cmake: Add application manifests when cross-compiling for Windows #32396

pull hebasto wants to merge 2 commits into bitcoin:master from hebasto:250501-app-manifest changing 6 files +62 −2
  1. hebasto commented at 3:28 pm on May 1, 2025: member

    Windows application manifests provide several benefits—such as enhanced security settings, and the ability to set a process-wide code page (required for #32380), as well as granular control over supported Windows versions. Most of these benefits lie beyond the scope of this PR and will be evaluated separately.

    On the current master branch @ fc6346dbc8dc3db40aad4079210332b5f8b332ed, the linker generates and embeds a manifest only when building with MSVC:

    0<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
1<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
2  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
3    <security>
4      <requestedPrivileges>
5        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
6      </requestedPrivileges>
7    </security>
8  </trustInfo>
9</assembly>

    However, this manifest fails validation:

    0> mt.exe -nologo -inputresource:build\bin\Release\bitcoind.exe -validate_manifest
1
2mt.exe : general error 10100ba: The manifest is missing the definition identity.

    This PR unifies manifest embedding for both native and cross-compilation builds.

    Here is the change in the manifest on Windows:

    0--- bitcoind-master.manifest
1+++ bitcoind-pr.manifest
2@@ -1,5 +1,6 @@
3 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
4 <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
5+  <assemblyIdentity type="win32" name="org.bitcoincore.bitcoind" version="29.99.0.0"></assemblyIdentity>
6   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
7     <security>
8       <requestedPrivileges>

    which effectively resolves the “missing the definition identity” error.

    Finally, “Get bitcoind manifest” steps have been added to the Windows CI jobs to ensure the manifest is embedded and validated.

  2. cmake: Add application manifests when cross-compiling for Windows 
    Windows application manifests provide several benefits. However, on the
master branch, the linker generates and embeds manifests only when
building with MSVC.

This change unifies manifest embedding for both native and
cross-compilation.
    aae78531fe
  3. ci: Add "Get bitcoind manifest" steps to Windows CI jobs 
    This change makes it easy to verify any changes in the application
manifests.
    665b2ba999
  4. hebasto added the label Windows on May 1, 2025
  5. hebasto added the label Build system on May 1, 2025
  6. DrahtBot commented at 3:28 pm on May 1, 2025: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32396.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    Concept ACK laanwj

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  7. laanwj commented at 7:35 pm on May 2, 2025: member
    Concept ACK
  8. hebasto commented at 8:05 pm on May 2, 2025: member

    My Guix build:

    050de79d47cf8e15acd94d189a88423a89003e287c0e30978d45cb13a478a8a7c  guix-build-665b2ba99955/output/dist-archive/bitcoin-665b2ba99955.tar.gz
1edae04ce1b66195e3afb9fcdd399719e20085c0d42e55f30a17fd8d1b972b798  guix-build-665b2ba99955/output/x86_64-w64-mingw32/SHA256SUMS.part
233dfd8539f6dae306a7ee3f8ff2c6e4eafe8d7740a76629767fb4f4601c9c61c  guix-build-665b2ba99955/output/x86_64-w64-mingw32/bitcoin-665b2ba99955-win64-codesigning.tar.gz
39acd0edc19836d7aeed0e776d69795b8d27f78df3c1282a615e074a31e46fd93  guix-build-665b2ba99955/output/x86_64-w64-mingw32/bitcoin-665b2ba99955-win64-debug.zip
4daa1472c667d009835420e9d42edb09ee9d56e7912d622e29d20d641d0ce81b5  guix-build-665b2ba99955/output/x86_64-w64-mingw32/bitcoin-665b2ba99955-win64-setup-unsigned.exe
5df4c74e83e6159e02e06934f21f67aabaddd2f3d449cffe5c4a4fe323ff984fe  guix-build-665b2ba99955/output/x86_64-w64-mingw32/bitcoin-665b2ba99955-win64-unsigned.zip
  9. maflcko added the label DrahtBot Guix build requested on May 4, 2025
  10. DrahtBot commented at 11:01 pm on May 4, 2025: contributor

