rust-secure-code / cargo-auditable

Make production Rust binaries auditable
Apache License 2.0

cargo publish fails with an error #139

Open dupgit opened 7 months ago

dupgit commented 7 months ago

Problem description

Hi,

I have two small projects [1] [2] using the bash-builtins crate and cannot publish them to crates.io, as the cargo publish command, used along with the alias `alias cargo="cargo auditable"`, throws the following error:

->  cargo publish
    Updating crates.io index
   Packaging createdir-bash-builtin v0.1.0 (/home/dup/Dossiers_Perso/projets/rust-projects/createdir-bash-builtin)
   Verifying createdir-bash-builtin v0.1.0 (/home/dup/Dossiers_Perso/projets/rust-projects/createdir-bash-builtin)
    Updating crates.io index
   Compiling proc-macro2 v1.0.79
…
    Finished dev [unoptimized + debuginfo] target(s) in 4.97s
error: failed to verify package tarball

Caused by:
  Source directory was modified by build.rs during cargo publish. Build scripts should not modify anything outside of OUT_DIR.
  Added: /home/dup/Dossiers_Perso/projets/rust-projects/createdir-bash-builtin/target/package/createdir-bash-builtin-0.1.0/Cargo.lock

  To proceed despite this, pass the `--no-verify` flag.

Thanks to Ed Page's remarks in cargo issue 13642, I managed to figure out that running without auditable (`\cargo publish`) just gets the job done.

[1] cpubind-bash-builtin [2] createdir

I do not know how to go further to provide more traces or logs or anything that could help. Please let me know how I can help more here (and also if my explanations need more precision).

Versions

-> cargo version -v
cargo 1.77.0 (3fe68eabf 2024-02-29)
release: 1.77.0
commit-hash: 3fe68eabf93cbf3772bbcad09a9206c783e2de3f
commit-date: 2024-02-29
host: x86_64-unknown-linux-gnu
libgit2: 1.7.2 (sys:0.18.2 vendored)
libcurl: 8.5.0-DEV (sys:0.4.70+curl-8.5.0 vendored ssl:OpenSSL/1.1.1w)
ssl: OpenSSL 1.1.1w  11 Sep 2023
os: Debian 12 (bookworm) [64-bit]
->  cat ~/.cargo/.crates2.json | jq .installs | grep auditable
  "cargo-auditable 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)": {
      "cargo-auditable"

dupgit commented 7 months ago

Thanks to @Ayosec, the author of bash-builtins, who took some time to investigate this bug, it seems that cargo auditable is unable to publish crates with crate-type = cdylib. With cargo auditable installed and alias cargo="cargo auditable" set, one can use the simple reproducer below, which consists of creating an empty cdylib crate and trying to publish it without really doing so (with --dry-run):

$ cargo new --lib cdylib
     Created library `cdylib` package

$ cd cdylib
$ echo -e '\n[lib]\ncrate-type = [ "cdylib" ]\n' >>Cargo.toml
$ cargo build
   Compiling cdylib v0.1.0 (/home/dup/Dossiers_Perso/projets/rust-projects/rust-tests/cdylib)
    Finished dev [unoptimized + debuginfo] target(s) in 0.17s

$ git add .
$ git commit -a -m "Testing cargo auditable publish"
[master (root-commit) 65d64b1] Testing cargo auditable publish
 4 files changed, 34 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Cargo.lock
 create mode 100644 Cargo.toml
 create mode 100644 src/lib.rs

$ cargo publish --dry-run
    Updating crates.io index
warning: manifest has no description, license, license-file, documentation, homepage or repository.
See https://doc.rust-lang.org/cargo/reference/manifest.html#package-metadata for more info.
   Packaging cdylib v0.1.0 (/home/dup/Dossiers_Perso/projets/rust-projects/rust-tests/cdylib)
   Verifying cdylib v0.1.0 (/home/dup/Dossiers_Perso/projets/rust-projects/rust-tests/cdylib)
   Compiling cdylib v0.1.0 (/home/dup/Dossiers_Perso/projets/rust-projects/rust-tests/cdylib/target/package/cdylib-0.1.0)
    Finished dev [unoptimized + debuginfo] target(s) in 0.30s
error: failed to verify package tarball

Caused by:
  Source directory was modified by build.rs during cargo publish. Build scripts should not modify anything outside of OUT_DIR.
  Added: /home/dup/Dossiers_Perso/projets/rust-projects/rust-tests/cdylib/target/package/cdylib-0.1.0/Cargo.lock

  To proceed despite this, pass the `--no-verify` flag.

$ echo $?
101

Rust has been updated to the latest version:

-> cargo version -v
cargo 1.77.1 (e52e36006 2024-03-26)
release: 1.77.1
commit-hash: e52e360061cacbbeac79f7f1215a7a90b6f08442
commit-date: 2024-03-26
host: x86_64-unknown-linux-gnu
libgit2: 1.7.2 (sys:0.18.2 vendored)
libcurl: 8.5.0-DEV (sys:0.4.70+curl-8.5.0 vendored ssl:OpenSSL/1.1.1w)
ssl: OpenSSL 1.1.1w  11 Sep 2023
os: Debian 12 (bookworm) [64-bit]

cargo auditable hasn't changed and is still 0.6.2.
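The error in both reports comes from the verification step of cargo publish, which unpacks the packaged tarball, builds it, and refuses to proceed if the build added any file to the unpacked package directory (here, Cargo.lock). The script below is an added example, not code from cargo or cargo-auditable: it re-creates that file-list check in a few lines of shell so the failure mode can be reproduced offline, without cargo or the crates.io index. The two build steps are constructed stand-ins (assumptions): the well-behaved one writes only under an OUT_DIR outside the package, the misbehaving one also drops a Cargo.lock in the package root, which is what the reproducer above attributes to cargo auditable on a cdylib crate.

```shell
#!/usr/bin/env bash
# Added example, not code from cargo or cargo-auditable. Re-creates the check
# behind "Source directory was modified by build.rs during cargo publish":
# snapshot the unpacked package directory, run the verify build, and fail if
# the build added any file to it. The build steps are constructed stand-ins.
set -u

# Print every regular file under $1, relative to $1, sorted for a stable diff.
snapshot_files() {
    ( cd "$1" && find . -type f | LC_ALL=C sort )
}

# Run "$2 ..." inside package dir $1 and print the files it added there.
# Returns 1 when anything was added, the condition cargo reports as an error.
files_added_by() {
    local dir=$1; shift
    local before after added
    before=$(mktemp); after=$(mktemp)
    snapshot_files "$dir" > "$before"
    ( cd "$dir" && "$@" ) > /dev/null 2>&1
    snapshot_files "$dir" > "$after"
    added=$(LC_ALL=C comm -13 "$before" "$after")   # lines only in "after"
    rm -f "$before" "$after"
    [ -z "$added" ] && return 0
    printf '%s\n' "$added"
    return 1
}

# Stand-ins for the verify build (assumed, not cargo's real build). OUT_DIR is
# the build's scratch directory; cargo keeps it under the target dir, outside
# the unpacked package, so a well-behaved build leaves the package untouched.
good_build() { : > "$OUT_DIR/artifact.o"; }
bad_build()  { good_build; : > Cargo.lock; }

# Build a throwaway package layout, run the chosen build ("good" or "bad"),
# and print what it added to the package directory (nothing for "good").
demo_build() {
    local work pkg
    work=$(mktemp -d)
    pkg=$work/pkg-0.1.0
    mkdir -p "$pkg/src" "$work/target/out"
    printf '[package]\nname = "pkg"\nversion = "0.1.0"\n' > "$pkg/Cargo.toml"
    : > "$pkg/src/lib.rs"
    export OUT_DIR=$work/target/out
    files_added_by "$pkg" "${1}_build" || true
    rm -rf "$work"
}

# Stand-alone run: the clean build passes, the Cargo.lock-writing one is flagged.
if [ "${BASH_SOURCE:-$0}" = "$0" ]; then
    printf 'good build added: [%s]\n' "$(demo_build good)"
    printf 'bad build added:  [%s]\n' "$(demo_build bad)"
fi
```

The same snapshot-and-diff approach is a quick way to check any cargo wrapper or build script for writes outside OUT_DIR before it reaches a publish step: point files_added_by at a copy of the crate and pass the real build command in place of the stand-in.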