fanquake
Member

Backports #31407 + #32003.

@fanquake fanquake added this to the 28.2 milestone May 19, 2025
@DrahtBot
Contributor

DrahtBot commented May 19, 2025

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32563.

Reviews

See the guideline for information on the review process.

Type Reviewers
ACK pinheadmz

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

@pinheadmz
Member

Concept ACK, starting guix build of this branch and will try to codesign with certificate

@pinheadmz
Member

codesigning hung forever at one point. I SIGINT it and got a possibly helpful error:

--> ./detached-sig-create.sh <redacted>
WARNING: Part of the file was not parsed: 37803 bytes
Enter the passphrase for <redacted>:
Enter the passphrase for <redacted>:
WARNING: Part of the file was not parsed: 37803 bytes
Code signature created
WARNING: Part of the file was not parsed: 37803 bytes
WARNING: Part of the file was not parsed: 37803 bytes
Code signature applied
WARNING: Part of the file was not parsed: 37803 bytes
Code signature is valid
Notarization ID: 3d941711-8e4b-473c-b504-02f5348a0176
Uploading...
Polling notarization status
Polling notarization status
Polling notarization status
Polling notarization status
Polling notarization status
WARNING: Part of the file was not parsed: 37803 bytes
Stapling
Notarization stapled to bundle

^C

Traceback (most recent call last):
  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1815, in write
    shutil.copyfileobj(src, dest, 1024*8)
  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/shutil.py", line 200, in copyfileobj
    fdst_write(buf)
  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1178, in write
    data = self._compressor.compress(data)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
KeyboardInterrupt

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/homebrew/bin/signapple", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/Users/matthewzipkin/Desktop/work/signapple/signapple/__init__.py", line 192, in main
    args.func(args)
  File "/Users/matthewzipkin/Desktop/work/signapple/signapple/__init__.py", line 52, in do_notarize
    notarize(
  File "/Users/matthewzipkin/Desktop/work/signapple/signapple/notarize.py", line 345, in notarize
    _submit_for_notarization(
  File "/Users/matthewzipkin/Desktop/work/signapple/signapple/notarize.py", line 292, in _submit_for_notarization
    zipped = shutil.make_archive(
             ^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/shutil.py", line 1165, in make_archive
    filename = func(base_name, base_dir, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/shutil.py", line 1046, in _make_zipfile
    zf.write(path, arcname)
  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1814, in write
    with open(filename, "rb") as src, self.open(zinfo, 'w') as dest:
  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1201, in close
    raise RuntimeError("File size too large, try using force_zip64")
RuntimeError: File size too large, try using force_zip64

achow101 added 3 commits May 30, 2025 11:28

The tarballs used for codesigning are more than merely unsigned, they
also contain scripts and other data for codesigning. Rename them to
codesigning.tar.gz to distinguish from tarballs containing actually just
the unsigned binaries.

Github-Pull: bitcoin#31407
Rebased-From: c214e52

The MacOS binaries are unsigned and therefore also unusable on MacOS.
Indicate as such by naming the tarball "unsigned".

Github-Pull: bitcoin#31407
Rebased-From: d9d49cd

As codesigned binaries will be published, the unsigned ones should be
clearly marked as such.

Github-Pull: bitcoin#31407
Rebased-From: 4e5c9ce

@fanquake fanquake force-pushed the backport_codesigning branch from 371a63e to 0ce4a9d Compare May 30, 2025 10:28
@pinheadmz
Member

Should I try to build and sign again? Recent just looks like a repository change.

@fanquake
Member Author

Yea, just a rebase on the Guix repo change. If you don't mind building again, that'd be great. Can debug.

@pinheadmz
Member

same issue, RuntimeError: File size too large, try using force_zip64

achow101 and others added 8 commits June 2, 2025 10:13

Github-Pull: bitcoin#31407
Rebased-From: 710d5b5

Signapple has been updated to sign individual binaries, and notarize app
bundles and binaries. When codesigning, all individual binaries will be
codesigned, and both the app bundle and individual binaries will be
notarized.

Github-Pull: bitcoin#31407
Rebased-From: 31d3254

@fanquake fanquake force-pushed the backport_codesigning branch from 0ce4a9d to b1f694f Compare June 2, 2025 09:20
@fanquake fanquake marked this pull request as ready for review June 2, 2025 09:21
@pinheadmz
Member

I think all macos signing is working now.

