build, qt: Fix make deploy on M1-based macOS with system frameworks #22546

1. 
   hebasto commented at 3:38 pm on July 25, 2021: member

   Fixes #22403

   This PR follows Apple docs:

   • New in macOS 11 on Macs with Apple silicon, and starting in macOS Big Sur 11 beta 6, the operating system enforces that any executable must be signed before it’s allowed to run. There isn’t a specific identity requirement for this signature: a simple ad-hoc signature is sufficient…
   • … If you use a custom workflow involving tools that modify a binary after linking (e.g. strip or install_name_tool) you might need to manually call codesign as an additional build phase to properly ad-hoc sign your binary. These new signatures are not bound to the specific machine that was used to build the executable, they can be verified on any other system and will be sufficient to comply with the new default code signing requirement on Macs with Apple silicon…

   When building with system Qt frameworks (i.e., without depends), a new string has been added to the make deploy log on M1-based macOS:

   0% make deploy
   1...
   2+ Generating .DS_Store +
   3dist/Bitcoin-Qt.app: replacing existing signature
   4+ Preparing .dmg disk image +
   5...
   

   This PR does not change build system behavior:

   • when building with depends
   • on Intel-based macOS
2. hebasto force-pushed on Jul 25, 2021
3. hebasto force-pushed on Jul 25, 2021
4. DrahtBot added the label Scripts and tools on Jul 25, 2021
5. hebasto force-pushed on Jul 25, 2021
6. hebasto force-pushed on Jul 25, 2021
7. hebasto force-pushed on Jul 25, 2021
8. hebasto marked this as ready for review on Jul 25, 2021
9. hebasto added the label macOS on Jul 25, 2021
10. in contrib/macdeploy/macdeployqtplus:549 in 4d489dd343 outdated

    545@@ -543,6 +546,9 @@ ds.close()
    546 
    547 # ------------------------------------------------
    548 
    549+if need_to_sign_target and platform.system() == "Darwin" and platform.machine() == "arm64":
    

    ---

    ---

    

    fanquake commented at 6:33 am on July 29, 2021:

    Is there a problem with just always signing in the need_to_sign_target case, i.e non-depends builds, rather than making this specific to arm64?

    ---

    

    hebasto commented at 1:04 pm on July 29, 2021:

    Not a problem at all, just not required.

    ---

    

    fanquake commented at 3:12 am on July 30, 2021:

    Probably easier to just always sign then. Otherwise this should have an explainer.

    ---

    

    hebasto commented at 7:17 am on July 30, 2021:

    Is the following comment good as an explanation (compiled from Apple docs):

    “In macOS 11 on Macs with Apple silicon the operating system enforces that any executable must be signed before it’s allowed to run. After using tools such as strip or install_name_tool, to call codesign is required to properly ad-hoc sign binaries.”

    ?

    ---

    

    laanwj commented at 3:57 pm on September 6, 2021:

    I agree that adding a comment here makes sense. It’s not obvious why this would be ARM-only.

    ---

    

    jarolrod commented at 5:57 pm on September 6, 2021:

    I am of the opinion that it is just easier to always sign. Right now the requirement is only for apple silicon, but I have not seen anything to say that this wouldn’t expand to remaining intel Macs in future OS versions.

    If we stick with only signing for arm, then the following is a suitable comment:

    “Starting with macOS 11 on Apple silicon, executables must be signed before they are allowed to run.”

    ---

    

    hebasto commented at 11:46 am on September 14, 2021:

    Probably easier to just always sign then. Otherwise this should have an explainer.

    Updated.

11. 
    fanquake commented at 6:33 am on July 29, 2021: member

    ee722d3fdb16b374197fd80ad564146e7eff524e: It’s not clear what this commit is doing, or what Align frameworks with macOS codesign tool requirements is meant to mean. You’ve also imported subprocess and not used it.
12. 
    hebasto commented at 1:46 pm on July 29, 2021: member

    ee722d3: It’s not clear what this commit is doing, or what Align frameworks with macOS codesign tool requirements is meant to mean.

