Skip to content

guix: Notarize MacOS app bundle and codesign all MacOS and Windows binaries #31407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Mar 5, 2025
Merged

guix: Notarize MacOS app bundle and codesign all MacOS and Windows binaries #31407

merged 10 commits into from
Mar 5, 2025

Conversation

achow101
Copy link
Member

@achow101 achow101 commented Dec 2, 2024
edited
Loading

I have updated signapple to notarize MacOS app bundles without adding any additional dependencies. Further, it can also sign and apply detached signatures to standalone binaries.

As such, we can use signapple to perform the notarization and stapling steps so that MacOS will run the app bundle after it is installed. detached-sig-create.sh is updated to have a notarization step and to download the ticket which will be included in the detached signatures. The workflow is largely unchanged for the MacOS codesigners except for the additional requirement of having an App Store Connect API key and Team UUID, instructions for which can be found at https://github.com/achow101/signapple/blob/master/docs/notarization.md. For guix builders, the workflow is unchanged.

Additionally, the standalone binaries packaged in the MacOS .tar.gz and Windows .zip will now be codesigned. detached-sig-create.sh was updated to handle these, so the workflow for both MacOS and Windows codesigners remains unchanged. For guix builders, the workflow is also unchanged.

Because those binaries will how have codesigned and unsigned versions, the build command is modified to output -unsigned.{tar.gz,zip} archives containing the binaries. Since this happens to conflict with the tarball used for codesigning, the codesigning tarball was renamed to -codesigning.tar.gz. Both MacOS and Windows codesigners will need to adjust their workflows to account for the new name.

Fixes #15774 and #29749

@DrahtBot
Copy link
Contributor

DrahtBot commented Dec 2, 2024
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/31407.

Reviews

See the guideline for information on the review process.

Type Reviewers
ACK Sjors, pinheadmz, davidgumberg
Concept ACK hebasto
Stale ACK willcl-ark

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

@achow101 achow101 added this to the 29.0 milestone Dec 2, 2024
@DrahtBot
Copy link
Contributor

DrahtBot commented Dec 2, 2024

🚧 At least one of the CI tasks failed.
Debug: https://github.com/bitcoin/bitcoin/runs/33817027293

Hints

Try to run the tests locally, according to the documentation. However, a CI failure may still
happen due to a number of reasons, for example:

  • Possibly due to a silent merge conflict (the changes in this pull request being
    incompatible with the current code in the target branch). If so, make sure to rebase on the latest
    commit of the target branch.

  • A sanitizer issue, which can only be found by compiling with the sanitizer and running the
    affected test.

  • An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

@achow101 achow101 mentioned this pull request Dec 2, 2024
Closed
@DrahtBot DrahtBot removed the CI failed label Dec 2, 2024
@achow101
Copy link
Member Author

achow101 commented Dec 2, 2024

It's unclear to me whether the standalone binaries need to be notarized too. This is currently not implemented, but should not be that much more complicated to do.

@edilmedeiros
Copy link
Contributor

It's unclear to me whether the standalone binaries need to be notarized too. This is currently not implemented, but should not be that much more complicated to do.

Are they being codesigned already?

I was getting the v28 binaries from bitcoincore.org instantly killed in Sonoma 14.6.1 when trying to run them in the terminal today. Took me a while to understand what was happening because the processes are killed without a security message or anything like the "nice" gatekeeper popup. Codesigning each on my own solved the issue.

❯ tar xvfz bitcoin-28.0-arm64-apple-darwin.tar.gz
x bitcoin-28.0/
x bitcoin-28.0/bin/
x bitcoin-28.0/bin/bitcoin-cli
x bitcoin-28.0/bin/bitcoin-qt
x bitcoin-28.0/bin/bitcoin-tx
x bitcoin-28.0/bin/bitcoin-util
x bitcoin-28.0/bin/bitcoin-wallet
x bitcoin-28.0/bin/bitcoind
x bitcoin-28.0/bin/test_bitcoin
x bitcoin-28.0/bitcoin.conf
x bitcoin-28.0/share/
x bitcoin-28.0/share/man/
x bitcoin-28.0/share/man/man1/
x bitcoin-28.0/share/man/man1/bitcoin-cli.1
x bitcoin-28.0/share/man/man1/bitcoin-qt.1
x bitcoin-28.0/share/man/man1/bitcoin-tx.1
x bitcoin-28.0/share/man/man1/bitcoin-util.1
x bitcoin-28.0/share/man/man1/bitcoin-wallet.1
x bitcoin-28.0/share/man/man1/bitcoind.1
x bitcoin-28.0/share/rpcauth/
x bitcoin-28.0/share/rpcauth/README.md
x bitcoin-28.0/share/rpcauth/rpcauth.py

❯ bitcoin-28.0/bin/bitcoind --version
[1]    36572 killed     bitcoin-28.0/bin/bitcoind --version

❯ codesign --sign - bitcoin-28.0/bin/bitcoind

❯ bitcoin-28.0/bin/bitcoind --version
Bitcoin Core version v28.0.0
Copyright (C) 2009-2024 The Bitcoin Core developers

Please contribute if you find Bitcoin Core useful. Visit
<https://bitcoincore.org/> for further information about the software.
The source code is available from <https://github.com/bitcoin/bitcoin>.

This is experimental software.
Distributed under the MIT software license, see the accompanying file COPYING
or <https://opensource.org/licenses/MIT>

@achow101
Copy link
Member Author

achow101 commented Dec 3, 2024

Are they being codesigned already?

This PR codesigns them.

@Sjors
Copy link
Member

Sjors commented Dec 3, 2024

It's unclear to me whether the standalone binaries need to be notarized too.

Do you mean the binaries in unsigned.{zip,tar.gz} archives? I think it's fine not to.

Sjors
Sjors reviewed Dec 3, 2024
View reviewed changes
Copy link
Member

@Sjors Sjors left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In order to properly test this, you would have to provide the detached signatures and staple for this PR.

