[28.x] Backport #31407 #32563

pull fanquake wants to merge 11 commits into bitcoin:28.x from fanquake:backport_codesigning changing 7 files +144 −75
  1. fanquake commented at 12:46 pm on May 19, 2025: member
    Backports #31407 + #32003.
  2. fanquake added this to the milestone 28.2 on May 19, 2025
  3. DrahtBot commented at 12:46 pm on May 19, 2025: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32563.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK pinheadmz

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  4. DrahtBot added the label Backport on May 19, 2025
  5. pinheadmz commented at 1:18 pm on May 19, 2025: member
    Concept ACK, starting guix build of this branch and will try to codesign with certificate
  6. DrahtBot added the label CI failed on May 19, 2025
  7. pinheadmz commented at 2:50 pm on May 19, 2025: member

    codesigning hung forever at one point. I SIGINT it and got a possibly helpful error:

     0--> ./detached-sig-create.sh <redacted>
 1WARNING: Part of the file was not parsed: 37803 bytes
 2Enter the passphrase for <redacted>:
 3Enter the passphrase for <redacted>:
 4WARNING: Part of the file was not parsed: 37803 bytes
 5Code signature created
 6WARNING: Part of the file was not parsed: 37803 bytes
 7WARNING: Part of the file was not parsed: 37803 bytes
 8Code signature applied
 9WARNING: Part of the file was not parsed: 37803 bytes
10Code signature is valid
11Notarization ID: 3d941711-8e4b-473c-b504-02f5348a0176
12Uploading...
13Polling notarization status
14Polling notarization status
15Polling notarization status
16Polling notarization status
17Polling notarization status
18WARNING: Part of the file was not parsed: 37803 bytes
19Stapling
20Notarization stapled to bundle
21
22^C
23
24Traceback (most recent call last):
25  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1815, in write
26    shutil.copyfileobj(src, dest, 1024*8)
27  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/shutil.py", line 200, in copyfileobj
28    fdst_write(buf)
29  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1178, in write
30    data = self._compressor.compress(data)
31           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
32KeyboardInterrupt
33
34During handling of the above exception, another exception occurred:
35
36Traceback (most recent call last):
37  File "/opt/homebrew/bin/signapple", line 8, in <module>
38    sys.exit(main())
39             ^^^^^^
40  File "/Users/matthewzipkin/Desktop/work/signapple/signapple/__init__.py", line 192, in main
41    args.func(args)
42  File "/Users/matthewzipkin/Desktop/work/signapple/signapple/__init__.py", line 52, in do_notarize
43    notarize(
44  File "/Users/matthewzipkin/Desktop/work/signapple/signapple/notarize.py", line 345, in notarize
45    _submit_for_notarization(
46  File "/Users/matthewzipkin/Desktop/work/signapple/signapple/notarize.py", line 292, in _submit_for_notarization
47    zipped = shutil.make_archive(
48             ^^^^^^^^^^^^^^^^^^^^
49  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/shutil.py", line 1165, in make_archive
50    filename = func(base_name, base_dir, **kwargs)
51               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
52  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/shutil.py", line 1046, in _make_zipfile
53    zf.write(path, arcname)
54  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1814, in write
55    with open(filename, "rb") as src, self.open(zinfo, 'w') as dest:
56  File "/opt/homebrew/Cellar/python@3.11/3.11.11/Frameworks/Python.framework/Versions/3.11/lib/python3.11/zipfile.py", line 1201, in close
57    raise RuntimeError("File size too large, try using force_zip64")
58RuntimeError: File size too large, try using force_zip64
  8. guix: Rename unsigned.tar.gz to codesigning.tar.gz 
    The tarballs used for codesigning are more than merely unsigned, they
also contain scripts and other data for codesigning. Rename them to
codesigning.tar.gz to distinguish from tarballs containing actually just
the unsigned binaries.

Github-Pull: #31407
Rebased-From: c214e5268fa9322a83cbba6d47d33f830efdd89e
    00b401c648
  9. guix: Rename MacOS binaries to unsigned.tar.gz 
    The MacOS binaries are unsigned and therefore also unusable on MacOS.
Indicate as such by naming the tarball "unsigned".

Github-Pull: #31407
Rebased-From: d9d49cd533bd430776c0cbe2fd666ffec3e6637b
    9f0ee1cc9b
  10. guix: Rename Windows unsigned binaries to unsigned.zip 
    As codesigned binaries will be published, the unsigned ones should be
clearly marked as such.