    Yeah, it was a hard time for me to choose a right wording. Without the first commit the signing tool returns an error:

     0% make deploy
     1...
     2dist/Bitcoin-Qt.app: replacing existing signature
     3dist/Bitcoin-Qt.app: bundle format unrecognized, invalid, or unsuitable
     4In subcomponent: /Users/hebasto/bitcoin/dist/Bitcoin-Qt.app/Contents/Frameworks/QtPrintSupport.framework
     5Traceback (most recent call last):
     6  File "/Users/hebasto/bitcoin/./contrib/macdeploy/macdeployqtplus", line 552, in <module>
     7    subprocess.check_call(f"codesign --deep --force --sign - {target}", shell=True)
     8  File "/opt/homebrew/Cellar/python@3.9/3.9.6/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 373, in check_call
     9    raise CalledProcessError(retcode, cmd)
    10subprocess.CalledProcessError: Command 'codesign --deep --force --sign - dist/Bitcoin-Qt.app' returned non-zero exit status 1.
    11make: *** [Bitcoin-Core.dmg] Error 1
    

13. hebasto force-pushed on Jul 29, 2021
14. 
    hebasto commented at 3:15 pm on July 29, 2021: member

    Updated 4d489dd34330478315b128f14e3e57e5cd284655 -> bbdd5889da71955e8004b43217b740ddaf799d4e (pr22546.02 -> pr22546.03, diff):

    • addressed @fanquake’s comment:

    You’ve also imported subprocess and not used it.

15. 
    fanquake commented at 3:13 am on July 30, 2021: member

    Yeah, it was a hard time for me to choose a right wording. Without the first commit the signing tool returns an error:

    Ok. I’ll have a look. This needs a better commit message (with explanation), otherwise by itself, it’s not clear what problem it’s fixing or why it’s the correct solution.

16. 
    RandyMcMillan commented at 4:52 am on August 11, 2021: contributor

    Tested on macOS 11.4 (20F71)

    

    ---

    Note:

    Technically the package import order is not standard. This may be a good time to bring it into compliance.

    https://github.com/RandyMcMillan/bitcoin/commit/d8deef3b9176c26ae0ee10b9596c861a67514e6c

    

17. fanquake deleted a comment on Aug 12, 2021
18. 
    Zero-1729 commented at 2:01 am on August 13, 2021: contributor

    tACK bbdd5889da71955e8004b43217b740ddaf799d4e

    Tested on macOS v11.4

    On master, the built app from DMG is broken. I get the following error when attempting to launch it:

    After Patch

    I can confirm this patch fixes that; opening the built app in the DMG works as expected (Bitcoin-Qt.app opens normally).

     0$ make -j9 deploy
     1...
     2+ Adding Qt translations +
     3+ Installing qt.conf +
     4+ Generating .DS_Store +
     5dist/Bitcoin-Qt.app: replacing existing signature
     6+ Preparing .dmg disk image +
     7........................................................................................................
     8created: /Users/abubakar/Github/bitcoin/Bitcoin-Core.temp.dmg
     9+ Applying fancy settings +
    10+ Finalizing .dmg disk image +
    11"disk4" ejected.
    12Preparing imaging engine…
    13Reading Protective Master Boot Record (MBR : 0)…
    14   (CRC32 $251F7180: Protective Master Boot Record (MBR : 0))
    15Reading GPT Header (Primary GPT Header : 1)…
    16   (CRC32 $0E7F79E8: GPT Header (Primary GPT Header : 1))
    17Reading GPT Partition Data (Primary GPT Table : 2)…
    18   (CRC32 $46B32FF2: GPT Partition Data (Primary GPT Table : 2))
    19Reading  (Apple_Free : 3)…
    20   (CRC32 $00000000:  (Apple_Free : 3))
    21Reading disk image (Apple_APFS : 4)…
    22.................................................................................................................................................................................
    23   (CRC32 $0AE0B07F: disk image (Apple_APFS : 4))
    24Reading  (Apple_Free : 5)…
    25.................................................................................................................................................................................
    26   (CRC32 $00000000:  (Apple_Free : 5))
    27Reading GPT Partition Data (Backup GPT Table : 6)…
    28.................................................................................................................................................................................
    29   (CRC32 $46B32FF2: GPT Partition Data (Backup GPT Table : 6))
    30Reading GPT Header (Backup GPT Header : 7)…
    31.................................................................................................................................................................................
    32   (CRC32 $F4C2505D: GPT Header (Backup GPT Header : 7))
    33Adding resources…
    34.................................................................................................................................................................................
    35Elapsed Time:  3.616s
    36File size: 17954445 bytes, Checksum: CRC32 $CA646B34
    37Sectors processed: 134790, 80803 compressed
    38Speed: 10.9Mbytes/sec
    39Savings: 74.0%
    40created: /Users/abubakar/Github/bitcoin/Bitcoin-Core.dmg
    41+ Done +
    

    0$ file Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt 
    1Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt: Mach-O 64-bit executable arm64
    

19. 
    jarolrod commented at 8:14 pm on September 4, 2021: member

    on an M1 mac, the application is recognized as an IOS application, it should be recognized as Apple Silicon. Obviously, we are not building an IOS application and it is not an IOS executable. The system is just categorizing it wrong. But, why?