Reviewers then need to download it from some website. If you obtain the file via SSH from your own guix machine, macOS tries to be smart about it (at least my Intel mac used to do that).

HOSTS="x86_64-w64-mingw32 x86_64-apple-darwin arm64-apple-darwin" ./contrib/guix/guix-build 
...
find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum

Guix hashes for macOS and Windows, before code-sign:

arm_64
e1d50cc856902e31e966f0e0d50ac732a6d8c7c080e9f9d50ab229d7503bd601  guix-build-ba67aa681e9b/output/arm64-apple-darwin/SHA256SUMS.part
462617a5476e946e10be8624d73b531041c8abf4628a35038d65b80534de768a  guix-build-ba67aa681e9b/output/arm64-apple-darwin/bitcoin-ba67aa681e9b-arm64-apple-darwin-codesigning.tar.gz
2583965a7ecbcf48946bcb7676cf6b39a04cee44b34c6292d81cbb825f0d35df  guix-build-ba67aa681e9b/output/arm64-apple-darwin/bitcoin-ba67aa681e9b-arm64-apple-darwin-unsigned.tar.gz
96f25391136c5e3f77b6dfb4e027aa1f43ccc91edf0237b9ec0c7b01a64b32f3  guix-build-ba67aa681e9b/output/arm64-apple-darwin/bitcoin-ba67aa681e9b-arm64-apple-darwin-unsigned.zip
74d95312c8a33c65a1ea55c1d8392c58d77f78251af551926d4e913f12b45cac  guix-build-ba67aa681e9b/output/dist-archive/bitcoin-ba67aa681e9b.tar.gz
1f457247d24466bc7f8faeb7f8faec80cadfed66ef68354c77a36ceba1127799  guix-build-ba67aa681e9b/output/x86_64-apple-darwin/SHA256SUMS.part
eafb67c89ed27e1dd216e2d300829c5bb22fbe6999839189441e3d64080b65f5  guix-build-ba67aa681e9b/output/x86_64-apple-darwin/bitcoin-ba67aa681e9b-x86_64-apple-darwin-codesigning.tar.gz
0d9f7d7ef1f71b4c3072a0af44b374caf0a4646f4ba143f5440bbcf52c8fe614  guix-build-ba67aa681e9b/output/x86_64-apple-darwin/bitcoin-ba67aa681e9b-x86_64-apple-darwin-unsigned.tar.gz
a0337d08f8145ed4c8548086752b8c32766db1a0483573b44f95134cba9f3913  guix-build-ba67aa681e9b/output/x86_64-apple-darwin/bitcoin-ba67aa681e9b-x86_64-apple-darwin-unsigned.zip
635b1e00cd6792faae60085f4d0ec71bb010756caa40f7241b05e1e3ef6aa18a  guix-build-ba67aa681e9b/output/x86_64-w64-mingw32/SHA256SUMS.part
96326f5755ee14d74b74addc740e8e89c49ee65e4f56746a018e3aba39025642  guix-build-ba67aa681e9b/output/x86_64-w64-mingw32/bitcoin-ba67aa681e9b-win64-codesigning.tar.gz
0d1f7d39c4fcee02d763d85c7f14fe28233f4fe357192e54a227cb54843a8a0b  guix-build-ba67aa681e9b/output/x86_64-w64-mingw32/bitcoin-ba67aa681e9b-win64-debug.zip
b3531bbeccd65d52cb73be3edc38f3aa4b1abe6373ad4e153e4c036a78f29b18  guix-build-ba67aa681e9b/output/x86_64-w64-mingw32/bitcoin-ba67aa681e9b-win64-setup-unsigned.exe
e0a39aad96ac6fa7bf0957119bfca2a527e66f9991a71e84cc5c90864a9c833d  guix-build-ba67aa681e9b/output/x86_64-w64-mingw32/bitcoin-ba67aa681e9b-win64-unsigned.zip

contrib/guix/guix-codesign
;;
*darwin*)
echo "$(outdir_for_host "$1")/${DISTNAME}-${1}-unsigned.tar.gz"
echo "$(outdir_for_host "$1")/${DISTNAME}-${1}-codesigning.tar.gz"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

912377a: maybe call it -maintainers to reduce confusion with -unsigned?

A more generic term might also be handy in the future if e.g. we want to include an OTS timestamp that commits to the (pre codesigning, pgp signed?) guix hashes (with all architectures).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The codesigners are not necessarily maintainers. I don't think it's useful to make this broad when it has been extremely specific for codesigning for more than a decade.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes that seems something to consider when and if we cross that bridge. Currently an .ots is already generated for the final SHA256SUMS at release time, not sure to move that to another phase in the process.

@achow101 achow101 mentioned this pull request Jan 24, 2025
Closed
1 task
@achow101
Copy link
Member Author

@fanquake @pinheadmz Can one of you please do a build and make detached sigs for this PR for testing?

sipa
sipa reviewed Jan 30, 2025
View reviewed changes
contrib/guix/libexec/build.sh
@@ -382,6 +365,23 @@ mkdir -p "$DISTSRC"
|| ( rm -f "${OUTDIR}/${DISTNAME}-win64-codesigning.tar.gz" && exit 1 )
)
;;
*darwin*)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In commit "build: Include all MacOS binaries for codesigning"

What is the effect of moving this code down? Will it pick up more artifacts that have been produced in between?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this makes it include the directory containing the binaries in the codesigning tarball.

pinheadmz
pinheadmz reviewed Feb 3, 2025
View reviewed changes
Copy link
Member

@pinheadmz pinheadmz left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm hitting an error with guix-codesign. I am just focusing on HOSTS=arm64-apple-darwin, guix build of: ba67aa6

SHASUMS.part:

