Guix builds fail after 2026 #34220

Is there an existing issue for this?

• I have searched the existing issues

Current behaviour

While doing a mingw guix build on a clean image, osslsigncode fails to build with error

\note: keeping build directory `/tmp/guix-build-osslsigncode-2.5.drv-0'
builder for `/gnu/store/7sm633fs4y8n6cgd9lnqkc19ccrbkxr4-osslsigncode-2.5.drv' failed with exit code 1
build of /gnu/store/7sm633fs4y8n6cgd9lnqkc19ccrbkxr4-osslsigncode-2.5.drv failed
View build log at '/var/log/guix/drvs/7s/m633fs4y8n6cgd9lnqkc19ccrbkxr4-osslsigncode-2.5.drv.gz'.
note: keeping build directory `/tmp/guix-build-gcc-13.3.0.tar.xz.drv-0'
note: keeping build directory `/tmp/guix-build-binutils-2.38.tar.xz.drv-0'
guix shell: error: build of `/gnu/store/7sm633fs4y8n6cgd9lnqkc19ccrbkxr4-osslsigncode-2.5.drv' failed

Looking at the logs, you can see that the error is produced by a failed test due to expired cert

Error: Expired CA certificate:
	Signer [#0](/bitcoin-bitcoin/0/):
		Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
		Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
		Serial : 50F083176D60DACA4AEF9E7B1D9521A92C4196D3
		Certificate expiration date:
			notBefore : Jan  1 00:00:00 2018 GMT
			notAfter : Jan  1 00:00:00 2026 GMT


X509_verify_cert: certificate verify error: certificate has expired
Signature CRL verification: failed
Signature verification: failed

Faking the time to 2025 before the container preparation and then doing a normal build with the right time works normally.

Expected behaviour

Ideally there should be no timebombs creating guix environments

Steps to reproduce

Try a guix build from a recently created container, updating the whole time-machine

Relevant log output

No response

How did you obtain Bitcoin Core

Compiled from source

What version of Bitcoin Core are you using?

v30.1

Operating system and version

Fedora 43

Machine specifications

No response

This is a known and documented issue and affects several packages, see https://github.com/bitcoin/bitcoin/blob/master/contrib/guix/INSTALL.md#openssl-111l-and-openssl-111n

I don't think there is much that can be done on the Bitcoin Core side. You'll have to submit a fix upstream.

To avoid this problem in the future, guix should set the time in one of their CI severs to a date in the future (maybe 5 years), or someone should run a bootstrap build with the time set to the future whenever Bitcoin Core bumps the guix commit.

Updating osslsigncode dep in manifest.scm should fix the issue, at least for future releases. I tried to take it to 2.10 but it adds some dependencies, which I didn't like. From the core perspective, what could also be done is apply a patch with newer certs, which is something I'm gonna try to do as soon as I have time.

Updating osslsigncode dep in manifest.scm should fix the issue, at least for future releases. I tried to take it to 2.10 but it adds some dependencies, which I didn't like. From the core perspective, what could also be done is apply a patch with newer certs, which is something I'm gonna try to do as soon as I have time.

Alternatively, the osslsigncode tests could be disabled in manifest.scm.

@hebasto If you're ok with this, I can create a PR for it. Seems to work correctly.

diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index 011ba0defce2..145ef45235b2 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -208,6 +208,8 @@ and abstract ELF, PE and MachO formats.")
                (base32
                 "1j47vwq4caxfv0xw68kw5yh00qcpbd56d7rq6c483ma3y7s96yyz"))))
     (build-system cmake-build-system)
+    ;; disable running tests due to 2026 cert timebomb
+    (arguments '(#:tests? #f))
     (inputs (list openssl))
     (home-page "https://github.com/mtrojnar/osslsigncode")
     (synopsis "Authenticode signing and timestamping tool")

A patch has been proposed in #34227.

Once we update the guix time-machine commit to bb898f243ad0c10ba1c59ddbfbf7091c19c0277d or later, we can switch to the upstream osslsigncode package.