Github-Pull: #31407
Rebased-From: 4e5c9ceb9dd5a6ad8eea689d916a632e4d482812
    2c21db657f
  11. fanquake force-pushed on May 30, 2025
  12. pinheadmz commented at 3:04 pm on May 31, 2025: member
    Should I try to build and sign again? Recent just looks like a repository change.
  13. fanquake commented at 3:08 pm on May 31, 2025: member
    Yea, just a rebase on the Guix repo change. If you don’t mind building again, that’d be great. Can debug.
  14. pinheadmz commented at 4:46 pm on May 31, 2025: member
    same issue, RuntimeError: File size too large, try using force_zip64
  15. build: Include all MacOS binaries for codesigning 
    Github-Pull: #31407
Rebased-From: dd4ec840eeb468e94cfc9e3c72cfbfd6704dc0da
    ac2b6083ba
  16. build: Include all Windows binaries for codesigning 
    Github-Pull: #31407
Rebased-From: e8b3c44da6e060464970717bbd0a5bf84867b82c
    2b279a2138
  17. guix: Update signapple 
    Github-Pull: #31407
Rebased-From: 710d5b5149d0bc36d2643281d81f8f9b0c51b480
    0bd5cb7ac4
  18. contrib: Sign and notarize all MacOS binaries 
    Signapple has been updated to sign individual binaries, and notarize app
bundles and binaries. When codesigning, all individual binaries will be
codesigned, and both the app bundle and individual binaries will be
notarized.

Github-Pull: #31407
Rebased-From: 31d325464d0cf2d06888e0c543ae26a944f2ec6b
    c60055c637
  19. guix: Apply codesignatures to all MacOS binaries 
    Github-Pull: #31407
Rebased-From: aafbd23fd97ac242f7f83e5f0fff20044176e126
    812cadefa2
  20. guix: Apply all codesignatures to Windows binaries 
    Github-Pull: #31407
Rebased-From: e181bda061ca63021511be6e286fdf6a5818df49
    744b1c8581
  21. doc: remove note about macOS self-signing 
    Followup to #31407.

Github-Pull: #32003
Rebased-From: c873ab6f23e027af1c5837256ce3c9eccaf409cb
    52f09633d0
  22. doc: update release-notes.md b1f694fce2
  23. in contrib/macdeploy/detached-sig-create.sh:47 in 0ce4a9d443 outdated 
    51+${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${cs_key_pass}" "$1" "${UNSIGNED_BUNDLE}"
52+${SIGNAPPLE} apply "${UNSIGNED_BUNDLE}" "${OUTROOT}/${BUNDLE_ROOT}/${BUNDLE_NAME}"
53+${SIGNAPPLE} notarize --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${api_key_pass}" "$2" "$3" "${UNSIGNED_BUNDLE}"
54+
55+# Sign each binary
56+find . -maxdepth 3 -wholename "*/bin/*" -type f -exec realpath --relative-to=. {} \; | while read -r bin
    pinheadmz commented at 11:07 pm on June 1, 2025:
    This is the issue maybe? Is #31161 merged into 28.x at this point? There isn’t a bin/ directory codesigning.tar.gz archive, just a dist/
    pinheadmz commented at 11:41 pm on June 1, 2025:
    By contrast, the 29.0 codesigning tar had ./bitcoin-29.0/bin/
    fanquake commented at 9:21 am on June 2, 2025:
    Thanks, is should be fixed now. It’s unrelated to #31161, was a bad cherry-pick fixup by me.
  24. fanquake force-pushed on Jun 2, 2025
  25. fanquake marked this as ready for review on Jun 2, 2025
  26. pinheadmz commented at 3:17 pm on June 2, 2025: member

    I think all macos signing is working now.

    Detached sigs for this commit: https://github.com/pinheadmz/bitcoin-detached-sigs/tree/fanquake-backport_codesigning-b1f694fce2

    Tested signed binaries on macos/arm64:

    0--> ./bitcoind --version
1Bitcoin Core version v28.2.0rc1
2Copyright (C) 2009-2025 The Bitcoin Core developers

    codesigned guix builds SHASUMS:

    030af3e1bbfa4a3f891c2e62887aa8ef5be3cf1bf7d0029f2b1b2ba30886791c6  arm64-apple-darwin-codesigned/bitcoin-b1f694fce276-arm64-apple-darwin.tar.gz
10120313d6bc0e7a93a9df1507a2c5838183cd1d8ec7f0ac5e82e2ad5260770f8  arm64-apple-darwin-codesigned/bitcoin-b1f694fce276-arm64-apple-darwin.zip
23c3612cb3419940be1b19adad354169c913d2cb8fd3431addce6bbeab0e35892  arm64-apple-darwin/bitcoin-b1f694fce276-arm64-apple-darwin-codesigning.tar.gz
339125b89de8903cf111df70abe5f2d9874fcc98f3dd234f4c202e9d59057ca48  dist-archive/bitcoin-b1f694fce276-codesignatures-bd42dd2a53b0.tar.gz
439125b89de8903cf111df70abe5f2d9874fcc98f3dd234f4c202e9d59057ca48  dist-archive/bitcoin-b1f694fce276-codesignatures-bd42dd2a53b0.tar.gz
56ec5b4badd4c4f64c09762626a4b4c727b5c90a8d74699a3af5a21cbbda4bba9  x86_64-apple-darwin-codesigned/bitcoin-b1f694fce276-x86_64-apple-darwin.tar.gz
6fbdfc915ef1a77eaab181667f09481081a3fd7131d53279044999744fdfd0d87  x86_64-apple-darwin-codesigned/bitcoin-b1f694fce276-x86_64-apple-darwin.zip
7a0e546b23fdef1466ae3c5d856967a34067665d8daa75a4621b1ec0b8f8185ab  x86_64-apple-darwin/bitcoin-b1f694fce276-x86_64-apple-darwin-codesigning.tar.gz
  27. pinheadmz approved
  28. pinheadmz commented at 3:17 pm on June 2, 2025: member

    ACK b1f694fce276d68a5b983c187a4efbb231d83f79

     0-----BEGIN PGP SIGNED MESSAGE-----
 1Hash: SHA256
 2
 3ACK b1f694fce276d68a5b983c187a4efbb231d83f79
 4-----BEGIN PGP SIGNATURE-----
 5
 6iQIzBAEBCAAdFiEE5hdzzW4BBA4vG9eM5+KYS2KJyToFAmg9wI8ACgkQ5+KYS2KJ
 7yTqh2g//VaBp+xI3eip80BQVqdSq0zaeMnvE+n92xXkb2FQANL7PR+qvxjYVU0KA
 8+dQ5yqJZH4QZQA4WnZhsM9ZQAzWQ+BKCeoQGyzw13YUU3vX7qBxqJxFeXgOb5b3a
 9EeDW6EKhPTdtekHTaHhyqlBklL6RXQpepMVbp3CAZsUBpzlRz/8r0q7oZTqzHS8Z
10UADA3Q1XWsodcOtL22hy1BFB6cvAoIgHgR9kF2810XZ3oHh5EoFfk0sunfLFmXWP
11kled3F+efmbRbeMMkaREU7QQB0jhYad9fKbntGaGPwDYAe25ieeWDHrg8juOpmBh
127Kin98AcR//Fz//v84cUAG4nvK8UCPgVrL79U+WWRUxFCxesTTSboo6RRvDE7XbD
13l29p8uA1dqrPi2M+iuk6yCOQ6Ls9thWQET8Vht3LG8E2K9tkMWFzu3WYiZvyLxtz
14O8s8ozEfD2IShnXwbBaHWT6+JHRSb/UlhthQeiwkvcbP1Zd78Vqv6RTo5D9Xd+xK
15Dba5Up33YuNQ+K+Kl5XcdvttygAXFd2tV59+L1tfHxp/4tGbKe+M9XoGcyh7cZPX
16eUQziKWIakFKSd/RF4JUsUudJ4EoDEl8fDnlYncLfF6BpIzz29aAe5hq5KpPdJo2
17kJVSJA/3w1LhdtF+uTzHVKthOxz9Ypp/YW+iN/sGTwSka77h90I=
18=2/K1
19-----END PGP SIGNATURE-----

    pinheadmz’s public key is on openpgp.org

  29. fanquake requested review from achow101 on Jun 2, 2025
  30. fanquake merged this on Jun 5, 2025
  31. fanquake closed this on Jun 5, 2025
  32. fanquake deleted the branch on Jun 5, 2025
  33. glozow referenced this in commit cb13264169 on Jun 9, 2025
  34. achow101 commented at 6:30 pm on June 10, 2025: member
    Looks like 3656b828dc2204418974e94928cc8d915b10ed95 wasn’t cherry-picked? I think that’s necessary for 744b1c8581a88cdb2c3a1f7730b5c7caae86a702 to work.
  35. fanquake commented at 9:45 am on June 12, 2025: member
    Thanks, addressed in #32735.


fanquake DrahtBot pinheadmz achow101


achow101

Labels
Backport CI failed

Milestone
28.2

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-06-30 06:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me