462617a5476e946e10be8624d73b531041c8abf4628a35038d65b80534de768a  arm64-apple-darwin/bitcoin-ba67aa681e9b-arm64-apple-darwin-codesigning.tar.gz
2583965a7ecbcf48946bcb7676cf6b39a04cee44b34c6292d81cbb825f0d35df  arm64-apple-darwin/bitcoin-ba67aa681e9b-arm64-apple-darwin-unsigned.tar.gz
96f25391136c5e3f77b6dfb4e027aa1f43ccc91edf0237b9ec0c7b01a64b32f3  arm64-apple-darwin/bitcoin-ba67aa681e9b-arm64-apple-darwin-unsigned.zip
74d95312c8a33c65a1ea55c1d8392c58d77f78251af551926d4e913f12b45cac  dist-archive/bitcoin-ba67aa681e9b.tar.gz

Detached code signatures (maybe):
signature-osx-executable.tar.gz

However, attaching them is an issue:

zip@zip:~/bitcoin$ DETACHED_SIGS_REPO=../bitcoin-detached-sigs HOSTS=arm64-apple-darwin ./contrib/guix/guix-codesign
Checking that we can connect to the guix-daemon...

Hint: If this hangs, you may want to try turning your guix-daemon off and on
      again.

INFO: Codesigning ba67aa681e9b for platform triple arm64-apple-darwin:
      ...using reference timestamp: 1733177891
      ...from worktree directory: '/home/zip/bitcoin'
          ...bind-mounted in container to: '/bitcoin'
      ...in build directory: '/home/zip/bitcoin/guix-build-ba67aa681e9b/distsrc-ba67aa681e9b-arm64-apple-darwin-codesigned'
          ...bind-mounted in container to: '/distsrc-base/distsrc-ba67aa681e9b-arm64-apple-darwin-codesigned'
      ...outputting in: '/home/zip/bitcoin/guix-build-ba67aa681e9b/output/arm64-apple-darwin-codesigned'
          ...bind-mounted in container to: '/outdir-base/arm64-apple-darwin-codesigned'
      ...using detached signatures in: '../bitcoin-detached-sigs'
          ...bind-mounted in container to: '/detached-sigs'
guix shell: error: symlink: No such file or directory: "/home/zip/bitcoin/guix-build-ba67aa681e9b/var/profiles/arm64-apple-darwin-codesigned"

Do I need to have bitcoin-detached-sigs checked out on a branch name that matches the build version?

@pinheadmz
Copy link
Member

I got one step further by creating the directory its looking for in the last error:

$ mkdir -p /home/zip/bitcoin/guix-build-ba67aa681e9b/var/profiles/

this broke somewhere new...

$ DETACHED_SIGS_REPO=../bitcoin-detached-sigs HOSTS=arm64-apple-darwin FORCE_DIRTY_WORKTREE=1 ./contrib/guix/guix-codesign
Checking that we can connect to the guix-daemon...

Hint: If this hangs, you may want to try turning your guix-daemon off and on
      again.

INFO: Codesigning ba67aa681e9b for platform triple arm64-apple-darwin:
      ...using reference timestamp: 1733177891
      ...from worktree directory: '/home/zip/bitcoin'
          ...bind-mounted in container to: '/bitcoin'
      ...in build directory: '/home/zip/bitcoin/guix-build-ba67aa681e9b/distsrc-ba67aa681e9b-arm64-apple-darwin-codesigned'
          ...bind-mounted in container to: '/distsrc-base/distsrc-ba67aa681e9b-arm64-apple-darwin-codesigned'
      ...outputting in: '/home/zip/bitcoin/guix-build-ba67aa681e9b/output/arm64-apple-darwin-codesigned'
          ...bind-mounted in container to: '/outdir-base/arm64-apple-darwin-codesigned'
      ...using detached signatures in: '../bitcoin-detached-sigs'
          ...bind-mounted in container to: '/detached-sigs'
Required environment variables as seen inside the container:
    CODESIGNING_TARBALL: /outdir-base/arm64-apple-darwin/bitcoin-ba67aa681e9b-arm64-apple-darwin-codesigning.tar.gz
    DETACHED_SIGS_REPO: /detached-sigs
    DIST_ARCHIVE_BASE: /outdir-base/dist-archive
    DISTNAME: bitcoin-ba67aa681e9b
    HOST: arm64-apple-darwin
    SOURCE_DATE_EPOCH: 1733177891
    DISTSRC: /distsrc-base/distsrc-ba67aa681e9b-arm64-apple-darwin-codesigned
    OUTDIR: /outdir-base/arm64-apple-darwin-codesigned
Traceback (most recent call last):
  File "/gnu/store/b5d90lfah4dplqxb5bi7srxf5w8iv13s-python-signapple-0.2.0-1.a9bf003/bin/.signapple-real", line 5, in <module>
    sys.exit (mod.main ())
  File "/gnu/store/b5d90lfah4dplqxb5bi7srxf5w8iv13s-python-signapple-0.2.0-1.a9bf003/lib/python3.10/site-packages/signapple/__init__.py", line 191, in main
    args.func(args)
  File "/gnu/store/b5d90lfah4dplqxb5bi7srxf5w8iv13s-python-signapple-0.2.0-1.a9bf003/lib/python3.10/site-packages/signapple/__init__.py", line 38, in apply
    ret = apply_sig(args.filename, args.sig)
  File "/gnu/store/b5d90lfah4dplqxb5bi7srxf5w8iv13s-python-signapple-0.2.0-1.a9bf003/lib/python3.10/site-packages/signapple/sign.py", line 1176, in apply_sig
    shutil.copyfile(sig_file_path, file_out_path)
  File "/gnu/store/z193j1jnz80h56fbv6nic6mh34b4bb1j-python-3.10.7/lib/python3.10/shutil.py", line 254, in copyfile
    with open(src, 'rb') as fsrc:
FileNotFoundError: [Errno 2] No such file or directory: 'codesignatures/osx/arm64-apple-darwin/dist/Bitcoin-Qt.app/'

@achow101
Copy link
Member Author

Pushed a fix for the wrong architecture detection.