    My current thinking with what is going on is that it could be related to LSArchitecturePriority, this field is still set as x86_64 when it should be set as arm64:

    0  <key>LSArchitecturePriority</key>
    1  <array>
    2    <string>x86_64</string>
    3  </array>
    

20. in contrib/macdeploy/macdeployqtplus:269 in bbdd5889da outdated

    278+        if os.path.exists(to_dir):
    279+            return None # Already there
    280+
    281+        from_dir = framework.frameworkPath
    282+        if not os.path.exists(from_dir):
    283+            raise RuntimeError(f"No diretory at {from_dir}")
    

    ---

    ---

    

    jarolrod commented at 11:34 pm on September 4, 2021:

    0            raise RuntimeError(f"No directory at {from_dir}")
    

    ---

    

    hebasto commented at 9:56 am on September 5, 2021:

    Thanks! Updated.
21. 
    jarolrod commented at 3:28 am on September 5, 2021: member

    Concept ACK, need to do more testing in relation to signing and macOS 12.

    I have fixed the issue mentioned here about the deployed app’s categorization in #418. If you find it appropriate, feel free to close that PR and include the commit here 🥃

22. hebasto force-pushed on Sep 5, 2021
23. 
    hebasto commented at 9:56 am on September 5, 2021: member

    Updated bbdd5889da71955e8004b43217b740ddaf799d4e -> 462e63220867982495804397beb782ebc0b2e17a (pr22546.03 -> pr22546.04):

    • addressed @jarolrod’s comment
    • rebased on the recent CI code
24. in contrib/macdeploy/macdeployqtplus:291 in 462e632208 outdated

    324-                print(" to:", toContentsDir)
    325-    
    326     return toPath
    327 
    328 def deployFrameworks(frameworks: List[FrameworkInfo], bundlePath: str, binaryPath: str, strip: bool, verbose: int, deploymentInfo: Optional[DeploymentInfo] = None) -> DeploymentInfo:
    329+    global need_to_sign_target
    

    ---

    ---

    

    laanwj commented at 4:07 pm on September 6, 2021:

    It’s kind of ugly to use a global here, can’t we return the flag in DeploymentInfo.

    ---

    

    hebasto commented at 11:46 am on September 14, 2021:

    Updated.
25. hebasto referenced this in commit b5ede2aa7f on Sep 14, 2021
26. hebasto force-pushed on Sep 14, 2021
27. hebasto marked this as a draft on Sep 14, 2021
28. 
    hebasto commented at 11:45 am on September 14, 2021: member

    Updated 462e63220867982495804397beb782ebc0b2e17a -> c206adc4a304c85cfaeb67eeea38dd8c0409ed95 (pr22546.04 -> pr22546.05):

    • addressed @fanquake’s comment:

    Probably easier to just always sign then. Otherwise this should have an explainer.

    • rebased on top of the merged https://github.com/bitcoin-core/gui/pull/418
29. hebasto marked this as ready for review on Sep 14, 2021
30. sidhujag referenced this in commit 366cfea7b2 on Sep 15, 2021
31. 
    RandyMcMillan commented at 8:19 pm on September 22, 2021: contributor

    tACK c206adc

    

32. 
    dongcarl commented at 8:23 pm on January 26, 2022: member

    Haven’t looked into the code deeply, but I had the exact same problem as #22546#pullrequestreview-729205518, and using this patch fixed it.

    Apparently codesigning verification with M1 Macs are a lot stricter than with non-M1 Macs, which is what causes the above problem.

33. 
    fanquake commented at 6:38 am on January 28, 2022: member

    Could you rebase this now that #21851 has been merged?
34. hebasto force-pushed on Jan 28, 2022
35. 
    hebasto commented at 8:54 pm on January 28, 2022: member

    Could you rebase this now that #21851 has been merged?

    Rebased c206adc4a304c85cfaeb67eeea38dd8c0409ed95 -> c9cb5574468d59eca6ef73cd4e6487070845e09d (pr22546.05 -> pr22546.06).