    Guix builds (on x86_64) [untrusted test-only build, possibly unsafe, not for production use]

    File commit eba5f9c4b63fe46261fbb3e71b9a94832d105b23(master) commit 03bf9426ca2d85a238edd479f0fca43b7d724347(pull/32396/merge)
    *-aarch64-linux-gnu-debug.tar.gz dd18c4706ae0a247... 22fd911cdca5f23f...
    *-aarch64-linux-gnu.tar.gz 4216933d26250c15... 56d3516964cb838e...
    *-arm-linux-gnueabihf-debug.tar.gz f972e0bd2981ac67... b6bbdf3a12f4d3d1...
    *-arm-linux-gnueabihf.tar.gz 3ca06111b5a591e8... f23cd5718708fd92...
    *-arm64-apple-darwin-codesigning.tar.gz 8a9c416ffe2e3d36... 4c35272ed40b015a...
    *-arm64-apple-darwin-unsigned.tar.gz 216c1a1f68356c92... 3f081d62c74d64ab...
    *-arm64-apple-darwin-unsigned.zip 1f4d27d16e6c3eea... 2248ccfb6a320e5b...
    *-powerpc64-linux-gnu-debug.tar.gz 8900b88ab21f9f48... 22879bf8fc16e965...
    *-powerpc64-linux-gnu.tar.gz c7ed6137d21d3e52... 0720ff99a9b101c7...
    *-riscv64-linux-gnu-debug.tar.gz aad7744d23e2a136... ff235a2fca38f416...
    *-riscv64-linux-gnu.tar.gz d49be6063aa6a124... a73b612d564072ad...
    *-x86_64-apple-darwin-codesigning.tar.gz c8973dacfc9e519c... 2b838a9c81c72f9a...
    *-x86_64-apple-darwin-unsigned.tar.gz 9ca6afb860f0b246... 0396b321579258d3...
    *-x86_64-apple-darwin-unsigned.zip a364bd58765172cc... bd56b96ce917e383...
    *-x86_64-linux-gnu-debug.tar.gz c11030172812a7c1... fd027bd4898a0824...
    *-x86_64-linux-gnu.tar.gz f288901ecf194ab8... ebe6647276375d7c...
    *.tar.gz 82d1cd8e8b352d6b... 20f3b6dcebbb7510...
    SHA256SUMS.part a0c3bbbfdd25fd25... 11507f51e80138ba...
    guix_build.log 61a3fea347bc8654... 9c91effb71754bb2...
    guix_build.log.diff f9e5c44297d7a800...
  11. DrahtBot removed the label DrahtBot Guix build requested on May 4, 2025
  12. in .github/workflows/ci.yml:244 in 665b2ba999 
    236@@ -237,6 +237,15 @@ jobs:
237         run: |
238           cmake --build . -j $NUMBER_OF_PROCESSORS --config Release
239 
240+      - name: Get bitcoind manifest
241+        if: matrix.job-type == 'standard'
242+        working-directory: build
243+        run: |
244+          mt.exe -nologo -inputresource:bin/Release/bitcoind.exe -out:bitcoind.manifest
    laanwj commented at 10:39 am on May 5, 2025:
    Should it be checking all the manifests or is just checking bitcoind.exe’s enough?
    hebasto commented at 11:48 am on May 5, 2025:
    Since we use the same CMake function to embed the manifest for all executables, I believe checking just one of them in CI is sufficient.
  13. laanwj commented at 10:40 am on May 5, 2025: member
    We might also want to add a check for correct manifests to the symbols / security checks in the guix build. No idea if LIEF makes this easy or not (will look into it).


hebasto DrahtBot laanwj

Labels
Windows Build system

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-05-05 12:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me