@Sjors
Copy link
Member

Sjors commented Feb 11, 2025

Guix hashes for macOS and Windows, before code-sign:

bd11279800610b70a1feed4451d9fa3a137ed75f26c794363c5ef82d820c592e  guix-build-46e44a35b858/output/arm64-apple-darwin/SHA256SUMS.part
3a911d1a009222c042a84864dccd58462ce3167ea5f407830bf98d370fa356e4  guix-build-46e44a35b858/output/arm64-apple-darwin/bitcoin-46e44a35b858-arm64-apple-darwin-codesigning.tar.gz
2b1c4d096f27ae2a650ce3fe954304c53bb51b7ddac5dd533cabcc862a75f684  guix-build-46e44a35b858/output/arm64-apple-darwin/bitcoin-46e44a35b858-arm64-apple-darwin-unsigned.tar.gz
18c4fe6b004b0b9685671d1a60b146ce00bafe47591ff337ad3af08d8ea55e42  guix-build-46e44a35b858/output/arm64-apple-darwin/bitcoin-46e44a35b858-arm64-apple-darwin-unsigned.zip
e920044a3cf85974b337a5a7e13c35cf8633d5083cb9ab8ba46c3b0f24019a1c  guix-build-46e44a35b858/output/dist-archive/bitcoin-46e44a35b858.tar.gz
71e501ec189b3d561f6f07d52b6ec3ab28eba81600a8ebbde9437a13ce8818dc  guix-build-46e44a35b858/output/x86_64-apple-darwin/SHA256SUMS.part
ccbb4b94720896282ecc6f1a7a4ad8a2de05262b71abbe32bd48ac83bd41f666  guix-build-46e44a35b858/output/x86_64-apple-darwin/bitcoin-46e44a35b858-x86_64-apple-darwin-codesigning.tar.gz
c2125e67f68fc5c1c5d1bb835e7ef886a2025a59a5476173bc511646c48ef7cb  guix-build-46e44a35b858/output/x86_64-apple-darwin/bitcoin-46e44a35b858-x86_64-apple-darwin-unsigned.tar.gz
45cc411f916e6ba617875d30494c8baa6e7974c82b0652449f3422009ff7ca28  guix-build-46e44a35b858/output/x86_64-apple-darwin/bitcoin-46e44a35b858-x86_64-apple-darwin-unsigned.zip
77e0993c4a93076583f9a90bfac8afb92770363dc624745659339c6a0335497f  guix-build-46e44a35b858/output/x86_64-w64-mingw32/SHA256SUMS.part
388d2eb388392b5d234ed72fd93ac393e55c2b3c76a5c2796d1c54921c469b7f  guix-build-46e44a35b858/output/x86_64-w64-mingw32/bitcoin-46e44a35b858-win64-codesigning.tar.gz
21829ed3fd887adf9e4ae337189c984f2b4f91e76d8bf57f644c9d6f600968c4  guix-build-46e44a35b858/output/x86_64-w64-mingw32/bitcoin-46e44a35b858-win64-debug.zip
184eef2b7fc6eb72f0578b510b817775615474b81b359de4ab0769c009faf75b  guix-build-46e44a35b858/output/x86_64-w64-mingw32/bitcoin-46e44a35b858-win64-setup-unsigned.exe
08841a37cd886a94553acc723a0e3343dd8e00e7b3dd00169ac8eb1a84b03b46  guix-build-46e44a35b858/output/x86_64-w64-mingw32/bitcoin-46e44a35b858-win64-unsigned.zip

hebasto
hebasto reviewed Feb 11, 2025
View reviewed changes
hebasto
hebasto reviewed Feb 11, 2025
View reviewed changes
hebasto
hebasto reviewed Feb 11, 2025
View reviewed changes
Copy link
Member

@hebasto hebasto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Concept ACK 46e44a3.

I have reviewed the code and it looks OK. However, I am not entirely confident in 8400ada due to my lack of familiarity with the signapple tool.

Additionally, I did not review the changes to the signapple tool itself.

pinheadmz
pinheadmz approved these changes Feb 11, 2025
View reviewed changes
Copy link
Member

@pinheadmz pinheadmz left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 46e44a3

Tested on arm64/macos, but did not review code or test other platforms. This updated process closes the referenced issues and successfully creates signed binaries for bitcoind, bitcoin-cli and all other utilities including Bitcoin-Qt.

Detached sigs (tar xf and commit locally in bitcoin-detached-sigs to test):

signature-osx-arm64.tar.gz

Attestations:

all.SHA256SUMS


504b22387c634bcf78846830b8f53359e54d526b2f0e976631a0bbd293f0353c  bitcoin-46e44a35b858-arm64-apple-darwin.tar.gz
787fd1bd670ce5b903d174ee715a532365c8cc426278020877ef1616c8befa57  bitcoin-46e44a35b858-arm64-apple-darwin.zip
3a911d1a009222c042a84864dccd58462ce3167ea5f407830bf98d370fa356e4  bitcoin-46e44a35b858-arm64-apple-darwin-codesigning.tar.gz
2b1c4d096f27ae2a650ce3fe954304c53bb51b7ddac5dd533cabcc862a75f684  bitcoin-46e44a35b858-arm64-apple-darwin-unsigned.tar.gz
18c4fe6b004b0b9685671d1a60b146ce00bafe47591ff337ad3af08d8ea55e42  bitcoin-46e44a35b858-arm64-apple-darwin-unsigned.zip
7f92d478c82e193da4578c19e37fa7bebed7b23eb9745ace8679f1503a2d25ed  bitcoin-46e44a35b858-codesignatures-001c1794ae89.tar.gz
e920044a3cf85974b337a5a7e13c35cf8633d5083cb9ab8ba46c3b0f24019a1c  bitcoin-46e44a35b858.tar.gz

