From d28d3d20deddd5bdd09bdef91f97e1f9d7ad0d3d Mon Sep 17 00:00:00 2001
From: Matthew King
Date: Sun, 26 Jun 2016 16:47:03 +0300
Subject: [PATCH 1/6] Use portable #! in python scripts (/usr/bin/env)
---
 contrib/devtools/security-check.py | 2 +-
 contrib/devtools/symbol-check.py | 2 +-
 contrib/devtools/test-security-check.py | 2 +-
 contrib/linearize/linearize-data.py | 2 +-
 contrib/linearize/linearize-hashes.py | 2 +-
 contrib/seeds/generate-seeds.py | 4 ++--
 src/test/bitcoin-util-test.py | 2 +-
 src/test/buildenv.py.in | 2 +-
 8 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index bee8f3cc1..8b63e5c18 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python2
+#!/usr/bin/env python2
 '''
 Perform basic ELF security checks on a series of executables.
 Exit status will be 0 if successful, and the program will be silent.
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index 900a80dcf..f2cf8b601 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python2
+#!/usr/bin/env python2
 # Copyright (c) 2014 Wladimir J. van der Laan
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
index fed7626aa..324b7bcd8 100755
--- a/contrib/devtools/test-security-check.py
+++ b/contrib/devtools/test-security-check.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python2
+#!/usr/bin/env python2
 '''
 Test script for security-check.py
 '''
diff --git a/contrib/linearize/linearize-data.py b/contrib/linearize/linearize-data.py
index 0f6fde2a6..8badb4b31 100755
--- a/contrib/linearize/linearize-data.py
+++ b/contrib/linearize/linearize-data.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 #
 # linearize-data.py: Construct a linear, no-fork version of the chain.
 #
diff --git a/contrib/linearize/linearize-hashes.py b/contrib/linearize/linearize-hashes.py
index bed9cc307..7e9cf8898 100755
--- a/contrib/linearize/linearize-hashes.py
+++ b/contrib/linearize/linearize-hashes.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 #
 # linearize-hashes.py: List blocks in a linear, no-fork version of the chain.
 #
diff --git a/contrib/seeds/generate-seeds.py b/contrib/seeds/generate-seeds.py
index 4e23bb111..c6a2ce636 100755
--- a/contrib/seeds/generate-seeds.py
+++ b/contrib/seeds/generate-seeds.py
@@ -1,5 +1,5 @@
-#!/usr/bin/python
-# Copyright (c) 2014 Wladmir J. van der Laan
+#!/usr/bin/env python
+# Copyright (c) 2014 Wladimir J. van der Laan
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 '''
diff --git a/src/test/bitcoin-util-test.py b/src/test/bitcoin-util-test.py
index 20afb16a9..6551eb6f2 100755
--- a/src/test/bitcoin-util-test.py
+++ b/src/test/bitcoin-util-test.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 # Copyright 2014 BitPay, Inc.
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
diff --git a/src/test/buildenv.py.in b/src/test/buildenv.py.in
index 1618bdeb7..153f34a3d 100644
--- a/src/test/buildenv.py.in
+++ b/src/test/buildenv.py.in
@@ -1,2 +1,2 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 exeext="@EXEEXT@"
From 12d3277171c57667cff5a8dec162b385bb646f7c Mon Sep 17 00:00:00 2001
From: Matthew King
Date: Tue, 28 Jun 2016 12:54:30 +0300
Subject: [PATCH 2/6] Favour python over python2 as per PR #7723
---
 contrib/devtools/security-check.py | 2 +-
 contrib/devtools/symbol-check.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index 8b63e5c18..427cbfb73 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python2
+#!/usr/bin/env python
 '''
 Perform basic ELF security checks on a series of executables.
 Exit status will be 0 if successful, and the program will be silent.
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index f2cf8b601..52b48ef74 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python2
+#!/usr/bin/env python
 # Copyright (c) 2014 Wladimir J. van der Laan
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
From c7e64754dc7cf1b3441ae31d2c48d7802f460d42 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Tue, 5 Jun 2018 22:32:13 +1200
Subject: [PATCH 3/6] Add MacOS support to no-dot-so test
---
 qa/zcash/full_test_suite.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/qa/zcash/full_test_suite.py b/qa/zcash/full_test_suite.py
index a2cb768c7..362876f61 100755
--- a/qa/zcash/full_test_suite.py
+++ b/qa/zcash/full_test_suite.py
@@ -4,6 +4,7 @@
 #
 
 import argparse
+from glob import glob
 import os
 import re
 import subprocess
@@ -79,11 +80,14 @@ def check_security_hardening():
     return ret
 
 def ensure_no_dot_so_in_depends():
-    arch_dir = os.path.join(
-        REPOROOT,
-        'depends',
-        'x86_64-unknown-linux-gnu',
-    )
+    depends_dir = os.path.join(REPOROOT, 'depends')
+    arch_dir = os.path.join(depends_dir, 'x86_64-unknown-linux-gnu')
+    if not os.path.isdir(arch_dir):
+        # Not Linux, try MacOS
+        arch_dirs = glob(os.path.join(depends_dir, 'x86_64-apple-darwin*'))
+        if arch_dirs:
+            # Just try the first one; there will only be on in CI
+            arch_dir = arch_dirs[0]
 
     exit_code = 0
 
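Review bot: With `#!/usr/bin/env python` the interpreter that runs this hardening gate is whatever `python` first resolves to on the caller's PATH, which on current distributions is frequently Python 3 or absent altogether (PEP 394), whereas `python2` was at least unambiguous. The `from __future__` import this file carries (visible in a later hunk on this page) suggests it aims at 2/3 compatibility, but I cannot see the rest of the script from here. Because `make check-security` is the only consumer that matters, invoking the script as `$(PYTHON) contrib/devtools/security-check.py` from the Makefile rather than through the shebang would make the interpreter choice explicit and independent of PATH.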
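Review bot: `arch_dir = arch_dirs[0]` takes the first entry of an unordered `glob()` result, so on a machine holding more than one `x86_64-apple-darwin*` tree (e.g. after a toolchain bump changed the triple) the .so scan may inspect a stale tree and the outcome would not be reproducible between runs; `arch_dir = sorted(arch_dirs)[0]`, or a printed warning when `len(arch_dirs) > 1`, would make that visible. The comment on that line also has a typo and should read `# Just try the first one; there will only be one in CI`. The body of `ensure_no_dot_so_in_depends` continues past the end of this hunk.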
@@ -97,7 +101,7 @@ def ensure_no_dot_so_in_depends():
                 exit_code = 1
     else:
         exit_code = 2
-        print "arch-specific build dir not present: {}".format(arch_dir)
+        print "arch-specific build dir not present"
         print "Did you build the ./depends tree?"
         print "Are you on a currently unsupported architecture?"
 
From 5e38c24c1d628c59e4908f602fe1c37aa2441e28 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Wed, 6 Jun 2018 00:02:16 +1200
Subject: [PATCH 4/6] Add Mach-O 64-bit detection to security-check.py
Fixes sec-hard test on MacOS CI worker. At some point we can extend this with actual security hardening checks.
---
 contrib/devtools/security-check.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index 427cbfb73..43c825bde 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -6,6 +6,7 @@ Otherwise the exit status will be 1 and it will log which executables failed whi
 Needs `readelf` (for ELF) and `objdump` (for PE).
 '''
 from __future__ import division,print_function,unicode_literals
+import struct
 import subprocess
 import sys
 import os
@@ -171,6 +172,8 @@ CHECKS = {
     ('DYNAMIC_BASE', check_PE_DYNAMIC_BASE),
     ('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
     ('NX', check_PE_NX)
+],
+'MachO64': [
 ]
 }
 
@@ -181,6 +184,8 @@ def identify_executable(executable):
         return 'PE'
     elif magic.startswith(b'\x7fELF'):
         return 'ELF'
+    elif struct.unpack('I', magic)[0] == 0xFEEDFACF:
+        return 'MachO64'
     return None
 
 if __name__ == '__main__':
From 2802e321c18dc2c7da02c29fad6c576c51024118 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Wed, 6 Jun 2018 00:55:54 +1200
Subject: [PATCH 5/6] Fix cached_witnesses_empty_chain test failure on MacOS
Assertion error format is different, so match only on the assertion.
---
 src/wallet/gtest/test_wallet.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
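Review bot: Dropping the path from the failure message removes the one detail a developer needs when this branch fires, and the function now tries two candidate locations, so the message should say what was searched, e.g. `print "arch-specific build dir not present under {}".format(depends_dir)` (`depends_dir` is assigned earlier in this same function). `ensure_no_dot_so_in_depends` starts before this hunk.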
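Review bot: `struct.unpack('I', magic)` decodes the four magic bytes in the host's native byte order, so the comparison with 0xFEEDFACF identifies a 64-bit Mach-O only on a little-endian host, and unlike the `startswith` tests above it raises `struct.error` on a file shorter than four bytes instead of falling through to `return None`. Comparing the bytes directly avoids both issues and makes the new `import struct` unnecessary: `elif magic == b'\xcf\xfa\xed\xfe':  # MH_MAGIC_64 as written by a little-endian host`. As written, 32-bit (0xFEEDFACE) and fat/universal (0xCAFEBABE) Mach-O files still return None and are reported as unknown; presumably intended, but a one-line comment saying so would help. `identify_executable` starts before this hunk.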
diff --git a/src/wallet/gtest/test_wallet.cpp b/src/wallet/gtest/test_wallet.cpp
index b2987cc17..9e2fdb8fb 100644
--- a/src/wallet/gtest/test_wallet.cpp
+++ b/src/wallet/gtest/test_wallet.cpp
@@ -581,7 +581,7 @@ TEST(wallet_tests, cached_witnesses_empty_chain) {
 
     // Until #1302 is implemented, this should triggger an assertion
     EXPECT_DEATH(wallet.DecrementNoteWitnesses(&index),
-                 "Assertion `nWitnessCacheSize > 0' failed.");
+                 ".*nWitnessCacheSize > 0.*");
 }
 
 TEST(wallet_tests, cached_witnesses_chain_tip) {
From 341a22ad90b85605d2567f554fb9f5ff29d5be3f Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 7 Jun 2018 18:49:01 +1200
Subject: [PATCH 6/6] Skip ELF-only sec-hard checks on non-ELF binaries
---
 qa/zcash/full_test_suite.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/qa/zcash/full_test_suite.py b/qa/zcash/full_test_suite.py
index 362876f61..0e8605cc3 100755
--- a/qa/zcash/full_test_suite.py
+++ b/qa/zcash/full_test_suite.py
@@ -63,6 +63,13 @@ def check_security_hardening():
     # PIE, RELRO, Canary, and NX are tested by make check-security.
     ret &= subprocess.call(['make', '-C', repofile('src'), 'check-security']) == 0
 
+    # The remaining checks are only for ELF binaries
+    # Assume that if zcashd is an ELF binary, they all are
+    with open(repofile('src/zcashd'), 'rb') as f:
+        magic = f.read(4)
+    if not magic.startswith(b'\x7fELF'):
+        return ret
+
     ret &= test_rpath_runpath('src/zcashd')
     ret &= test_rpath_runpath('src/zcash-cli')
     ret &= test_rpath_runpath('src/zcash-gtest')
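Review bot: The new pattern `.*nWitnessCacheSize > 0.*` no longer requires an assertion at all, so the death test would also pass if the process died for an unrelated reason after printing that expression, for instance in a log line. gtest applies the death-test regex as a partial match, so the leading and trailing `.*` add nothing. A pattern that keeps the assertion requirement while tolerating both the glibc `Assertion \`...' failed` wording and the BSD/macOS `Assertion failed: (...)` wording is `"Assertion.*nWitnessCacheSize > 0"`; I cannot see the macOS output from here, so confirm the exact text on the CI worker before tightening it.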
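Review bot: The early `return ret` silently skips every check that follows (the `test_rpath_runpath` calls visible here and anything else the function does after the hunk), so a macOS CI log gives no indication that hardening coverage is reduced; print a line before returning, e.g. `print "src/zcashd is not an ELF binary; skipping ELF-only hardening checks"`. Note also that when `src/zcashd` has not been built, the new `open()` now raises IOError at this point rather than inside the later checks; I cannot see how the caller treats exceptions, so confirm that is acceptable. `check_security_hardening` starts before this hunk and continues after it.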