36. 
    hebasto commented at 9:12 pm on January 28, 2022: member

    Guix builds:

     0$ env HOSTS='x86_64-apple-darwin arm64-apple-darwin' ./contrib/guix/guix-build
     1$ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
     2f62bd85dd3928ba391afbff31ccdd9907e5cb60d8ffa80b3d30941910e6c0dbb  guix-build-c9cb5574468d/output/arm64-apple-darwin/SHA256SUMS.part
     36c154b25f46966b1b4f3db68efcd6ba7dc98b6777af30d28ced87c510a6b9ef3  guix-build-c9cb5574468d/output/arm64-apple-darwin/bitcoin-c9cb5574468d-arm64-apple-darwin.tar.gz
     41ba428c8c5af244b2a3ae17f3fec2f0c56da54214034fb4499f6c915dfe8c6fd  guix-build-c9cb5574468d/output/arm64-apple-darwin/bitcoin-c9cb5574468d-osx-unsigned.dmg
     546fd56b4566dec7df25f941cc61a51d9e0645f6729da1955725eb6e877f5a96f  guix-build-c9cb5574468d/output/arm64-apple-darwin/bitcoin-c9cb5574468d-osx-unsigned.tar.gz
     69ddf675f91d5dc0c89cc7adb929e60d26e113d4a0e7ec309c4ee0da5e57164d8  guix-build-c9cb5574468d/output/dist-archive/bitcoin-c9cb5574468d.tar.gz
     78d7545aa56cd6ab7aca5f0e65a43a6d14644cd65768cb3fda6396edb934bf7e3  guix-build-c9cb5574468d/output/x86_64-apple-darwin/SHA256SUMS.part
     8a37588563758c493241e3be2422919a51933c73b48458f7e01bde5f51470a3b3  guix-build-c9cb5574468d/output/x86_64-apple-darwin/bitcoin-c9cb5574468d-osx-unsigned.dmg
     933075026fbc8cde0b83988d8f544e3d56a894b02f684554bc06143cc1400e102  guix-build-c9cb5574468d/output/x86_64-apple-darwin/bitcoin-c9cb5574468d-osx-unsigned.tar.gz
    101769bb344dc7ff2caf32ed21a645f7c24b1cb736550508f8c654c2096140e11e  guix-build-c9cb5574468d/output/x86_64-apple-darwin/bitcoin-c9cb5574468d-osx64.tar.gz
    

37. hebasto force-pushed on Feb 6, 2022
38. 
    hebasto commented at 10:20 am on February 6, 2022: member

    Rebased c9cb5574468d59eca6ef73cd4e6487070845e09d -> 06909e4f26780514438aa9e2987b5fbfbdd0f061 (pr22546.06 -> pr22546.07).
39. 
    hebasto commented at 10:53 am on February 6, 2022: member

    Guix builds:

     0$ env HOSTS='x86_64-apple-darwin arm64-apple-darwin' ./contrib/guix/guix-build
     1$ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
     2e7699d91489e62f0593b92b4a2bb7c55a0234f2dcbf988c91ac56fcf10828c3e  guix-build-06909e4f2678/output/arm64-apple-darwin/SHA256SUMS.part
     345e0526a05685158bf20fd1c57cd412a3f82c1bdf1250a244f0890b32ed025f6  guix-build-06909e4f2678/output/arm64-apple-darwin/bitcoin-06909e4f2678-arm64-apple-darwin.tar.gz
     4ce1ff6b4fc996c38c1e681ad268fd110cd452c9da666b46d06cea6f55a7e19fd  guix-build-06909e4f2678/output/arm64-apple-darwin/bitcoin-06909e4f2678-osx-unsigned.dmg
     56fdbf122cecc8e07d8d2853e805dbe2df7d470a8de3594a454df0817f5ba8f71  guix-build-06909e4f2678/output/arm64-apple-darwin/bitcoin-06909e4f2678-osx-unsigned.tar.gz
     6cca1b3b2029c780165bb1206c7810298c1996134541a649b124a34b607ae26fa  guix-build-06909e4f2678/output/dist-archive/bitcoin-06909e4f2678.tar.gz
     78a433dc326f3c054d0f607727fcebfb46585e0d83ddcfc27b511c2421d760734  guix-build-06909e4f2678/output/x86_64-apple-darwin/SHA256SUMS.part
     806a838d7388bbdac7ec9be89d467b061d72256215e787695f05513d3a0c112ae  guix-build-06909e4f2678/output/x86_64-apple-darwin/bitcoin-06909e4f2678-osx-unsigned.dmg
     9c388c66896ea0c201d735f236ad9733ae14c4c9f78618cdaae7d7fefbd552ab8  guix-build-06909e4f2678/output/x86_64-apple-darwin/bitcoin-06909e4f2678-osx-unsigned.tar.gz
    100e04bff3b9b0f33a83782a7dab5720a2f64344ae44c338ae2ab2292cc23146f4  guix-build-06909e4f2678/output/x86_64-apple-darwin/bitcoin-06909e4f2678-osx64.tar.gz
    