noncodesigned.SHA256SUMS

3a911d1a009222c042a84864dccd58462ce3167ea5f407830bf98d370fa356e4  bitcoin-46e44a35b858-arm64-apple-darwin-codesigning.tar.gz
2b1c4d096f27ae2a650ce3fe954304c53bb51b7ddac5dd533cabcc862a75f684  bitcoin-46e44a35b858-arm64-apple-darwin-unsigned.tar.gz
18c4fe6b004b0b9685671d1a60b146ce00bafe47591ff337ad3af08d8ea55e42  bitcoin-46e44a35b858-arm64-apple-darwin-unsigned.zip
e920044a3cf85974b337a5a7e13c35cf8633d5083cb9ab8ba46c3b0f24019a1c  bitcoin-46e44a35b858.tar.gz
Show Signature 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ACK 46e44a35b85830a60cf622e039db19ccf1989008
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE5hdzzW4BBA4vG9eM5+KYS2KJyToFAmervD4ACgkQ5+KYS2KJ
yTqW+w//XZDjfkldmMEbEOs8fpwv38eHly9Uha8hVscixHgG6L1QkTfMimomONzD
m0N3cOT13sEXJkuyp1ztnZoklQ2FfDcceKiN8Kb455esPtYsNrR5SyMDx3O+HYTF
2WxSO7ktfjU7G+ZaXgHB/+xGUrXQIWNkP4b1Z+QuHtu3Sc+3TnZS2mtjvpXc1go+
m8Rnz/hqYn1F1ePn25AMsixfdt99QUw2Z/oti3HDfiG136lHpZt0MbixCk1gDnXs
NDSloElhUgTLyosBfdU+5KLbjsB1DKz+N2dsQ8rHTpuXcau7HPm5IAdPheSIhS5Z
OC1z/h9/EhgOYSlAbyURovTYa0Cpz/faGNhWWIw6v+t6UBFX1Sn4fPt7X3S8k0d+
oya7oDFTyo2NZVyM8l9+dssZaJByUOdJKYloF00g26fRA+ELaX3PxXIB/cFWNiss
UgPc5C/pfvjq/Cr7Zwb0XdHP8U0lTbu8Aqk93xxfcKx5MVdjTnlI2JF8nbn0/eYQ
C1GjVdHCwLR/nM6aHatEFy04WFUUeK3r7pUPRY39B/fPS31N29q5UpbvvAqihZLQ
nVqHCCxCNrL2Ph+PwjqQsvXchz97gizQu6OKbX3DcRWstg6EwRQ3K2CG/k7MAvtw
NnEtOMWHeXO8qW3MQkZj4IDCjTKU/OKab+jf+F0reSkZ1Oc1E54=
=NUrf
-----END PGP SIGNATURE-----

pinheadmz's public key is on keybase

@DrahtBot DrahtBot requested a review from hebasto February 11, 2025 21:11
@pinheadmz
Copy link
Member

Bonus verbose code sign verification of bitcoind:

codesign -dv --verbose=4 /Users/matthewzipkin/Desktop/work/bitcoin/guix-build-46e44a35b858/output/arm64-apple-darwin/arm64-apple-darwin-codesigned/bitcoin-46e44a35b858/bin/bitcoind 
Executable=/Users/matthewzipkin/Desktop/work/bitcoin/guix-build-46e44a35b858/output/arm64-apple-darwin/arm64-apple-darwin-codesigned/bitcoin-46e44a35b858/bin/bitcoind
Identifier=bitcoind
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=23284 flags=0x10000(runtime) hashes=722+2 location=embedded
VersionPlatform=1
VersionMin=851968
VersionSDK=917504
Hash type=sha256 size=32
CandidateCDHash sha256=530f57819a0cd018bee3712eed759e5abe6f3122
CandidateCDHashFull sha256=530f57819a0cd018bee3712eed759e5abe6f31228ef865bd7ee6dc81c47f248b
Hash choices=sha256
CMSDigest=530f57819a0cd018bee3712eed759e5abe6f31228ef865bd7ee6dc81c47f248b
CMSDigestType=2
Page size=16384
CDHash=530f57819a0cd018bee3712eed759e5abe6f3122
Signature size=9008
Authority=Developer ID Application: Bitcoin Core Code Signing Association (YZC7WH3MRU)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 11, 2025 at 3:59:43 PM
Info.plist=not bound
TeamIdentifier=YZC7WH3MRU
Runtime Version=14.0.0
Sealed Resources=none
Internal requirements count=1 size=104

@achow101
Copy link
Member Author

Windows code signature:
signature-win.tar.gz

It looks like I have a mismatch.

