guix: Add codesignature attachment support for osx+win #21239
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
15 tasks
|
There is no reason for the actual signing to be done in guix, I think? Only the process of attaching the signature once it has been published. |
|
Right! Perhaps I should be more precise with my wording... |
|
Hmm, but if it's just attaching, there should be no need for network support. |
|
Oh! True! I'll test it out and make the changes! Thanks! |
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsNo conflicts as of last run. |
achow101
reviewed
Feb 25, 2021
fanquake
added a commit
that referenced
this pull request
Mar 2, 2021
c33b199 guix: Bump glibc and linux-headers (Carl Dong) 65363a1 guix: Rebase on 95aca2991b (1.2.0-12.dffc918) (Carl Dong) Pull request description: On bumping the time-machine: ``` A few changes which are useful for us: 1. 'gnu: cross-gcc-arguments: Enable 128 bit long double for POWER9.' is now merged into master. 2. gnutls is bumped to 3.6.15 and the temporal test failure in status-request-revoked is fixed. Note that this does not fix the case where one has installed Guix v1.2.0 and is running a substitute-less bootstrap build, since the `guix time-machine` command itself has a dependency on gnutls v3.6.12 (the one with the broken test) and will thus try to build it before attempting to jump forwards in time. This does however, mean that those who build a version of Guix that also contains this fix will not go backwards in time to build the broken gnutls v3.6.12. ``` On bumping the rest: ``` Bump glibc and linux-headers to match those of our Gitian counterparts. We also require a glibc >= 2.28 for the test-symbol-check scripts to work properly. The default BASE-GCC-FOR-LIBC also has to be bumped since glibc 2.31 requires a gcc >= 6.2 ``` This is a prerequisite for #20980 ACKs for top commit: fanquake: ACK c33b199 - I think going ahead with this now and to sycn back up to gitian is fine. It will also unblock #20980. Potential code signing related issues can be sorted out in #21239 and later PRs. Tree-SHA512: 31f022aadb93ba44813b0da005b1f2e5d67d76e8cdcdb53368924d1ea6cb076a21218c26831a6b0dcdcfe33507f54934330489ba557371d740f5587b7d727b95
28349b8 to
8c6e821
Compare
This is now ready for review! |
|
Added commit to use SHA256 as digest for |
|
Pushed f85b366...ee0a67c
|
f85b366 to
ee0a67c
Compare
|
I've added a branch to the bitcoin-detached-sigs repo to contain code signatures created for testing out guix: https://github.com/bitcoin-core/bitcoin-detached-sigs/tree/guix-testing. There is also a tag (https://github.com/bitcoin-core/bitcoin-detached-sigs/releases/tag/pr21239-ee0a67c32a88-win) pointing to windows signatures for ee0a67c. |
|
Is |
Otherwise the resulting .a static libraries (e.g. libstdc++.a) will not be reproducible and end up making the Bitcoin binaries non-reproducible as well. See: https://reproducible-builds.org/docs/archives/#gnu-libtool
d2ccb92 to
ee88320
Compare
In environments where we don't control env vars, yes! For guix environments we do control the env, and we should have set it already. |
|
Lastest push: ee88320 An initial build of just |
|
Building ee88320. |
|
|
Matching! |
|
|
|
@hebasto Updated my sha256sums above. |
|
Build finished on my second machine, everything's matching. |