40. meshcollider added this to the milestone 23.0 on Feb 7, 2022
41. 
    Zero-1729 commented at 6:03 pm on February 14, 2022: contributor

    re-tACK 06909e4f26780514438aa9e2987b5fbfbdd0f061

    Tested on macOS 12.2.1 (21D62)

    Patch still works as expected; the generated app in the DMG launches without any errors.

42. build, qt: Align frameworks with macOS codesign tool requirements

    Currently the codesign tool fails to sign copied frameworks.

    c26a0a5af7
43. build, qt: (Re-)sign package

    Starting with macOS 11 on Apple silicon, executables must be signed
    before they are allowed to run.

    1513727e2b
44. hebasto force-pushed on Feb 17, 2022
45. 
    hebasto commented at 12:12 pm on February 17, 2022: member

    Rebased 06909e4f26780514438aa9e2987b5fbfbdd0f061 -> 1513727e2b38800c694d1204cb454cc6fabc4937 (pr22546.07 -> pr22546.08) on top of the merged #24348.
46. 
    hebasto commented at 5:33 pm on February 17, 2022: member

    Guix builds:

     0$ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
     10793e0ac20b1f3abc2e5159e9038d70eb0138630eef595782fc996f5e704d68a  guix-build-1513727e2b38/output/aarch64-linux-gnu/SHA256SUMS.part
     256cdca87802db062b32a4bba60ef7f39e5aee4a9779cef35071cc914fea1bf0e  guix-build-1513727e2b38/output/aarch64-linux-gnu/bitcoin-1513727e2b38-aarch64-linux-gnu-debug.tar.gz
     3576308ed1fb69ebebbce4f7c1252373de8875cd949386b1a13b53fe6d6c954b5  guix-build-1513727e2b38/output/aarch64-linux-gnu/bitcoin-1513727e2b38-aarch64-linux-gnu.tar.gz
     40f39af36a605bac0f1bfe5118a1e9e4b0807f6fc25ee72600aabb19bb9a85fb5  guix-build-1513727e2b38/output/arm-linux-gnueabihf/SHA256SUMS.part
     504f402e3b75c3643d74e7f1ecbcb9f56e45561d39423755abb9d5f1ecbaa1019  guix-build-1513727e2b38/output/arm-linux-gnueabihf/bitcoin-1513727e2b38-arm-linux-gnueabihf-debug.tar.gz
     6027ee6368839531b57c1907927dd4967765299447ded1c12cc17c64b13fddbef  guix-build-1513727e2b38/output/arm-linux-gnueabihf/bitcoin-1513727e2b38-arm-linux-gnueabihf.tar.gz
     70cf76bb70bd6f446a99ea7cade2357cceef16fe63f1d1258087d13642f024f9c  guix-build-1513727e2b38/output/arm64-apple-darwin/SHA256SUMS.part
     80c9246cef1ae82f37f5618308b477e7548e09ce94613ab9c43e3160a0f0450a7  guix-build-1513727e2b38/output/arm64-apple-darwin/bitcoin-1513727e2b38-arm64-apple-darwin.tar.gz
     951dcbcfd86e55e36ee299ff4f3a5e2e2baec06755a4b149742616fa5c691a3b5  guix-build-1513727e2b38/output/arm64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.dmg
    10fd16a158dd2ae9f90d61de4a8d4e287458d42e5e6b5bd6aece6b2bd18cbc73c5  guix-build-1513727e2b38/output/arm64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.tar.gz
    11b18f242456aeeddf37cc31f001221593283b020f35ba72e375f69a4c602a3970  guix-build-1513727e2b38/output/dist-archive/bitcoin-1513727e2b38.tar.gz
    126b411193b4a60fb37e7809a1df45e465feaf09ff4ad2d7cbb293e0838774591d  guix-build-1513727e2b38/output/powerpc64-linux-gnu/SHA256SUMS.part
    135b8d26f66d30de098f790ef3cf632eb8aa85f9c680f6c2cdaee9076227f627c2  guix-build-1513727e2b38/output/powerpc64-linux-gnu/bitcoin-1513727e2b38-powerpc64-linux-gnu-debug.tar.gz
    1495d6811384228b2b2dca487b87027fc3704416def3d2574df511c1f75febb7af  guix-build-1513727e2b38/output/powerpc64-linux-gnu/bitcoin-1513727e2b38-powerpc64-linux-gnu.tar.gz
