[BUILD] buildlibcurl.sh clones unpinned curl HEAD, fails with OpenSSL 1.1.x from GDK

[xrviv]

The tools/buildlibcurl.sh script clones curl from HEAD without pinning a specific version or
commit. Recent curl versions require OpenSSL 3.0.0+, but the crashpad stage uses OpenSSL from GDK's
external_deps/ which provides OpenSSL 1.1.1w.

This causes the Docker build to fail during the crashpad stage.

Error

/build/curl-src/lib/vtls/openssl.c:102:6: error: #error "OpenSSL 3.0.0 or later required"          
 102 | #    error "OpenSSL 3.0.0 or later required"                                               
     |      ^~~~~                                                                                 
/build/curl-src/lib/vtls/openssl.c:5336:55: error: 'OPENSSL_VERSION_STRING' undeclared             

Steps to Reproduce

git clone https://github.com/Blockstream/green_qt.git                                              
cd green_qt                                                                                        
git checkout release_3.0.0                                                                         
docker build -f ci/linux-x86_64/Dockerfile -t green_qt_local:v3.0.0 .                              

Build fails at the crashpad stage when running tools/buildlibcurl.sh.

Root Cause

tools/buildlibcurl.sh line 6:
git clone https://github.com/curl/curl.git curl-src

No version/tag/commit is specified. The crashpad stage inherits OpenSSL 1.1.1w from GDK's
external_deps, but current curl HEAD requires OpenSSL 3.0+.

Suggested Fix

Pin curl to curl-8_9_1 (verified to not require OpenSSL 3.0):

#!/bin/bash                                                                                       
set -eo pipefail                                                                                  
                                                                                                  
+CURL_VERSION=curl-8_9_1                                                                           
+                                                                                                  
mkdir -p build && cd build                                                                        
                                                                                                  
-git clone https://github.com/curl/curl.git curl-src                                               
+if [ ! -d curl-src ]; then                                                                        
+    git clone https://github.com/curl/curl.git curl-src                                           
+fi                                                                                                
                                                                                                  
-(cd curl-src && git rev-parse HEAD)                                                               
+cd curl-src                                                                                       
+git checkout $CURL_VERSION                                                                        
+git rev-parse HEAD                                                                                
+cd ..                                                                                             
                                                                                                  
cmake -S curl-src -B curl-bld \                                                                   
  -DCMAKE_BUILD_TYPE=Release \                                                                    
  -DBUILD_CURL_EXE=OFF \                                                                          
  -DBUILD_SHARED_LIBS=OFF \                                                                       
  -DCURL_STATICLIB=ON \                                                                           
  -DCURL_DISABLE_LDAP=ON \                                                                        
  -DCURL_USE_LIBPSL=OFF \                                                                         
  -DOPENSSL_USE_STATIC_LIBS=ON                                                                    
                                                                                                  
cmake --build curl-bld                                                                            
cmake --install curl-bld --strip --prefix $PREFIX                                                 

Verification

curl-8_9_1 has no OpenSSL 3.0 requirement:

curl -s https://raw.githubusercontent.com/curl/curl/curl-8_9_1/lib/vtls/openssl.c | grep
"error.*OpenSSL 3"

(no output)

master has it:

curl -s https://raw.githubusercontent.com/curl/curl/master/lib/vtls/openssl.c | grep
"error.*OpenSSL 3"

error "OpenSSL 3.0.0 or later required"

Impact

• Build breakage: External contributors cannot build from source
• Reproducibility: Builds from different dates produce different binaries (different curl versions)

Environment

• Host OS: Ubuntu 22.04
• Docker: 24.x
• Tag: release_3.0.0
• GDK: 0.76.0 (commit 01f43cc645409cc937eb697b5aaa8587bc6f432a)
• OpenSSL from GDK: 1.1.1w
• Date observed: 2026-01-20

[qblk]

Thank you for the detailed report. Will pin 8.17.0 which is the version used to build latest releases.