guix: use osslsigncode 2.5 #27179

fanquake commented at 5:46 PM on February 28, 2023: member

Switches to using a newer version of osslsigncode in our Guix environment.

achow101 can you test this with some sort of WIndows code-signing dry-run (no-rush).

fanquake added the label DrahtBot Guix build requested on Feb 28, 2023

DrahtBot commented at 5:46 PM on February 28, 2023: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	achow101

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

DrahtBot commented at 5:30 PM on March 1, 2023: contributor

Guix builds

File	commit cb40639bdf04bab31bcdceb3bf941e9bade8317a<br>(master)	commit b916631ef55a975f35ea2e19de8c6f1bb6410198<br>(master and this pull)
SHA256SUMS.part	`1f98b2497a6ec02e...`	`cfbcaec7d82c86b6...`
*-aarch64-linux-gnu-debug.tar.gz	`1902ccb3c39be2bc...`	`3aa3ecc8b75367f3...`
*-aarch64-linux-gnu.tar.gz	`9197db5573aa7f24...`	`3e3d0987ca97c0eb...`
*-arm-linux-gnueabihf-debug.tar.gz	`24062019d97d8068...`	`7439983bed89af78...`
*-arm-linux-gnueabihf.tar.gz	`f3c55ddede20053e...`	`b22b8bf87f048635...`
*-arm64-apple-darwin-unsigned.dmg	`e0adc801c7948950...`	`f27657e873eca36d...`
*-arm64-apple-darwin-unsigned.tar.gz	`8ecebc800639c98b...`	`fa4d93876eb4b53f...`
*-arm64-apple-darwin.tar.gz	`3e7650305f1ee6de...`	`59c0ec3bf6df5bff...`
*-powerpc64-linux-gnu-debug.tar.gz	`61a2f488bfd51c02...`	`d226beed92f59c6b...`
*-powerpc64-linux-gnu.tar.gz	`c0c628d23b289427...`	`c55cf03f445e18ca...`
*-powerpc64le-linux-gnu-debug.tar.gz	`ca484c0a31498d11...`	`945f01e6c6d139a6...`
*-powerpc64le-linux-gnu.tar.gz	`b82513487c288cd8...`	`5e7f0a28b9ede3f3...`
*-riscv64-linux-gnu-debug.tar.gz	`11e5ca68055073c7...`	`987d893edb83b5fb...`
*-riscv64-linux-gnu.tar.gz	`74a27cd4dc1809b2...`	`785a6039adba70fb...`
*-win64-debug.zip	`0c4e964b0f9bb588...`	`031ea84026b7c44f...`
*-win64-setup-unsigned.exe	`e3500a72399fb86d...`	`e4f94457168d1fda...`
*-win64-unsigned.tar.gz	`842b81ed521f686a...`	`b4d3610752604596...`
*-win64.zip	`37674411794a4bac...`	`7b126c84b816712f...`
*-x86_64-apple-darwin-unsigned.dmg	`f779fe36a09854b1...`	`d8eced81c09e7005...`
*-x86_64-apple-darwin-unsigned.tar.gz	`cf57254479adb0de...`	`50520ecd9bb8a990...`
*-x86_64-apple-darwin.tar.gz	`d02b880b57fa7b61...`	`2fe7c4b331f785f8...`
*-x86_64-linux-gnu-debug.tar.gz	`c8d45d6ceae08c1b...`	`aaa1ab2eb0e4d7b4...`
*-x86_64-linux-gnu.tar.gz	`05270dd05b1e676a...`	`61568ea4c863f6ed...`
*.tar.gz	`17cf9f1aac1f9c17...`	`93a652b01e83fb32...`
guix_build.log	`fcd590117ad42b3e...`	`612dfeb1ff2f365d...`
guix_build.log.diff		`ed30a2ab2db35dac...`

DrahtBot removed the label DrahtBot Guix build requested on Mar 1, 2023

DrahtBot added the label Build system on Mar 1, 2023

fanquake force-pushed on Mar 1, 2023

achow101 commented at 6:59 PM on March 10, 2023: member

It appears that osslsigncode has been updated to do more verification of the signature after applying it. It now requires having a CA bundle which is not currently present in our environment. The package nss-certs provides these, and the option -CAfile needs to be given in order for osslsigncode to find the certs. The following diff resolves these issues.