    152887fd0d7f618b1ece5dee2909867606d2ff60e10d9bb4f48d69bcb4f4256948  guix-build-1513727e2b38/output/powerpc64le-linux-gnu/SHA256SUMS.part
    16a8f9598eefb77bdcbe7317636921d633b1af0210608d9f033027bf1d5d0152f2  guix-build-1513727e2b38/output/powerpc64le-linux-gnu/bitcoin-1513727e2b38-powerpc64le-linux-gnu-debug.tar.gz
    170b7851c32dc1df406b71e68a5bd1c61dc4062b4e5a7d08c026ed3191682e5d2a  guix-build-1513727e2b38/output/powerpc64le-linux-gnu/bitcoin-1513727e2b38-powerpc64le-linux-gnu.tar.gz
    18cff4e6eb1afd5fb403e3afebc15b59ae34f593cc956666e692eff1ac0b031eb0  guix-build-1513727e2b38/output/riscv64-linux-gnu/SHA256SUMS.part
    19093723e11f3fd55feb34acd5fae2c1d48cf9251edfd8e286ccfca26d5b3d4408  guix-build-1513727e2b38/output/riscv64-linux-gnu/bitcoin-1513727e2b38-riscv64-linux-gnu-debug.tar.gz
    20d8cc7ffdc9e3ce0ff610d0fa71d5eeca18f7f27b9a76a4b21fd89c343a002eaa  guix-build-1513727e2b38/output/riscv64-linux-gnu/bitcoin-1513727e2b38-riscv64-linux-gnu.tar.gz
    21c33f78cbf09ff0d71bae8a971030fac0a7fcf8e8ae745b7ae35ec8ef0979105b  guix-build-1513727e2b38/output/x86_64-apple-darwin/SHA256SUMS.part
    226bc78aa850bfe906ae6593e6e44b9d1d95b0977ff9dd227fd355f938b75cdd64  guix-build-1513727e2b38/output/x86_64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.dmg
    236066fc635615cf9e918c0ec8579588683d5f9b2a0f14d57a4d2576f199746b9a  guix-build-1513727e2b38/output/x86_64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.tar.gz
    24c43582f8ecef39f049cbba11c4e646e011ac3cff4a59582435bb8733b30b12f0  guix-build-1513727e2b38/output/x86_64-apple-darwin/bitcoin-1513727e2b38-osx64.tar.gz
    2504da85b5eeeb4549f1d74902596853ace814d704fac21ee963d737142f5cee7d  guix-build-1513727e2b38/output/x86_64-linux-gnu/SHA256SUMS.part
    2653274875268d4b18b36c487e3410961381d1960772c5def082bf3048659bc899  guix-build-1513727e2b38/output/x86_64-linux-gnu/bitcoin-1513727e2b38-x86_64-linux-gnu-debug.tar.gz
    278e93f32641da9f574d228429dc8133bccb9b3a499c0654ea81148a6ca2a4124d  guix-build-1513727e2b38/output/x86_64-linux-gnu/bitcoin-1513727e2b38-x86_64-linux-gnu.tar.gz
    28e911fc37258f7a26976fe0a66f0af69bf89ed95e71064cdbd3e2615d18e13d8c  guix-build-1513727e2b38/output/x86_64-w64-mingw32/SHA256SUMS.part
    29e1f9ce7c661e97d69f9f5518071cf70fd4cc75c186941fed9ba4678ad8a9ed22  guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win-unsigned.tar.gz
    30ddbc59f27da63b2e2a65b1b323bcda604570c63e5886692808d0bda455c97ce1  guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win64-debug.zip
    3153e2fd55381470496fe800854c03a03bbf2189bd8e0ab5617942281c9df1ef4f  guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win64-setup-unsigned.exe
    3279519d66034fecd41886f5ec4caae433fd7d3d5c182d068fc45ef9260ef2bdf7  guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win64.zip
    

47. 
    jarolrod commented at 10:17 am on February 23, 2022: member

    ACK 1513727e2b38800c694d1204cb454cc6fabc4937

    Testing on an m1 machine; I have confirmed the issue on master, and this PR fixes it. Also tested on an Intel Mac to ensure that there’s no ill side effects of this change on that platform.

