Guix builds fail after 2026 #34220

issue psgreco opened this issue on January 7, 2026
  1. psgreco commented at 1:27 pm on January 7, 2026: contributor

    Is there an existing issue for this?

    • I have searched the existing issues

    Current behaviour

    While doing a mingw guix build on a clean image, osslsigncode fails to build with error

    note: keeping build directory `/tmp/guix-build-osslsigncode-2.5.drv-0'
    builder for `/gnu/store/7sm633fs4y8n6cgd9lnqkc19ccrbkxr4-osslsigncode-2.5.drv' failed with exit code 1
    build of /gnu/store/7sm633fs4y8n6cgd9lnqkc19ccrbkxr4-osslsigncode-2.5.drv failed
    View build log at '/var/log/guix/drvs/7s/m633fs4y8n6cgd9lnqkc19ccrbkxr4-osslsigncode-2.5.drv.gz'.
    note: keeping build directory `/tmp/guix-build-gcc-13.3.0.tar.xz.drv-0'
    note: keeping build directory `/tmp/guix-build-binutils-2.38.tar.xz.drv-0'
    guix shell: error: build of `/gnu/store/7sm633fs4y8n6cgd9lnqkc19ccrbkxr4-osslsigncode-2.5.drv' failed
    

    Looking at the logs, you can see that the error is produced by a failed test due to expired cert

    Error: Expired CA certificate:
    	Signer #0:
    		Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
    		Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
    		Serial : 50F083176D60DACA4AEF9E7B1D9521A92C4196D3
    		Certificate expiration date:
    			notBefore : Jan  1 00:00:00 2018 GMT
    			notAfter : Jan  1 00:00:00 2026 GMT

    X509_verify_cert: certificate verify error: certificate has expired
    Signature CRL verification: failed
    Signature verification: failed
    

    Faking the time to 2025 before the container preparation and then doing a normal build with the right time works normally.

    Expected behaviour

    Ideally there should be no timebombs creating guix environments

    Steps to reproduce

    Try a guix build from a recently created container, updating the whole time-machine

    Relevant log output

    No response

    How did you obtain Bitcoin Core

    Compiled from source

    What version of Bitcoin Core are you using?

    v30.1

    Operating system and version

    Fedora 43

    Machine specifications

    No response

  2. maflcko added the label Upstream on Jan 7, 2026
  3. maflcko commented at 1:50 pm on January 7, 2026: member

    This is a known and documented issue and affects several packages, see https://github.com/bitcoin/bitcoin/blob/master/contrib/guix/INSTALL.md#openssl-111l-and-openssl-111n

    I don’t think there is much that can be done on the Bitcoin Core side. You’ll have to submit a fix upstream.

    To avoid this problem in the future, guix should set the time in one of their CI servers to a date in the future (maybe 5 years), or someone should run a bootstrap build with the time set to the future whenever Bitcoin Core bumps the guix commit.

  4. psgreco commented at 1:59 pm on January 7, 2026: contributor
    Updating osslsigncode dep in manifest.scm should fix the issue, at least for future releases. I tried to take it to 2.10 but it adds some dependencies, which I didn’t like. From the core perspective, what could also be done is apply a patch with newer certs, which is something I’m gonna try to do as soon as I have time.
  5. hebasto commented at 3:51 pm on January 7, 2026: member

    > Updating osslsigncode dep in manifest.scm should fix the issue, at least for future releases. I tried to take it to 2.10 but it adds some dependencies, which I didn’t like. From the core perspective, what could also be done is apply a patch with newer certs, which is something I’m gonna try to do as soon as I have time.

    Alternatively, the osslsigncode tests could be disabled in manifest.scm.

  6. psgreco commented at 8:33 pm on January 7, 2026: contributor

    @hebasto If you’re ok with this, I can create a PR for it. Seems to work correctly.

     0diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
     1index 011ba0defce2..145ef45235b2 100644
     2--- a/contrib/guix/manifest.scm
     3+++ b/contrib/guix/manifest.scm
     4@@ -208,6 +208,8 @@ and abstract ELF, PE and MachO formats.")
     5                (base32
     6                 "1j47vwq4caxfv0xw68kw5yh00qcpbd56d7rq6c483ma3y7s96yyz"))))
     7     (build-system cmake-build-system)
     8+    ;; disable running tests due to 2026 cert timebomb
     9+    (arguments '(#:tests? #f))
    10     (inputs (list openssl))
    11     (home-page "https://github.com/mtrojnar/osslsigncode")
    12     (synopsis "Authenticode signing and timestamping tool")
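
    Review bot: the added `(arguments '(#:tests? #f))` line before `(inputs (list openssl))` switches off the whole osslsigncode test suite, not only the checks that depend on the expired test certificate, so the packaged signing tool is no longer exercised at build time. The comment above it should name the cause precisely (the test suite's Intermediate CA certificate with notAfter Jan 1 2026) and state when the override can be dropped, for example at the next osslsigncode version bump in this file, so the workaround does not outlive the problem.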
    
  7. hebasto commented at 1:42 am on January 8, 2026: member
    A patch has been proposed in #34227.
  8. fanquake closed this on Jan 9, 2026

  9. fanquake referenced this in commit 2d87afcf7d on Jan 9, 2026
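
The look-ahead check suggested in comment 3, as an added example (not code from Bitcoin Core, Guix or osslsigncode): it parses the validity window out of the failure text quoted in the issue and classifies it against a chosen build clock. The function names, the status labels and the 5-year default horizon are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Failure text as quoted in the issue (osslsigncode 2.5 test log).
SAMPLE_LOG = """\
Error: Expired CA certificate:
	Signer #0:
		Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
		Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
		Serial : 50F083176D60DACA4AEF9E7B1D9521A92C4196D3
		Certificate expiration date:
			notBefore : Jan  1 00:00:00 2018 GMT
			notAfter : Jan  1 00:00:00 2026 GMT
X509_verify_cert: certificate verify error: certificate has expired
"""

FIELD = re.compile(r"^\s*(Subject|notBefore|notAfter)\s*:\s*(.+?)\s*$", re.M)

def parse_time(text):
    # OpenSSL pads single-digit days ("Jan  1 ..."); collapse the whitespace first.
    stamp = datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")
    return stamp.replace(tzinfo=timezone.utc)

def parse_validity(log):
    """Return (subject, not_before, not_after) for every certificate block in the log."""
    certs, cur = [], {}
    for key, value in FIELD.findall(log):
        cur[key] = value
        if key == "notAfter" and "notBefore" in cur:
            certs.append((cur.get("Subject", "?"),
                          parse_time(cur["notBefore"]), parse_time(value)))
            cur = {}
    return certs

def classify(log, build_clock, horizon_years=5):
    """Label each certificate as seen from build_clock, looking horizon_years ahead."""
    horizon = build_clock + timedelta(days=365 * horizon_years)
    report = []
    for subject, _not_before, not_after in parse_validity(log):
        if not_after <= build_clock:      # OpenSSL treats notAfter == now as expired
            status = "expired"
        elif not_after <= horizon:
            status = "timebomb"           # passes today, fails inside the horizon
        else:
            status = "ok"
        report.append((subject.rsplit("CN=", 1)[-1], status, not_after.date().isoformat()))
    return report
```

With a mid-2025 clock the certificate is reported as a timebomb rather than a failure, which matches the observation in the issue that faking the time to 2025 lets the build pass.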

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-01-10 00:13 UTC
