Switches to using a newer version of osslsigncode in our Guix environment.
achow101 can you test this with some sort of Windows code-signing dry-run (no-rush).
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
See the guideline for information on the review process.
Type | Reviewers |
---|---|
ACK | achow101 |
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.
It appears that osslsigncode has been updated to do more verification of the signature after applying it. It now requires having a CA bundle which is not currently present in our environment. The package `nss-certs` provides these, and the option `-CAfile` needs to be given in order for osslsigncode to find the certs. The following diff resolves these issues.
0diff --git a/contrib/guix/libexec/codesign.sh b/contrib/guix/libexec/codesign.sh
1index f6322d761c..6ffa0f07b2 100755
2--- a/contrib/guix/libexec/codesign.sh
3+++ b/contrib/guix/libexec/codesign.sh
4@@ -77,6 +77,7 @@ mkdir -p "$DISTSRC"
5 osslsigncode attach-signature \
6 -in "$infile" \
7 -out "${OUTDIR}/${infile_base/-unsigned}" \
8+ -CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" \
9 -sigin codesignatures/win/"$infile_base".pem
10 done
11 ;;
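Review bot: the -CAfile argument added to the attach-signature call is built from "$GUIX_ENVIRONMENT" with no check that the variable is set or that the bundle is readable. If the variable is empty the path becomes /etc/ssl/certs/ca-certificates.crt, which is either missing or a different bundle from the one the manifest provides, and the problem would surface only as an osslsigncode error inside the loop. Consider checking once before the loop, for example `[ -r "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" ] || { echo "CA bundle not found" >&2; exit 1; }`, and keeping the path in a variable so the check and the call cannot drift apart.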
12diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
13index 3519ec4b2b..85e3213ff9 100644
14--- a/contrib/guix/manifest.scm
15+++ b/contrib/guix/manifest.scm
16@@ -601,7 +601,8 @@ inspecting signatures in Mach-O binaries.")
17 (list zip
18 (make-mingw-pthreads-cross-toolchain "x86_64-w64-mingw32")
19 (make-nsis-for-gcc-10 nsis-x86_64)
20- osslsigncode))
21+ osslsigncode
22+ nss-certs))
23 ((string-contains target "-linux-")
24 (list (make-bitcoin-cross-toolchain target)))
25 ((string-contains target "darwin")
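Review bot: nothing on the added nss-certs line records why the package is there, so it reads as an unrelated dependency next to osslsigncode and is easy to drop in a later cleanup. A short comment saying that it supplies the etc/ssl/certs/ca-certificates.crt bundle passed to osslsigncode via -CAfile in codesign.sh would tie the two files together. Since the package is added only to this branch of the target conditional, it is also worth confirming that this branch is the one in effect when codesign.sh runs the attach-signature step.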
Co-authored-by: Andrew Chow <github@achow101.com>
ACK 285edfadcacde4921c0afa2092c613daf21a55aa