48. in contrib/macdeploy/macdeployqtplus:545 in 1513727e2b

    540@@ -543,6 +541,9 @@ ds.close()
    541 
    542 # ------------------------------------------------
    543 
    544+if platform.system() == "Darwin":
    545+    subprocess.check_call(f"codesign --deep --force --sign - {target}", shell=True)
    

    ---

    ---

    

    fanquake commented at 3:12 pm on February 23, 2022:

    For anyone else’s reference, passing - to --sign invokes ad-hoc signing, which is more limited in it’s capabilities, but sufficient for locally running/testing binaries.

    If identity is the single letter “-” (dash), ad-hoc signing is performed. Ad-hoc signing does not use an identity at all, and identifies exactly one instance of code. Significant restrictions apply to the use of ad-hoc signed code; consult documentation before using this.

49. fanquake approved
50. 
    fanquake commented at 3:44 pm on February 23, 2022: member

    ACK 1513727e2b38800c694d1204cb454cc6fabc4937 - although didn’t test on M1 hardware. Given the forced signing is scoped to only occur when running the deploy script on macOS, this doesn’t interfere with our release signing.

    Guix Build:

     0bash-5.1# find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
     10793e0ac20b1f3abc2e5159e9038d70eb0138630eef595782fc996f5e704d68a  guix-build-1513727e2b38/output/aarch64-linux-gnu/SHA256SUMS.part
     256cdca87802db062b32a4bba60ef7f39e5aee4a9779cef35071cc914fea1bf0e  guix-build-1513727e2b38/output/aarch64-linux-gnu/bitcoin-1513727e2b38-aarch64-linux-gnu-debug.tar.gz
     3576308ed1fb69ebebbce4f7c1252373de8875cd949386b1a13b53fe6d6c954b5  guix-build-1513727e2b38/output/aarch64-linux-gnu/bitcoin-1513727e2b38-aarch64-linux-gnu.tar.gz
     40f39af36a605bac0f1bfe5118a1e9e4b0807f6fc25ee72600aabb19bb9a85fb5  guix-build-1513727e2b38/output/arm-linux-gnueabihf/SHA256SUMS.part
     504f402e3b75c3643d74e7f1ecbcb9f56e45561d39423755abb9d5f1ecbaa1019  guix-build-1513727e2b38/output/arm-linux-gnueabihf/bitcoin-1513727e2b38-arm-linux-gnueabihf-debug.tar.gz
     6027ee6368839531b57c1907927dd4967765299447ded1c12cc17c64b13fddbef  guix-build-1513727e2b38/output/arm-linux-gnueabihf/bitcoin-1513727e2b38-arm-linux-gnueabihf.tar.gz
     70cf76bb70bd6f446a99ea7cade2357cceef16fe63f1d1258087d13642f024f9c  guix-build-1513727e2b38/output/arm64-apple-darwin/SHA256SUMS.part
     80c9246cef1ae82f37f5618308b477e7548e09ce94613ab9c43e3160a0f0450a7  guix-build-1513727e2b38/output/arm64-apple-darwin/bitcoin-1513727e2b38-arm64-apple-darwin.tar.gz
     951dcbcfd86e55e36ee299ff4f3a5e2e2baec06755a4b149742616fa5c691a3b5  guix-build-1513727e2b38/output/arm64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.dmg
    10fd16a158dd2ae9f90d61de4a8d4e287458d42e5e6b5bd6aece6b2bd18cbc73c5  guix-build-1513727e2b38/output/arm64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.tar.gz
    11b18f242456aeeddf37cc31f001221593283b020f35ba72e375f69a4c602a3970  guix-build-1513727e2b38/output/dist-archive/bitcoin-1513727e2b38.tar.gz
    126b411193b4a60fb37e7809a1df45e465feaf09ff4ad2d7cbb293e0838774591d  guix-build-1513727e2b38/output/powerpc64-linux-gnu/SHA256SUMS.part
    135b8d26f66d30de098f790ef3cf632eb8aa85f9c680f6c2cdaee9076227f627c2  guix-build-1513727e2b38/output/powerpc64-linux-gnu/bitcoin-1513727e2b38-powerpc64-linux-gnu-debug.tar.gz
