '-' + this.target.arch;
     }
 
-    getTargetId(): TargetId {
+    public getTargetId(): TargetId {
         return this.target.id;
     }
 
-    isWin(): boolean {
+    public isWin(): boolean {
         return this.target.platform === 'win32';
     }
 
-    isMac(): boolean {
+    public isMac(): boolean {
         return this.target.platform === 'darwin';
     }
 
-    isLinux(): boolean {
+    public isLinux(): boolean {
         return this.target.platform === 'linux';
     }
 
-    getTargetArch(): Arch {
+    public getTargetArch(): Arch {
         return this.target.arch;
     }
 
-    isHost(): boolean {
+    public isHost(): boolean {
         return isHostId(this.target.id);
     }
 
-    makeGypEnv(): Record<string, string> {
+    public makeGypEnv(): Record<string, string> {
         return Object.assign({}, process.env, {
             npm_config_arch: this.target.arch,
             npm_config_target_arch: this.target.arch,
@@ -107,7 +107,15 @@ export default class HakEnv {
         });
     }
 
-    getNodeModuleBin(name: string): string {
+    public getNodeModuleBin(name: string): string {
         return path.join(this.projectRoot, 'node_modules', '.bin', name);
     }
+
+    public wantsStaticSqlCipherUnix(): boolean {
+        return this.isMac() || process.env.SQLCIPHER_STATIC == '1';
+    }
+
+    public wantsStaticSqlCipher(): boolean {
+        return this.isWin() || this.wantsStaticSqlCipherUnix();
+    }
 }