Detached sigs for this commit: https://github.com/pinheadmz/bitcoin-detached-sigs/tree/fanquake-backport_codesigning-b1f694fce2

Tested signed binaries on macos/arm64:

--> ./bitcoind --version
Bitcoin Core version v28.2.0rc1
Copyright (C) 2009-2025 The Bitcoin Core developers

codesigned guix builds SHASUMS:

30af3e1bbfa4a3f891c2e62887aa8ef5be3cf1bf7d0029f2b1b2ba30886791c6  arm64-apple-darwin-codesigned/bitcoin-b1f694fce276-arm64-apple-darwin.tar.gz
0120313d6bc0e7a93a9df1507a2c5838183cd1d8ec7f0ac5e82e2ad5260770f8  arm64-apple-darwin-codesigned/bitcoin-b1f694fce276-arm64-apple-darwin.zip
3c3612cb3419940be1b19adad354169c913d2cb8fd3431addce6bbeab0e35892  arm64-apple-darwin/bitcoin-b1f694fce276-arm64-apple-darwin-codesigning.tar.gz
39125b89de8903cf111df70abe5f2d9874fcc98f3dd234f4c202e9d59057ca48  dist-archive/bitcoin-b1f694fce276-codesignatures-bd42dd2a53b0.tar.gz
39125b89de8903cf111df70abe5f2d9874fcc98f3dd234f4c202e9d59057ca48  dist-archive/bitcoin-b1f694fce276-codesignatures-bd42dd2a53b0.tar.gz
6ec5b4badd4c4f64c09762626a4b4c727b5c90a8d74699a3af5a21cbbda4bba9  x86_64-apple-darwin-codesigned/bitcoin-b1f694fce276-x86_64-apple-darwin.tar.gz
fbdfc915ef1a77eaab181667f09481081a3fd7131d53279044999744fdfd0d87  x86_64-apple-darwin-codesigned/bitcoin-b1f694fce276-x86_64-apple-darwin.zip
a0e546b23fdef1466ae3c5d856967a34067665d8daa75a4621b1ec0b8f8185ab  x86_64-apple-darwin/bitcoin-b1f694fce276-x86_64-apple-darwin-codesigning.tar.gz 

Member

@pinheadmz pinheadmz left a comment

ACK b1f694f

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ACK b1f694fce276d68a5b983c187a4efbb231d83f79

pinheadmz's public key is on openpgp.org

@fanquake fanquake requested a review from achow101 June 2, 2025 17:34
@fanquake fanquake merged commit 7f1da76 into bitcoin:28.x Jun 5, 2025
15 of 16 checks passed
@fanquake fanquake deleted the backport_codesigning branch June 5, 2025 13:38
@fanquake fanquake mentioned this pull request Jun 5, 2025
glozow added a commit that referenced this pull request Jun 9, 2025
fb62393 doc: update manual pages for 28.2rc2 (fanquake)
c2b2942 build: bump version to 28.2rc2 (fanquake)
b64faa5 doc: update release notes for rc2 (fanquake)
a6cbd33 depends: use "mkdir -p" when installing xproto (fanquake)

Pull request description:

  Backports #32568.
  Bumps to `rc2`.
  #32563 & #32639 have landed since `rc1`.

ACKs for top commit:
  glozow:
    ACK fb62393
  willcl-ark:
    ACK fb62393

Tree-SHA512: 4fc210c2baa6876e9efb62150f295c22d9ef8104812c26c64daf20fc82a002dedf96e5593a49df1b84aa60793a7220c90c5ed06d7dfd1eee972ac9963c188a51
@achow101
Member

Looks like 3656b82 wasn't cherry-picked? I think that's necessary for 744b1c8 to work.

@fanquake fanquake mentioned this pull request Jun 12, 2025
@fanquake
Member Author

Thanks, addressed in #32735.

fanquake added a commit that referenced this pull request Jun 17, 2025
2437d93 doc: update 28.x release notes (fanquake)
a6aca67 build: patch cmake min version on freetype (josibake)
9082498 contrib: Sign all Windows binaries too (Ava Chow)

Pull request description:

  This backports
  * 3656b82 - Which was missed in #32563, see #32563 (comment).
  * #32693

ACKs for top commit:
  willcl-ark:
    ACK 2437d93

Tree-SHA512: 3fcc04f22355372fd34581c068c3a02c2b19543f4a2a9058953b6f60debb36a597d74405decbe8451291431aa5bab2060f4545b9f6c1e3b0a8cc3e8aca17fdc5