    1495d6811384228b2b2dca487b87027fc3704416def3d2574df511c1f75febb7af  guix-build-1513727e2b38/output/powerpc64-linux-gnu/bitcoin-1513727e2b38-powerpc64-linux-gnu.tar.gz
    152887fd0d7f618b1ece5dee2909867606d2ff60e10d9bb4f48d69bcb4f4256948  guix-build-1513727e2b38/output/powerpc64le-linux-gnu/SHA256SUMS.part
    16a8f9598eefb77bdcbe7317636921d633b1af0210608d9f033027bf1d5d0152f2  guix-build-1513727e2b38/output/powerpc64le-linux-gnu/bitcoin-1513727e2b38-powerpc64le-linux-gnu-debug.tar.gz
    170b7851c32dc1df406b71e68a5bd1c61dc4062b4e5a7d08c026ed3191682e5d2a  guix-build-1513727e2b38/output/powerpc64le-linux-gnu/bitcoin-1513727e2b38-powerpc64le-linux-gnu.tar.gz
    18cff4e6eb1afd5fb403e3afebc15b59ae34f593cc956666e692eff1ac0b031eb0  guix-build-1513727e2b38/output/riscv64-linux-gnu/SHA256SUMS.part
    19093723e11f3fd55feb34acd5fae2c1d48cf9251edfd8e286ccfca26d5b3d4408  guix-build-1513727e2b38/output/riscv64-linux-gnu/bitcoin-1513727e2b38-riscv64-linux-gnu-debug.tar.gz
    20d8cc7ffdc9e3ce0ff610d0fa71d5eeca18f7f27b9a76a4b21fd89c343a002eaa  guix-build-1513727e2b38/output/riscv64-linux-gnu/bitcoin-1513727e2b38-riscv64-linux-gnu.tar.gz
    21c33f78cbf09ff0d71bae8a971030fac0a7fcf8e8ae745b7ae35ec8ef0979105b  guix-build-1513727e2b38/output/x86_64-apple-darwin/SHA256SUMS.part
    226bc78aa850bfe906ae6593e6e44b9d1d95b0977ff9dd227fd355f938b75cdd64  guix-build-1513727e2b38/output/x86_64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.dmg
    236066fc635615cf9e918c0ec8579588683d5f9b2a0f14d57a4d2576f199746b9a  guix-build-1513727e2b38/output/x86_64-apple-darwin/bitcoin-1513727e2b38-osx-unsigned.tar.gz
    24c43582f8ecef39f049cbba11c4e646e011ac3cff4a59582435bb8733b30b12f0  guix-build-1513727e2b38/output/x86_64-apple-darwin/bitcoin-1513727e2b38-osx64.tar.gz
    2504da85b5eeeb4549f1d74902596853ace814d704fac21ee963d737142f5cee7d  guix-build-1513727e2b38/output/x86_64-linux-gnu/SHA256SUMS.part
    2653274875268d4b18b36c487e3410961381d1960772c5def082bf3048659bc899  guix-build-1513727e2b38/output/x86_64-linux-gnu/bitcoin-1513727e2b38-x86_64-linux-gnu-debug.tar.gz
    278e93f32641da9f574d228429dc8133bccb9b3a499c0654ea81148a6ca2a4124d  guix-build-1513727e2b38/output/x86_64-linux-gnu/bitcoin-1513727e2b38-x86_64-linux-gnu.tar.gz
    28e911fc37258f7a26976fe0a66f0af69bf89ed95e71064cdbd3e2615d18e13d8c  guix-build-1513727e2b38/output/x86_64-w64-mingw32/SHA256SUMS.part
    29e1f9ce7c661e97d69f9f5518071cf70fd4cc75c186941fed9ba4678ad8a9ed22  guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win-unsigned.tar.gz
    30ddbc59f27da63b2e2a65b1b323bcda604570c63e5886692808d0bda455c97ce1  guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win64-debug.zip
    3153e2fd55381470496fe800854c03a03bbf2189bd8e0ab5617942281c9df1ef4f  guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win64-setup-unsigned.exe
    3279519d66034fecd41886f5ec4caae433fd7d3d5c182d068fc45ef9260ef2bdf7  guix-build-1513727e2b38/output/x86_64-w64-mingw32/bitcoin-1513727e2b38-win64.zip
    

51. fanquake merged this on Feb 23, 2022
52. fanquake closed this on Feb 23, 2022

    ---

53. sidhujag referenced this in commit 88aeaee14c on Feb 23, 2022
54. hebasto deleted the branch on Feb 23, 2022
55. DrahtBot locked this on Feb 23, 2023

Contributors
hebasto fanquake laanwj jarolrod RandyMcMillan Zero-1729 dongcarl

Labels
macOS Scripts and tools

Milestone
23.0