guix: use osslsigncode 2.5 #27179

fanquake wants to merge 1 commit into bitcoin:master from fanquake:osslsigncode_2_4, changing 2 files (+9 −13)
  1. fanquake commented at 5:46 pm on February 28, 2023: member

    Switches to using a newer version of osslsigncode in our Guix environment.

    achow101 can you test this with some sort of Windows code-signing dry-run (no-rush)?

  2. fanquake added the label DrahtBot Guix build requested on Feb 28, 2023
  3. DrahtBot commented at 5:46 pm on February 28, 2023: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK achow101

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  4. DrahtBot commented at 5:30 pm on March 1, 2023: contributor

    Guix builds

    File commit cb40639bdf04bab31bcdceb3bf941e9bade8317a(master) commit b916631ef55a975f35ea2e19de8c6f1bb6410198(master and this pull)
  5. DrahtBot removed the label DrahtBot Guix build requested on Mar 1, 2023
  6. DrahtBot added the label Build system on Mar 1, 2023
  7. fanquake force-pushed on Mar 1, 2023
  8. achow101 commented at 6:59 pm on March 10, 2023: member

    It appears that osslsigncode has been updated to do more verification of the signature after applying it. It now requires having a CA bundle which is not currently present in our environment. The package nss-certs provides these, and the option -CAfile needs to be given in order for osslsigncode to find the certs. The following diff resolves these issues.

     0diff --git a/contrib/guix/libexec/codesign.sh b/contrib/guix/libexec/codesign.sh
     1index f6322d761c..6ffa0f07b2 100755
     2--- a/contrib/guix/libexec/codesign.sh
     3+++ b/contrib/guix/libexec/codesign.sh
     4@@ -77,6 +77,7 @@ mkdir -p "$DISTSRC"
     5                 osslsigncode attach-signature \
     6                                  -in "$infile" \
     7                                  -out "${OUTDIR}/${infile_base/-unsigned}" \
     8+                                 -CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" \
     9                                  -sigin codesignatures/win/"$infile_base".pem
    10             done
    11             ;;
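    Review bot: In the added `-CAfile` line, `$GUIX_ENVIRONMENT` is expanded without a guard, so an empty value turns the path into `/etc/ssl/certs/ca-certificates.crt` and the post-attach verification would run against the host trust store instead of the one from the manifest. Unless the script already aborts on unset variables (not visible in this hunk), consider `${GUIX_ENVIRONMENT:?}` here, or a readability test on the bundle before the loop, so that a missing nss-certs fails with a clear message rather than an osslsigncode verification error.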
    12diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
    13index 3519ec4b2b..85e3213ff9 100644
    14--- a/contrib/guix/manifest.scm
    15+++ b/contrib/guix/manifest.scm
    16@@ -601,7 +601,8 @@ inspecting signatures in Mach-O binaries.")
    17            (list zip
    18                  (make-mingw-pthreads-cross-toolchain "x86_64-w64-mingw32")
    19                  (make-nsis-for-gcc-10 nsis-x86_64)
    20-                 osslsigncode))
    21+                 osslsigncode
    22+                 nss-certs))
    23           ((string-contains target "-linux-")
    24            (list (make-bitcoin-cross-toolchain target)))
    25           ((string-contains target "darwin")
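    Review bot: `nss-certs` is appended to the mingw package list with no comment explaining why a CA bundle belongs among the Windows toolchain inputs. A one-line comment beside it, saying that it supplies the `ca-certificates.crt` passed to `osslsigncode attach-signature -CAfile` in codesign.sh, would keep it from being dropped as unused later. It is also worth stating in the commit message that the trust anchors used for this verification now follow the nss-certs version in the environment.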
    
  9. guix: use osslsigncode 2.5
    Co-authored-by: Andrew Chow <github@achow101.com>
    285edfadca
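The CA bundle requirement from achow101's comment above, as a preflight check. This is an added example, not code from bitcoin/bitcoin: the function names `ca_bundle_path` and `attach_signature_checked` are hypothetical, and only the osslsigncode options already shown in the diff are used.

```shell
#!/bin/sh
# Added example, not part of bitcoin/bitcoin. Function names are hypothetical.

# Print the CA bundle path inside the Guix environment, or fail with a reason.
ca_bundle_path() {
    # With GUIX_ENVIRONMENT empty, "$GUIX_ENVIRONMENT/etc/ssl/..." would
    # silently resolve to the host's /etc/ssl trust store.
    if [ -z "${GUIX_ENVIRONMENT:-}" ]; then
        echo "GUIX_ENVIRONMENT is not set" >&2
        return 2
    fi
    bundle="$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt"
    if [ ! -r "$bundle" ]; then
        echo "no CA bundle at $bundle (nss-certs missing from manifest?)" >&2
        return 3
    fi
    # A usable bundle has at least one PEM block and balanced BEGIN/END lines.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "malformed CA bundle: $begins BEGIN / $ends END lines" >&2
        return 4
    fi
    printf '%s\n' "$bundle"
}

# Attach a detached signature, passing the checked bundle via -CAfile.
# Arguments: unsigned input, signed output, detached signature (.pem).
attach_signature_checked() {
    cafile=$(ca_bundle_path) || return $?
    osslsigncode attach-signature \
        -in "$1" \
        -out "$2" \
        -CAfile "$cafile" \
        -sigin "$3"
}
```

Each failure mode has its own exit status (2, 3, 4), so a calling script can tell an environment problem apart from a signature that genuinely failed verification.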
  10. fanquake force-pushed on Mar 12, 2023
  11. fanquake commented at 6:39 pm on March 12, 2023: member
    @achow101 thanks for taking a look. Rebased, and pulled your changes in here, for further testing.
  12. fanquake commented at 7:02 pm on March 12, 2023: member
    c1471783bd078d094d886dc010ba6798c6d6abbd3b5329d7ce0ff3df05a3bcd9  guix-build-285edfadcacd/output/dist-archive/bitcoin-285edfadcacd.tar.gz
    151e208ad965f1c89dda0ea01cff659930cdce060e1fc32e7db474fe5814a4a1  guix-build-285edfadcacd/output/x86_64-w64-mingw32/SHA256SUMS.part
    d83fb0326d5c195d32a3243d494c34b6d0810c0aa36e174ff0d1eb1664f40413  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-debug.zip
    6f557b84042874ffbb6755cd279b3e45fa16b89eece12f8c3ab2546d4222c129  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-setup-unsigned.exe
    bb7e6579f81289046922b183676fa8e38502a19f61e3ad80969143ebdc602896  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-unsigned.tar.gz
    c87d623f93ff8995cc84e19af5a8195aa4b97c6c8c59bf37bc4f7c347ed69601  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64.zip
    
  13. achow101 commented at 6:50 pm on March 14, 2023: member

    ACK 285edfadcacde4921c0afa2092c613daf21a55aa

    c1471783bd078d094d886dc010ba6798c6d6abbd3b5329d7ce0ff3df05a3bcd9  guix-build-285edfadcacd/output/dist-archive/bitcoin-285edfadcacd.tar.gz
    151e208ad965f1c89dda0ea01cff659930cdce060e1fc32e7db474fe5814a4a1  guix-build-285edfadcacd/output/x86_64-w64-mingw32/SHA256SUMS.part
    d83fb0326d5c195d32a3243d494c34b6d0810c0aa36e174ff0d1eb1664f40413  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-debug.zip
    6f557b84042874ffbb6755cd279b3e45fa16b89eece12f8c3ab2546d4222c129  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-setup-unsigned.exe
    bb7e6579f81289046922b183676fa8e38502a19f61e3ad80969143ebdc602896  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-unsigned.tar.gz
    c87d623f93ff8995cc84e19af5a8195aa4b97c6c8c59bf37bc4f7c347ed69601  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64.zip
    
  14. fanquake marked this as ready for review on Mar 14, 2023
  15. fanquake requested review from TheCharlatan on Mar 17, 2023
  16. achow101 merged this on Mar 20, 2023
  17. achow101 closed this on Mar 20, 2023

  18. fanquake deleted the branch on Mar 20, 2023
  19. sidhujag referenced this in commit 6c0dc0141e on Mar 20, 2023
  20. PastaPastaPasta referenced this in commit ed7965547c on Jan 14, 2024
  21. PastaPastaPasta referenced this in commit 334aede583 on Jan 16, 2024
  22. PastaPastaPasta referenced this in commit 2d01233451 on Jan 19, 2024
  23. PastaPastaPasta referenced this in commit 1568a5dedc on Jan 24, 2024
  24. Fabcien referenced this in commit 2ee8d556d6 on Jan 31, 2024
  25. bitcoin locked this on Mar 19, 2024

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-30 00:12 UTC