diff --git a/contrib/guix/libexec/codesign.sh b/contrib/guix/libexec/codesign.sh
index f6322d761c..6ffa0f07b2 100755
--- a/contrib/guix/libexec/codesign.sh
+++ b/contrib/guix/libexec/codesign.sh
@@ -77,6 +77,7 @@ mkdir -p "$DISTSRC"
                 osslsigncode attach-signature \
                                  -in "$infile" \
                                  -out "${OUTDIR}/${infile_base/-unsigned}" \
+                                 -CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" \
                                  -sigin codesignatures/win/"$infile_base".pem
             done
             ;;
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index 3519ec4b2b..85e3213ff9 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -601,7 +601,8 @@ inspecting signatures in Mach-O binaries.")
            (list zip
                  (make-mingw-pthreads-cross-toolchain "x86_64-w64-mingw32")
                  (make-nsis-for-gcc-10 nsis-x86_64)
-                 osslsigncode))
+                 osslsigncode
+                 nss-certs))
           ((string-contains target "-linux-")
            (list (make-bitcoin-cross-toolchain target)))
           ((string-contains target "darwin")

guix: use osslsigncode 2.5

Co-authored-by: Andrew Chow <github@achow101.com>

285edfadca

fanquake force-pushed on Mar 12, 2023

fanquake commented at 6:39 PM on March 12, 2023: member

@achow101 thanks for taking a look. Rebased, and pulled your changes in here, for further testing.

fanquake commented at 7:02 PM on March 12, 2023: member

c1471783bd078d094d886dc010ba6798c6d6abbd3b5329d7ce0ff3df05a3bcd9  guix-build-285edfadcacd/output/dist-archive/bitcoin-285edfadcacd.tar.gz
151e208ad965f1c89dda0ea01cff659930cdce060e1fc32e7db474fe5814a4a1  guix-build-285edfadcacd/output/x86_64-w64-mingw32/SHA256SUMS.part
d83fb0326d5c195d32a3243d494c34b6d0810c0aa36e174ff0d1eb1664f40413  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-debug.zip
6f557b84042874ffbb6755cd279b3e45fa16b89eece12f8c3ab2546d4222c129  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-setup-unsigned.exe
bb7e6579f81289046922b183676fa8e38502a19f61e3ad80969143ebdc602896  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-unsigned.tar.gz
c87d623f93ff8995cc84e19af5a8195aa4b97c6c8c59bf37bc4f7c347ed69601  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64.zip

achow101 commented at 6:50 PM on March 14, 2023: member

ACK 285edfadcacde4921c0afa2092c613daf21a55aa

c1471783bd078d094d886dc010ba6798c6d6abbd3b5329d7ce0ff3df05a3bcd9  guix-build-285edfadcacd/output/dist-archive/bitcoin-285edfadcacd.tar.gz
151e208ad965f1c89dda0ea01cff659930cdce060e1fc32e7db474fe5814a4a1  guix-build-285edfadcacd/output/x86_64-w64-mingw32/SHA256SUMS.part
d83fb0326d5c195d32a3243d494c34b6d0810c0aa36e174ff0d1eb1664f40413  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-debug.zip
6f557b84042874ffbb6755cd279b3e45fa16b89eece12f8c3ab2546d4222c129  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-setup-unsigned.exe
bb7e6579f81289046922b183676fa8e38502a19f61e3ad80969143ebdc602896  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-unsigned.tar.gz
c87d623f93ff8995cc84e19af5a8195aa4b97c6c8c59bf37bc4f7c347ed69601  guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64.zip

fanquake marked this as ready for review on Mar 14, 2023

fanquake requested review from TheCharlatan on Mar 17, 2023

achow101 merged this on Mar 20, 2023

achow101 closed this on Mar 20, 2023

fanquake deleted the branch on Mar 20, 2023

sidhujag referenced this in commit 6c0dc0141e on Mar 20, 2023

PastaPastaPasta referenced this in commit ed7965547c on Jan 14, 2024

PastaPastaPasta referenced this in commit 334aede583 on Jan 16, 2024

PastaPastaPasta referenced this in commit 2d01233451 on Jan 19, 2024

PastaPastaPasta referenced this in commit 1568a5dedc on Jan 24, 2024

Fabcien referenced this in commit 2ee8d556d6 on Jan 31, 2024

bitcoin locked this on Mar 19, 2024