$ find guix-build-46e44a35b858/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
c92e7d0b4d0d1f929bfe8d61e15a953738725d530fc64eb936634571c17936b7  guix-build-46e44a35b858/output/aarch64-linux-gnu/SHA256SUMS.part
ad3992a66f9de8039cabbc9f222f7369f8002fc5350a01b03a3194d574100770  guix-build-46e44a35b858/output/aarch64-linux-gnu/bitcoin-46e44a35b858-aarch64-linux-gnu-debug.tar.gz
e009fd02c2cc0db9031570ef32b36fa9e16194759ccbca35f3a8f8dacd0d30b2  guix-build-46e44a35b858/output/aarch64-linux-gnu/bitcoin-46e44a35b858-aarch64-linux-gnu.tar.gz
a5ad882af28fe5fbdd8cc5d2267ef93ec34bd374e6cde92b798312014d11d47e  guix-build-46e44a35b858/output/arm-linux-gnueabihf/SHA256SUMS.part
b736932c664a8799930e9ed308f318d5911aee2ef8e708ea0467cd89b859d898  guix-build-46e44a35b858/output/arm-linux-gnueabihf/bitcoin-46e44a35b858-arm-linux-gnueabihf-debug.tar.gz
c03b4391dedbdbf3a32a1ec7b75193cbbc01dd2ef85e562fbc8eba26039158a3  guix-build-46e44a35b858/output/arm-linux-gnueabihf/bitcoin-46e44a35b858-arm-linux-gnueabihf.tar.gz
04fbb5179da959e496596c1304a8a14ab4ed198b25dcf4abc62ec7dbaa1ba6a0  guix-build-46e44a35b858/output/arm64-apple-darwin-codesigned/SHA256SUMS.part
250ba8b070da5fbdba7010c5a8ef135b422dd6ca5c408b000b1184b5b5bcfa17  guix-build-46e44a35b858/output/arm64-apple-darwin-codesigned/bitcoin-46e44a35b858-arm64-apple-darwin.tar.gz
787fd1bd670ce5b903d174ee715a532365c8cc426278020877ef1616c8befa57  guix-build-46e44a35b858/output/arm64-apple-darwin-codesigned/bitcoin-46e44a35b858-arm64-apple-darwin.zip
bd11279800610b70a1feed4451d9fa3a137ed75f26c794363c5ef82d820c592e  guix-build-46e44a35b858/output/arm64-apple-darwin/SHA256SUMS.part
3a911d1a009222c042a84864dccd58462ce3167ea5f407830bf98d370fa356e4  guix-build-46e44a35b858/output/arm64-apple-darwin/bitcoin-46e44a35b858-arm64-apple-darwin-codesigning.tar.gz
2b1c4d096f27ae2a650ce3fe954304c53bb51b7ddac5dd533cabcc862a75f684  guix-build-46e44a35b858/output/arm64-apple-darwin/bitcoin-46e44a35b858-arm64-apple-darwin-unsigned.tar.gz
18c4fe6b004b0b9685671d1a60b146ce00bafe47591ff337ad3af08d8ea55e42  guix-build-46e44a35b858/output/arm64-apple-darwin/bitcoin-46e44a35b858-arm64-apple-darwin-unsigned.zip
2927af1efc846fff95b18e0411d6e40f26777e1a86a63023dfd56e6b984aedac  guix-build-46e44a35b858/output/dist-archive/bitcoin-46e44a35b858-codesignatures-5d627c88c523.tar.gz
e920044a3cf85974b337a5a7e13c35cf8633d5083cb9ab8ba46c3b0f24019a1c  guix-build-46e44a35b858/output/dist-archive/bitcoin-46e44a35b858.tar.gz
89a4bae02f17b261887dbbc6196d590e0900a83a7d5e3fb4ec747457bd031bb3  guix-build-46e44a35b858/output/powerpc64-linux-gnu/SHA256SUMS.part
158bba9ccf1c7400a8ce6d32a81df606a05ff1ae6bc63f84a66f7e1eafac8bfd  guix-build-46e44a35b858/output/powerpc64-linux-gnu/bitcoin-46e44a35b858-powerpc64-linux-gnu-debug.tar.gz
1660a1dadc56b2e8c1c77f5534ffd4e1b3a020d6cb7764461e0e58af1846406c  guix-build-46e44a35b858/output/powerpc64-linux-gnu/bitcoin-46e44a35b858-powerpc64-linux-gnu.tar.gz
3bc7d8eee5240d2301df4eed1d55605e01f9cb72acbbaa217fed9c0a581ef0c8  guix-build-46e44a35b858/output/riscv64-linux-gnu/SHA256SUMS.part
7011c630f296440c0f964f341bf0e5037ed46955eb2e6dc5d07502c758e41766  guix-build-46e44a35b858/output/riscv64-linux-gnu/bitcoin-46e44a35b858-riscv64-linux-gnu-debug.tar.gz
9523d9f7bba2c7392cfe2c559d62d8be10a0011f6c8bc0633248ed8152dc1635  guix-build-46e44a35b858/output/riscv64-linux-gnu/bitcoin-46e44a35b858-riscv64-linux-gnu.tar.gz
71e501ec189b3d561f6f07d52b6ec3ab28eba81600a8ebbde9437a13ce8818dc  guix-build-46e44a35b858/output/x86_64-apple-darwin/SHA256SUMS.part
ccbb4b94720896282ecc6f1a7a4ad8a2de05262b71abbe32bd48ac83bd41f666  guix-build-46e44a35b858/output/x86_64-apple-darwin/bitcoin-46e44a35b858-x86_64-apple-darwin-codesigning.tar.gz
c2125e67f68fc5c1c5d1bb835e7ef886a2025a59a5476173bc511646c48ef7cb  guix-build-46e44a35b858/output/x86_64-apple-darwin/bitcoin-46e44a35b858-x86_64-apple-darwin-unsigned.tar.gz
45cc411f916e6ba617875d30494c8baa6e7974c82b0652449f3422009ff7ca28  guix-build-46e44a35b858/output/x86_64-apple-darwin/bitcoin-46e44a35b858-x86_64-apple-darwin-unsigned.zip
8396003dddb143fe8e08634bd3fffe6088a6edf82def1f0361d0090e9430bbfd  guix-build-46e44a35b858/output/x86_64-linux-gnu/SHA256SUMS.part
d2fad841094103b4cc3cf2976a743e662956054dba591abd3bbe8be11847d0a8  guix-build-46e44a35b858/output/x86_64-linux-gnu/bitcoin-46e44a35b858-x86_64-linux-gnu-debug.tar.gz
514ea670e6facefc08d6972b768a4cbdb298b4cf3d9dbaa488ff6a5dce1290df  guix-build-46e44a35b858/output/x86_64-linux-gnu/bitcoin-46e44a35b858-x86_64-linux-gnu.tar.gz
61f7b6847c48bad5a750f591f3a786b5a41a5812240e6f6f79e8643650ae5211  guix-build-46e44a35b858/output/x86_64-w64-mingw32-codesigned/SHA256SUMS.part
d3476edbe604a417d1428110ec63c08ace43c0e1b245b4bcbae86ac17ffb2df2  guix-build-46e44a35b858/output/x86_64-w64-mingw32-codesigned/bitcoin-46e44a35b858-win64-setup.exe
9c951956534b39b98ffe32183462c41984eeb872c96dbc9ee4ed1d01ce5effdb  guix-build-46e44a35b858/output/x86_64-w64-mingw32-codesigned/bitcoin-46e44a35b858-win64.zip
77e0993c4a93076583f9a90bfac8afb92770363dc624745659339c6a0335497f  guix-build-46e44a35b858/output/x86_64-w64-mingw32/SHA256SUMS.part
388d2eb388392b5d234ed72fd93ac393e55c2b3c76a5c2796d1c54921c469b7f  guix-build-46e44a35b858/output/x86_64-w64-mingw32/bitcoin-46e44a35b858-win64-codesigning.tar.gz
21829ed3fd887adf9e4ae337189c984f2b4f91e76d8bf57f644c9d6f600968c4  guix-build-46e44a35b858/output/x86_64-w64-mingw32/bitcoin-46e44a35b858-win64-debug.zip
184eef2b7fc6eb72f0578b510b817775615474b81b359de4ab0769c009faf75b  guix-build-46e44a35b858/output/x86_64-w64-mingw32/bitcoin-46e44a35b858-win64-setup-unsigned.exe
08841a37cd886a94553acc723a0e3343dd8e00e7b3dd00169ac8eb1a84b03b46  guix-build-46e44a35b858/output/x86_64-w64-mingw32/bitcoin-46e44a35b858-win64-unsigned.zip