Windows code signature at https://github.com/bitcoin-core/bitcoin-detached-sigs/releases/tag/pr21239-ee883201cf13-win |
|
Looks like I'm matching (even with codesigning) with @achow101 |
3786f771f253a0516fc74ab850024eabd59b3d31009f7ddb4a48852d03b20898 guix-build-ee883201cf13/output/aarch64-linux-gnu/bitcoin-ee883201cf13-aarch64-linux-gnu-debug.tar.gz
2acaf9e7221e33015562a04892e81a59116a6572d8ee67b73f5ef4e325407bfb guix-build-ee883201cf13/output/aarch64-linux-gnu/bitcoin-ee883201cf13-aarch64-linux-gnu.tar.gz
44ec0ecadad08ae140c2617665e9212eb75641ed571e9d1ebf183fd88ef095ee guix-build-ee883201cf13/output/aarch64-linux-gnu/inputs.SHA256SUMS
4862619901e7331babb0ad4a13336792c2c55a2eb2a2e9d1aa0d875c0cf0a997 guix-build-ee883201cf13/output/arm-linux-gnueabihf/bitcoin-ee883201cf13-arm-linux-gnueabihf-debug.tar.gz
23a191a67524fbef495761ddec0ba501287a356665b77a2401ed365ca487edd1 guix-build-ee883201cf13/output/arm-linux-gnueabihf/bitcoin-ee883201cf13-arm-linux-gnueabihf.tar.gz
44ec0ecadad08ae140c2617665e9212eb75641ed571e9d1ebf183fd88ef095ee guix-build-ee883201cf13/output/arm-linux-gnueabihf/inputs.SHA256SUMS
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 guix-build-ee883201cf13/output/dist-archive/SKIPATTEST.TAG
6b8030fdf50bb43c2d25e4b9cd0f4e6fcf03e118abb14ff694b85e296bb6deb3 guix-build-ee883201cf13/output/dist-archive/bitcoin-ee883201cf13.tar.gz
09cba7861cd7b6bf33df3a5c893e82f83f10860f2e5f2ca4aba0f47927777a46 guix-build-ee883201cf13/output/powerpc64-linux-gnu/bitcoin-ee883201cf13-powerpc64-linux-gnu-debug.tar.gz
d5c64638acc71496f4abddbc9e63df2f739fb496fbcca851e76944b4822fb0bd guix-build-ee883201cf13/output/powerpc64-linux-gnu/bitcoin-ee883201cf13-powerpc64-linux-gnu.tar.gz
44ec0ecadad08ae140c2617665e9212eb75641ed571e9d1ebf183fd88ef095ee guix-build-ee883201cf13/output/powerpc64-linux-gnu/inputs.SHA256SUMS
3d1075423befb7b00cedd8a7f8092a5b1339d779b26bb21fb605b27fed1224c3 guix-build-ee883201cf13/output/powerpc64le-linux-gnu/bitcoin-ee883201cf13-powerpc64le-linux-gnu-debug.tar.gz
c35029cbdce80f6acb5c1c4204fcccc62c5d3d337ebcdc9da9c5b3ff86e7ddab guix-build-ee883201cf13/output/powerpc64le-linux-gnu/bitcoin-ee883201cf13-powerpc64le-linux-gnu.tar.gz
44ec0ecadad08ae140c2617665e9212eb75641ed571e9d1ebf183fd88ef095ee guix-build-ee883201cf13/output/powerpc64le-linux-gnu/inputs.SHA256SUMS
797ac18e185e8c8282eb1020078058bb4c6be75cb035c0d90bcdcb183ff954ce guix-build-ee883201cf13/output/riscv64-linux-gnu/bitcoin-ee883201cf13-riscv64-linux-gnu-debug.tar.gz
a8864c72f759e603f60eb5e55424fe9d8f8960be0142d0b830414e724acc85b5 guix-build-ee883201cf13/output/riscv64-linux-gnu/bitcoin-ee883201cf13-riscv64-linux-gnu.tar.gz
44ec0ecadad08ae140c2617665e9212eb75641ed571e9d1ebf183fd88ef095ee guix-build-ee883201cf13/output/riscv64-linux-gnu/inputs.SHA256SUMS
d03e94da6f114bde14f842f1a976fddffb0feda634c8e7d8e83392fb93188016 guix-build-ee883201cf13/output/x86_64-apple-darwin18/bitcoin-ee883201cf13-osx-unsigned.dmg
e90c55da5cc1dbc1b6586ba7dcd72fa21e0d036dbb3b15df88850198cb3dc558 guix-build-ee883201cf13/output/x86_64-apple-darwin18/bitcoin-ee883201cf13-osx-unsigned.tar.gz
879c87ff956c76b1c239b12a954227e4a4b06e63242ab3137dbde7a5544da9df guix-build-ee883201cf13/output/x86_64-apple-darwin18/bitcoin-ee883201cf13-osx64.tar.gz
44ec0ecadad08ae140c2617665e9212eb75641ed571e9d1ebf183fd88ef095ee guix-build-ee883201cf13/output/x86_64-apple-darwin18/inputs.SHA256SUMS
