[28.x] Backport #31407 #32563
fanquake wants to merge 11 commits into bitcoin:28.x from fanquake:backport_codesigning, changing 7 files (+144 −75)
-
fanquake commented at 12:46 pm on May 19, 2025: member
-
fanquake added this to the milestone 28.2 on May 19, 2025
-
DrahtBot commented at 12:46 pm on May 19, 2025: contributor
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
Code Coverage & Benchmarks
For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32563.
Reviews
See the guideline for information on the review process.
Type: ACK
Reviewers: pinheadmz
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.
-
DrahtBot added the label Backport on May 19, 2025
-
pinheadmz commented at 1:18 pm on May 19, 2025: member
Concept ACK, starting guix build of this branch and will try to codesign with certificate
-
DrahtBot added the label CI failed on May 19, 2025
-
pinheadmz commented at 2:50 pm on May 19, 2025: member
codesigning hung forever at one point. I SIGINT it and got a possibly helpful error:
    --> ./detached-sig-create.sh <redacted>
    WARNING: Part of the file was not parsed: 37803 bytes
    Enter the passphrase for <redacted>:
    Enter the passphrase for <redacted>:
    WARNING: Part of the file was not parsed: 37803 bytes
    Code signature created
    WARNING: Part of the file was not parsed: 37803 bytes
    WARNING: Part of the file was not parsed: 37803 bytes
    Code signature applied
    WARNING: Part of the file was not parsed: 37803 bytes
    Code signature is valid
    Notarization ID: 3d941711-8e4b-473c-b504-02f5348a0176
    Uploading...
    Polling notarization status
    Polling notarization status
    Polling notarization status
    Polling notarization status
    Polling notarization status
    WARNING: Part of the file was not parsed: 37803 bytes
    Stapling
    Notarization stapled to bundle

    ^C

    Traceback (most recent call last):
      File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1815, in write
        shutil.copyfileobj(src, dest, 1024*8)
      File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/shutil.py", line 200, in copyfileobj
        fdst_write(buf)
      File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1178, in write
        data = self._compressor.compress(data)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    KeyboardInterrupt

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/opt/homebrew/bin/signapple", line 8, in <module>
        sys.exit(main())
                 ^^^^^^
      File "/Users/matthewzipkin/Desktop/work/signapple/signapple/__init__.py", line 192, in main
        args.func(args)
      File "/Users/matthewzipkin/Desktop/work/signapple/signapple/__init__.py", line 52, in do_notarize
        notarize(
      File "/Users/matthewzipkin/Desktop/work/signapple/signapple/notarize.py", line 345, in notarize
        _submit_for_notarization(
      File "/Users/matthewzipkin/Desktop/work/signapple/signapple/notarize.py", line 292, in _submit_for_notarization
        zipped = shutil.make_archive(
                 ^^^^^^^^^^^^^^^^^^^^
      File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/shutil.py", line 1165, in make_archive
        filename = func(base_name, base_dir, **kwargs)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/shutil.py", line 1046, in _make_zipfile
        zf.write(path, arcname)
      File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1814, in write
        with open(filename, "rb") as src, self.open(zinfo, 'w') as dest:
      File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1201, in close
        raise RuntimeError("File size too large, try using force_zip64")
    RuntimeError: File size too large, try using force_zip64
-
guix: Rename unsigned.tar.gz to codesigning.tar.gz
The tarballs used for codesigning are more than merely unsigned, they also contain scripts and other data for codesigning. Rename them to codesigning.tar.gz to distinguish from tarballs containing actually just the unsigned binaries.
Github-Pull: #31407
Rebased-From: c214e5268fa9322a83cbba6d47d33f830efdd89e
-
guix: Rename MacOS binaries to unsigned.tar.gz
The MacOS binaries are unsigned and therefore also unusable on MacOS. Indicate as such by naming the tarball "unsigned".
Github-Pull: #31407
Rebased-From: d9d49cd533bd430776c0cbe2fd666ffec3e6637b
-
guix: Rename Windows unsigned binaries to unsigned.zip
As codesigned binaries will be published, the unsigned ones should be clearly marked as such.
Github-Pull: #31407
Rebased-From: 4e5c9ceb9dd5a6ad8eea689d916a632e4d482812
-
fanquake force-pushed on May 30, 2025
-
pinheadmz commented at 3:04 pm on May 31, 2025: member
Should I try to build and sign again? Recent just looks like a repository change.
-
fanquake commented at 3:08 pm on May 31, 2025: member
Yea, just a rebase on the Guix repo change. If you don’t mind building again, that’d be great. Can debug.
-
pinheadmz commented at 4:46 pm on May 31, 2025: member
same issue,
RuntimeError: File size too large, try using force_zip64
-
build: Include all MacOS binaries for codesigning
Github-Pull: #31407
Rebased-From: dd4ec840eeb468e94cfc9e3c72cfbfd6704dc0da
-
build: Include all Windows binaries for codesigning
Github-Pull: #31407
Rebased-From: e8b3c44da6e060464970717bbd0a5bf84867b82c
-
guix: Update signapple
Github-Pull: #31407
Rebased-From: 710d5b5149d0bc36d2643281d81f8f9b0c51b480
-
contrib: Sign and notarize all MacOS binaries
Signapple has been updated to sign individual binaries, and notarize app bundles and binaries. When codesigning, all individual binaries will be codesigned, and both the app bundle and individual binaries will be notarized.
Github-Pull: #31407
Rebased-From: 31d325464d0cf2d06888e0c543ae26a944f2ec6b
-
guix: Apply codesignatures to all MacOS binaries
Github-Pull: #31407
Rebased-From: aafbd23fd97ac242f7f83e5f0fff20044176e126
-
guix: Apply all codesignatures to Windows binaries
Github-Pull: #31407
Rebased-From: e181bda061ca63021511be6e286fdf6a5818df49
-
doc: remove note about macOS self-signing
Followup to #31407.
Github-Pull: #32003
Rebased-From: c873ab6f23e027af1c5837256ce3c9eccaf409cb
-
doc: update release-notes.md b1f694fce2
-
in contrib/macdeploy/detached-sig-create.sh:47 in 0ce4a9d443 outdated
51+${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${cs_key_pass}" "$1" "${UNSIGNED_BUNDLE}" 52+${SIGNAPPLE} apply "${UNSIGNED_BUNDLE}" "${OUTROOT}/${BUNDLE_ROOT}/${BUNDLE_NAME}" 53+${SIGNAPPLE} notarize --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${api_key_pass}" "$2" "$3" "${UNSIGNED_BUNDLE}" 54+ 55+# Sign each binary 56+find . -maxdepth 3 -wholename "*/bin/*" -type f -exec realpath --relative-to=. {} \; | while read -r bin
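Review bot: The `find . -maxdepth 3 -wholename "*/bin/*"` loop under "# Sign each binary" depends on how deep the `bin/` directory sits below the working directory, and when the layout differs nothing matches and the loop signs zero binaries without reporting an error. Consider counting the matched files and failing when the count is zero, and reading with `while IFS= read -r bin` so paths with leading or trailing whitespace reach the signer unaltered. Separately, the `sign` and `notarize` lines pass `--passphrase "${cs_key_pass}"` and `--passphrase "${api_key_pass}"` as command-line arguments, which makes both secrets visible in the process list for the duration of each call; a comment in the script on why that is acceptable on the signing machine, or a different way of handing them over if signapple supports one, would help.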
pinheadmz commented at 11:41 pm on June 1, 2025:
By contrast, the 29.0 codesigning tar had ./bitcoin-29.0/bin/
-
fanquake force-pushed on Jun 2, 2025
-
fanquake marked this as ready for review on Jun 2, 2025
-
pinheadmz commented at 3:17 pm on June 2, 2025: member
I think all macos signing is working now.
Detached sigs for this commit: https://github.com/pinheadmz/bitcoin-detached-sigs/tree/fanquake-backport_codesigning-b1f694fce2
Tested signed binaries on macos/arm64:
    --> ./bitcoind --version
    Bitcoin Core version v28.2.0rc1
    Copyright (C) 2009-2025 The Bitcoin Core developers
codesigned guix builds SHASUMS:
-
pinheadmz approved
-
pinheadmz commented at 3:17 pm on June 2, 2025: member
ACK b1f694fce276d68a5b983c187a4efbb231d83f79
pinheadmz’s public key is on openpgp.org
-
fanquake requested review from achow101 on Jun 2, 2025
-
fanquake merged this on Jun 5, 2025
-
fanquake closed this on Jun 5, 2025
-
fanquake deleted the branch on Jun 5, 2025
This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-06-09 12:13 UTC