Could someone else do a codesigned build so we can compare?

@pinheadmz @fanquake Could one of you also make a x86_64 MacOS codesignature?

@achow101
guix: Rename unsigned.tar.gz to codesigning.tar.gz
c214e52 
The tarballs used for codesigning are more than merely unsigned, they
also contain scripts and other data for codesigning. Rename them to
codesigning.tar.gz to distinguish from tarballs containing actually just
the unsigned binaries.
@achow101
guix: Rename MacOS binaries to unsigned.tar.gz
d9d49cd 
The MacOS binaries are unsigned and therefore also unusable on MacOS.
Indicate as such by naming the tarball "unsigned".
fanquake added a commit to fanquake/bitcoin that referenced this pull request May 19, 2025
@fanquake
doc: remove note about macOS self-signing
fcbccf3 
Followup to bitcoin#31407.

Github-Pull: bitcoin#32003
Rebased-From: c873ab6
@fanquake fanquake mentioned this pull request May 19, 2025
Merged
@fanquake
Copy link
Member

I've opened something (not-yet-fully-tested) here #32563 for 28.x.

fanquake pushed a commit to fanquake/bitcoin that referenced this pull request May 30, 2025
@achow101 @fanquake
guix: Rename unsigned.tar.gz to codesigning.tar.gz
00b401c 
The tarballs used for codesigning are more than merely unsigned, they
also contain scripts and other data for codesigning. Rename them to
codesigning.tar.gz to distinguish from tarballs containing actually just
the unsigned binaries.

Github-Pull: bitcoin#31407
Rebased-From: c214e52
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request May 30, 2025
@achow101 @fanquake
guix: Rename MacOS binaries to unsigned.tar.gz
9f0ee1c 
The MacOS binaries are unsigned and therefore also unusable on MacOS.
Indicate as such by naming the tarball "unsigned".

Github-Pull: bitcoin#31407
Rebased-From: d9d49cd
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request May 30, 2025
@achow101 @fanquake
guix: Rename Windows unsigned binaries to unsigned.zip
2c21db6 
As codesigned binaries will be published, the unsigned ones should be
clearly marked as such.

Github-Pull: bitcoin#31407
Rebased-From: 4e5c9ce
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request May 30, 2025
@achow101 @fanquake
build: Include all MacOS binaries for codesigning
beeb6a0 
Github-Pull: bitcoin#31407
Rebased-From: dd4ec84
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request May 30, 2025
@achow101 @fanquake
build: Include all Windows binaries for codesigning
53d5f9a 
Github-Pull: bitcoin#31407
Rebased-From: e8b3c44
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request May 30, 2025
@achow101 @fanquake
guix: Update signapple
90b7c3d 
Github-Pull: bitcoin#31407
Rebased-From: 710d5b5
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request May 30, 2025
@achow101 @fanquake
contrib: Sign and notarize all MacOS binaries
2724094 
Signapple has been updated to sign individual binaries, and notarize app
bundles and binaries. When codesigning, all individual binaries will be
codesigned, and both the app bundle and individual binaries will be
notarized.

Github-Pull: bitcoin#31407
Rebased-From: 31d3254
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request May 30, 2025
@achow101 @fanquake
guix: Apply codesignatures to all MacOS binaries
e339770 
Github-Pull: bitcoin#31407
Rebased-From: aafbd23
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request May 30, 2025
@achow101 @fanquake
guix: Apply all codesignatures to Windows binaries
90a1ea6 
Github-Pull: bitcoin#31407
Rebased-From: e181bda
fanquake added a commit to fanquake/bitcoin that referenced this pull request May 30, 2025
@fanquake
doc: remove note about macOS self-signing
07a6cd7 
Followup to bitcoin#31407.

Github-Pull: bitcoin#32003
Rebased-From: c873ab6
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 2, 2025
@achow101 @fanquake
build: Include all MacOS binaries for codesigning
ac2b608 
Github-Pull: bitcoin#31407
Rebased-From: dd4ec84
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 2, 2025
@achow101 @fanquake
build: Include all Windows binaries for codesigning
2b279a2 
Github-Pull: bitcoin#31407
Rebased-From: e8b3c44
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 2, 2025
@achow101 @fanquake
guix: Update signapple
0bd5cb7 
Github-Pull: bitcoin#31407
Rebased-From: 710d5b5
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 2, 2025
@achow101 @fanquake
contrib: Sign and notarize all MacOS binaries
c60055c 
Signapple has been updated to sign individual binaries, and notarize app
bundles and binaries. When codesigning, all individual binaries will be
codesigned, and both the app bundle and individual binaries will be
notarized.

Github-Pull: bitcoin#31407
Rebased-From: 31d3254
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 2, 2025
@achow101 @fanquake
guix: Apply codesignatures to all MacOS binaries
812cade 
Github-Pull: bitcoin#31407
Rebased-From: aafbd23
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 2, 2025
@achow101 @fanquake
guix: Apply all codesignatures to Windows binaries
744b1c8 
Github-Pull: bitcoin#31407
Rebased-From: e181bda
fanquake added a commit to fanquake/bitcoin that referenced this pull request Jun 2, 2025
@fanquake
doc: remove note about macOS self-signing
52f0963 
Followup to bitcoin#31407.

Github-Pull: bitcoin#32003
Rebased-From: c873ab6
fanquake added a commit that referenced this pull request Jun 5, 2025
@fanquake
Merge #32563: [28.x] Backport #31407
7f1da76 
b1f694f doc: update release-notes.md (fanquake)
52f0963 doc: remove note about macOS self-signing (fanquake)
744b1c8 guix: Apply all codesignatures to Windows binaries (Ava Chow)
812cade guix: Apply codesignatures to all MacOS binaries (Ava Chow)
c60055c contrib: Sign and notarize all MacOS binaries (Ava Chow)
0bd5cb7 guix: Update signapple (Ava Chow)
2b279a2 build: Include all Windows binaries for codesigning (Ava Chow)
ac2b608 build: Include all MacOS binaries for codesigning (Ava Chow)
2c21db6 guix: Rename Windows unsigned binaries to unsigned.zip (Ava Chow)
9f0ee1c guix: Rename MacOS binaries to unsigned.tar.gz (Ava Chow)
00b401c guix: Rename unsigned.tar.gz to codesigning.tar.gz (Ava Chow)

Pull request description:

  Backports #31407 + #32003.

ACKs for top commit:
  pinheadmz:
    ACK b1f694f

Tree-SHA512: f0ca9427eb367039b4eb0c8740e66c72520413ed43f66a0ffa60d44c36426f8a31f45a1b974b5e6a591b8bf9d9e125140934d9e0ce3a8f5aaaf01c12d7fd62bd
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 12, 2025
@achow101 @fanquake
contrib: Sign all Windows binaries too
0fa8b92 
Github-Pull: bitcoin#31407
Rebased-From: 3656b82
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 13, 2025
@achow101 @fanquake
contrib: Sign all Windows binaries too
9082498 
Github-Pull: bitcoin#31407
Rebased-From: 3656b82
Sjors added a commit to Sjors/bitcoin that referenced this pull request Jul 8, 2025
@Sjors
test: replace v28.0 with notarized v28.2
2d8372d 
Since bitcoin#31407 guix builds are signed and notarized. This was backported to v28, so bump the version.
Sjors added a commit to Sjors/bitcoin that referenced this pull request Jul 8, 2025
@Sjors
test: replace v28.0 with notarized v28.2
64c40d9 
Since bitcoin#31407 guix builds are signed and notarized. This was backported to v28, so bump the version.
@Sjors Sjors mentioned this pull request Jul 8, 2025
Merged
Sjors added a commit to Sjors/bitcoin that referenced this pull request Jul 8, 2025
@Sjors
test: replace v28.0 with notarized v28.2
c6dc2c2 
Since bitcoin#31407 guix builds are signed and notarized. This was backported to v28, so bump the version.
fanquake added a commit that referenced this pull request Jul 15, 2025
@fanquake
Merge #32922: test: use notarized v28.2 binaries and fix macOS detection
184159e 
4bb4c86 test: document HOST for get_previous_releases.py (Sjors Provoost)
609203d test: stop signing previous releases >= v28.2 (Sjors Provoost)
c6dc2c2 test: replace v28.0 with notarized v28.2 (Sjors Provoost)
5bd73d9 test: fix macOS detection (Sjors Provoost)

Pull request description:

  Since #31407 macOS guix builds are signed and notarized. This was included in v29 and backported to 28.x.

  This PR bumps the v28.0 previous release binary to v28.2 and adjusts the test that uses it. Additionally it no longer manually code signs binaries >= v28.2.

  While testing on an M4 mac and redownloading all the binaries, I noticed that `platform == "arm64-apple-darwin"` doesn't actually work. This initially used `args.platform` in #26694, but that was changed to just `platform` in #32219.

  So the first commit switches this to use `args.host`. I manually tested on Intel macOS 13.7.6 that code-signing still isn't needed there (when downloading using a script).

  Also documented that you can set `HOST`.

ACKs for top commit:
  m3dwards:
    ACK 4bb4c86
  maflcko:
    review ACK 4bb4c86 🚏

Tree-SHA512: b4803d39a21cb622fd2388a0528b76d2b502956e2505385d3da201143b0afcf6f9d71c8c28937f27b70d2588fb6da677da058bdcd67b90fb53617acc3a727818
@alpinevm alpinevm mentioned this pull request Jul 24, 2025
Merged
saikiran57 pushed a commit to saikiran57/bitcoin that referenced this pull request Jul 28, 2025
@Sjors @saikiran57
test: replace v28.0 with notarized v28.2
74150dd 
Since bitcoin#31407 guix builds are signed and notarized. This was backported to v28, so bump the version.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@laanwj laanwj laanwj left review comments

@sipa sipa sipa left review comments

@fanquake fanquake fanquake left review comments

@hebasto hebasto Awaiting requested review from hebasto

@darosior darosior Awaiting requested review from darosior

@stickies-v stickies-v Awaiting requested review from stickies-v

@davidgumberg davidgumberg Awaiting requested review from davidgumberg

@willcl-ark willcl-ark Awaiting requested review from willcl-ark

+2 more reviewers

@Sjors Sjors Sjors left review comments

@pinheadmz pinheadmz pinheadmz approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@fanquake fanquake

Labels
Build system
Projects
None yet
Milestone
29.0
Development

Successfully merging this pull request may close these issues.

release: ship codesigned MacOS arm64 binaries macOS App Notarization & Stapling