d3a4126369a62865ca9c6f1adc312847bb9e11a119be85bfb85997c305e0491e guix-build-ee883201cf13/output/x86_64-linux-gnu/bitcoin-ee883201cf13-x86_64-linux-gnu-debug.tar.gz
a9172340c92bfc4798e0b95b5ca17b45ece5ccefb27666d4bc863bb6f0f6cd80 guix-build-ee883201cf13/output/x86_64-linux-gnu/bitcoin-ee883201cf13-x86_64-linux-gnu.tar.gz
44ec0ecadad08ae140c2617665e9212eb75641ed571e9d1ebf183fd88ef095ee guix-build-ee883201cf13/output/x86_64-linux-gnu/inputs.SHA256SUMS
6e03eaadaf6438eb5c257b91b7d86830a03262fe4ab5e55f5a2e51dddb550cf1 guix-build-ee883201cf13/output/x86_64-w64-mingw32/bitcoin-ee883201cf13-win-unsigned.tar.gz
399a0b8c793d6e750facc989e90175a7660b8d693faa5287a32b97301288b865 guix-build-ee883201cf13/output/x86_64-w64-mingw32/bitcoin-ee883201cf13-win64-debug.zip
ffe029396a808e6167646d3b84363f9bf27161d08beec638bb59df8863a88d7c guix-build-ee883201cf13/output/x86_64-w64-mingw32/bitcoin-ee883201cf13-win64-setup-unsigned.exe
4533f31d4add0594a01aad6c28a8d1afa1da61f90fe11188ebe85f13e15c3cce guix-build-ee883201cf13/output/x86_64-w64-mingw32/bitcoin-ee883201cf13-win64.zip
44ec0ecadad08ae140c2617665e9212eb75641ed571e9d1ebf183fd88ef095ee guix-build-ee883201cf13/output/x86_64-w64-mingw32/inputs.SHA256SUMS |
|
Windows codesigned: bitcoin-core/guix.sigs#12 |
|
On Windows 10 Pro 20H2 (build 19042.928):
|
|
The signature is valid, just done with the certificate that is now both expired and revoked, so you get those errors. |
|
Uploaded signatures: bitcoin-core/guix.sigs#13 I'm matching with @achow101 and @dongcarl ( |
achow101
reviewed
May 21, 2021
| (define osslsigncode | ||
| (package | ||
| (name "osslsigncode") | ||
| (version "2.0") |
There was a problem hiding this comment.
In bac2690 "guix: Package codesigning tools"
There is a osslsigncode 2.1 available, do we want to use that version? I don't think it really matters, but something to consider.
There was a problem hiding this comment.
Not sure, should be easy enough to bump in the future when there's a feature/bugfix that's relevant to us.
|
Tested ACK ee88320 |
sidhujag
pushed a commit
to syscoin/syscoin
that referenced
this pull request
May 25, 2021
gwillen
pushed a commit
to ElementsProject/elements
that referenced
this pull request
Jun 1, 2022
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the last PR before we reach feature-parity with the Gitian process!
Note: I tried using the
Makefileinside the distsrc to make the dmg instead of manually listing out the commands, butmakeseems to want to re-make a lot of other files which broke the dmg.The workflow looks something like this:
env [ FOO=bar... ] ./contrib/guix/guix-build(add additional env vars as necessary)guix-build-<short-id>/output/x86_64-apple-darwin18/bitcoin-<short-id>-osx-unsigned.tar.gzandguix-build-<short-id>/output/x86_64-w64-mingw32/bitcoin-<short-id>-win-unsigned.tar.gzto signing computer./detached-sig-create.shinside the tarballsignature-{osx,win}.tar.gzto https://github.com/bitcoin-core/bitcoin-detached-sigs (as a new tag)bitcoin-core/bitcoin-detached-sigswith the detached signaturesenv [ FOO=bar... ] DETACHED_SIGS_REPO=<path/to/bitcoin-detached-sigs> ./contrib/guix/guix-codesign(modify env vars as necessary)guix.sigsis cloned and updatedenv GUIX_SIGS_REPO=<path/to/guix.sigs> SIGNER=0x96AB007F1A7ED999=dongcarl ./contrib/guix/guix-attest(modify env vars as necessary)guix.sigsguix.sigs:env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify