guix: Fix osslsigncode tests #34227

1. 
   hebasto commented at 1:41 am on January 8, 2026: member

   This PR aims to improve the experience for Guix builders when creating new Guix profiles after 2025. In particular, it should be helpful for those who are new to building with Guix.

   Fixes #34220.

   Other possible alternatives to consider include:

   1. Applying a workaround as suggested here.

   2. Updating the package as suggested here.

   3. Disabling tests as suggested here.

2. hebasto added the label Build system on Jan 8, 2026
3. 
   DrahtBot commented at 1:42 am on January 8, 2026: contributor

   The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

   Code Coverage & Benchmarks

   For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/34227.

   Reviews

   See the guideline for information on the review process.

   Type	Reviewers
   ACK	janb84
   Concept ACK	danielabrozzoni

   If your review is incorrectly listed, please copy-paste <!–meta-tag:bot-skip–> into the comment that the bot should ignore.

4. 
   hebasto commented at 1:45 am on January 8, 2026: member

   My partial Guix build:

   0$ uname -m && find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
   1x86_64
   24d085ae08025ab7d34947c9a0fdf245ed2b6b5dcd489c5154641954fdcfb4566  guix-build-55c9c35b65e3/output/dist-archive/bitcoin-55c9c35b65e3.tar.gz
   3e5b220ac5fb4b25efa8b4f288538857a81b54a637a6994d9b203da876a6d1f37  guix-build-55c9c35b65e3/output/x86_64-w64-mingw32/SHA256SUMS.part
   4e38779e4cda3a41cd1f2e74e4de3e0133a8e8e04f488c1e765e96fb8916eee3b  guix-build-55c9c35b65e3/output/x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-codesigning.tar.gz
   5b0f4780199eaf106fe7b841ebdcdcc42f17be7a850420227ad40878fbb392797  guix-build-55c9c35b65e3/output/x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-debug.zip
   6f0b3c45ccb7ae101957351cbd0669a7d3d0ec8955a07da5e458d7db78b814eb5  guix-build-55c9c35b65e3/output/x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-setup-unsigned.exe
   756d859f2a9971fac33f8d9b4c6da57114c919de0f3bd759bf7e0feea9d34d393  guix-build-55c9c35b65e3/output/x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-unsigned.zip
   

5. 
   psgreco commented at 10:16 am on January 8, 2026: contributor

   Profile created correctly and partial guix build matches

   04d085ae08025ab7d34947c9a0fdf245ed2b6b5dcd489c5154641954fdcfb4566  guix-build-55c9c35b65e3/output/dist-archive/bitcoin-55c9c35b65e3.tar.gz
   1e5b220ac5fb4b25efa8b4f288538857a81b54a637a6994d9b203da876a6d1f37  guix-build-55c9c35b65e3/output/x86_64-w64-mingw32/SHA256SUMS.part
   2e38779e4cda3a41cd1f2e74e4de3e0133a8e8e04f488c1e765e96fb8916eee3b  guix-build-55c9c35b65e3/output/x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-codesigning.tar.gz
   3b0f4780199eaf106fe7b841ebdcdcc42f17be7a850420227ad40878fbb392797  guix-build-55c9c35b65e3/output/x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-debug.zip
   4f0b3c45ccb7ae101957351cbd0669a7d3d0ec8955a07da5e458d7db78b814eb5  guix-build-55c9c35b65e3/output/x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-setup-unsigned.exe
   556d859f2a9971fac33f8d9b4c6da57114c919de0f3bd759bf7e0feea9d34d393  guix-build-55c9c35b65e3/output/x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-unsigned.zip
   

6. 
   danielabrozzoni commented at 11:20 am on January 8, 2026: member

   Concept ACK, thanks for this! I was unable to build v30.2rc1 due to the same error reported in #34220, but this branch builds successfully for me.

   I am very unfamiliar with guix and the build system, so i can’t code review, unfortunately.

   My build checksum:

    0> sha256sum dist-archive/*.tar.gz
    1sha256sum x86_64-w64-mingw32/SHA256SUMS.part
    2sha256sum x86_64-w64-mingw32/*.tar.gz
    3sha256sum x86_64-w64-mingw32/*.zip
    4sha256sum x86_64-w64-mingw32/*.exe
    5
    64d085ae08025ab7d34947c9a0fdf245ed2b6b5dcd489c5154641954fdcfb4566  dist-archive/bitcoin-55c9c35b65e3.tar.gz
    7e5b220ac5fb4b25efa8b4f288538857a81b54a637a6994d9b203da876a6d1f37  x86_64-w64-mingw32/SHA256SUMS.part
    8e38779e4cda3a41cd1f2e74e4de3e0133a8e8e04f488c1e765e96fb8916eee3b  x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-codesigning.tar.gz
    9b0f4780199eaf106fe7b841ebdcdcc42f17be7a850420227ad40878fbb392797  x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-debug.zip
   1056d859f2a9971fac33f8d9b4c6da57114c919de0f3bd759bf7e0feea9d34d393  x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-unsigned.zip
   11f0b3c45ccb7ae101957351cbd0669a7d3d0ec8955a07da5e458d7db78b814eb5  x86_64-w64-mingw32/bitcoin-55c9c35b65e3-win64-setup-unsigned.exe
   

7. in contrib/guix/manifest.scm:218 in 55c9c35b65

   214+     (list
   215+      #:phases
   216+      #~(modify-phases %standard-phases
   217+          (add-after 'patch-source-shebangs 'patch-dates
   218+            (lambda _
   219+              ;; Add 5 years to dates in tests.
   

   ---

   ---

   

   maflcko commented at 11:27 am on January 8, 2026:

   Can you explain why this is needed? Shouldn’t libfaketime be enough to not have to touch the hardcoded dates?

   5 years is probably enough, but I am sure someone will forget to bump this, and the same issue will re-appear in 5 years?

   So either this isn’t needed, or the fix is insufficient?

   ---

   

   hebasto commented at 11:38 am on January 8, 2026:

   Can you explain why this is needed? Shouldn’t libfaketime be enough to not have to touch the hardcoded dates?

   libfaketime does not affect the content of the OpenSSL configuration files.

   5 years is probably enough, but I am sure someone will forget to bump this, and the same issue will re-appear in 5 years?

   I assume that other options, such as updating or replacing the package, will be evaluated over the next 5 years, and that this patch could then be discarded.

   So either this isn’t needed, or the fix is insufficient?

   If I thought this proposal were perfect, I would not have mentioned alternatives in the PR description :)

   ---

   

   maflcko commented at 11:58 am on January 8, 2026:

   Can you explain why this is needed? Shouldn’t libfaketime be enough to not have to touch the hardcoded dates?

   libfaketime does not affect the content of the OpenSSL configuration files.

   I understand that libfaketime does not modify file contents, but I don’t see why it would be needed to modify config files. The tests passed in 2025, so just setting libfaketime to use a date in that year should be sufficient for the tests to pass.

   ---

   

   hebasto commented at 12:07 pm on January 8, 2026:

   The tests passed in 2025, so just setting libfaketime to use a date in that year should be sufficient for the tests to pass.

   Right.

   ---

   

   hebasto commented at 12:14 pm on January 8, 2026:

   Can you explain why this is needed? Shouldn’t libfaketime be enough to not have to touch the hardcoded dates?

   libfaketime does not affect the content of the OpenSSL configuration files.

   I understand that libfaketime does not modify file contents, but I don’t see why it would be needed to modify config files. The tests passed in 2025, so just setting libfaketime to use a date in that year should be sufficient for the tests to pass.

   I don’t think this will work, because libfaketime is only used when generating the test certificates, not when running the tests themselves.

   UPDATE. However, we might want to run tests under libfaketime.

   ---

   

   hebasto commented at 12:46 pm on January 8, 2026:

   Thanks! Reworked.
8. 
   fanquake commented at 11:27 am on January 8, 2026: member

   Not sure about the approach, given it’s going to make any future package updates much more complicated, and doesn’t fully fix the issue (just makes it occur later).
9. 
   hebasto commented at 11:39 am on January 8, 2026: member

   Not sure about the approach, given it’s going to make any future package updates much more complicated, and doesn’t fully fix the issue (just makes it occur later).

   I consider this fix as a temporarily mitigation. I assume that other options, such as updating or replacing the package, will be evaluated over the next 5 years, and that this patch could then be discarded.

10. 
    fanquake commented at 11:39 am on January 8, 2026: member

    Also, was this reported upstream, so it can be fixed, if it hasn’t been already (and if it has, can we just take that patch)?
11. 
    hebasto commented at 11:42 am on January 8, 2026: member

    Also, was this reported upstream, so it can be fixed, if it hasn’t been already (and if it has, can we just take that patch)?

    Not yet. The upstream project does not maintain version branches, and I haven’t evaluated the current master branch yet.

    UPDATE. It even fails to compile on my system due to a syntax (!) error.

12. 
    psgreco commented at 12:35 pm on January 8, 2026: contributor

    Current release (2.10) has changed completely the way the certs are generated. I tried to update the manifest.scm to use 2.10, but it requires an extra dependency to build, zlib IIRC so it looked like a bigger change and didn’t wanna mess with it
13. guix: Fix `osslsigncode` tests 194114daf3
14. hebasto force-pushed on Jan 8, 2026
15. 
    hebasto commented at 12:47 pm on January 8, 2026: member

    The feedback from @maflcko has been addressed.
16. 
    psgreco commented at 1:08 pm on January 8, 2026: contributor

    06c15853ed61a18b993443f25401a2b3418177652ce0110edc57389709363abf8  guix-build-194114daf385/output/dist-archive/bitcoin-194114daf385.tar.gz
    1bdc487aa76acc262e18cbc3fc9768c0b703fcf3713513d08ba560889db006e5c  guix-build-194114daf385/output/x86_64-w64-mingw32/SHA256SUMS.part
    2f40f77736a5634dc1efce929d1ebdd702a89b1f15f1f12709af2f6cf0ea6373d  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-codesigning.tar.gz
    3be623ed97291551ff3372ff19bb1cc74b0e9694d969bfb73919842ff85e036e9  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-debug.zip
    43734b69bc7f83a12ab68585a84b748dfc3cab1d861d8f506922b5ff7d7e9a8da  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-setup-unsigned.exe
    538c148cedb37fe6f7fc24e4d0d0651c6c0445ed48c99b7a7e1edcf2e5efdf3c3  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-unsigned.zip
    

17. 
    hebasto commented at 1:44 pm on January 8, 2026: member

    My partial Guix build:

    0$ uname -m && find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
    1aarch64
    26c15853ed61a18b993443f25401a2b3418177652ce0110edc57389709363abf8  guix-build-194114daf385/output/dist-archive/bitcoin-194114daf385.tar.gz
    3bdc487aa76acc262e18cbc3fc9768c0b703fcf3713513d08ba560889db006e5c  guix-build-194114daf385/output/x86_64-w64-mingw32/SHA256SUMS.part
    4f40f77736a5634dc1efce929d1ebdd702a89b1f15f1f12709af2f6cf0ea6373d  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-codesigning.tar.gz
    5be623ed97291551ff3372ff19bb1cc74b0e9694d969bfb73919842ff85e036e9  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-debug.zip
    63734b69bc7f83a12ab68585a84b748dfc3cab1d861d8f506922b5ff7d7e9a8da  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-setup-unsigned.exe
    738c148cedb37fe6f7fc24e4d0d0651c6c0445ed48c99b7a7e1edcf2e5efdf3c3  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-unsigned.zip
    

18. 
    janb84 commented at 3:21 pm on January 8, 2026: contributor

    ACK 194114daf385a5db50e1507fda79a1a93240d494

    Simple temporary solution to fake the time for one package where it’s certificates are expired.

    Given all the alternatives, this seems like the best solution for now, until upstream is patched / other version is ready for use.

    Edit: is the PR description still correct ?

    my Guix Build Output

    Host architecture: aarch64 Commit: 194114daf385

     089ac809be13e442df676a1e7fc88b75307756fdd208e271117e9b6899d97a3da  guix-build-194114daf385/output/aarch64-linux-gnu/SHA256SUMS.part
     1c3322b9fe8f0f4fe4b20d328207c5db490db499d452e1f97241dc267410746cf  guix-build-194114daf385/output/aarch64-linux-gnu/bitcoin-194114daf385-aarch64-linux-gnu-debug.tar.gz
     29f9ca36622e86c7ebb9d1999a5aad529cce99c0266c0929c6cb059e2acfe35da  guix-build-194114daf385/output/aarch64-linux-gnu/bitcoin-194114daf385-aarch64-linux-gnu.tar.gz
     3228a1740c214bd94bb307a6a7ae7b89ff2c5be7b378126cd96a1ccde0a9a08fc  guix-build-194114daf385/output/arm-linux-gnueabihf/SHA256SUMS.part
     4f0f8a374ae54a8877dd7e5a8b7fa0796bf13e0694a20b7f305d3815b7fbb03ce  guix-build-194114daf385/output/arm-linux-gnueabihf/bitcoin-194114daf385-arm-linux-gnueabihf-debug.tar.gz
     5d0568db306f2cd2d56ecc9ac4d104e38c15cc254fc2c0c5de77720516045cf3d  guix-build-194114daf385/output/arm-linux-gnueabihf/bitcoin-194114daf385-arm-linux-gnueabihf.tar.gz
     6e291c15edcd5312aa482ea108a48e4a0b5993440a9ad2f680568240080572154  guix-build-194114daf385/output/arm64-apple-darwin/SHA256SUMS.part
     7ebd1aad46a0c7cbc133cd857ae8c6b652f1c665ba9680c3370b28f43b026c692  guix-build-194114daf385/output/arm64-apple-darwin/bitcoin-194114daf385-arm64-apple-darwin-codesigning.tar.gz
     8421245463534af51444e270f3a6f92ee754aa9fba920585f124dad2bdba5e526  guix-build-194114daf385/output/arm64-apple-darwin/bitcoin-194114daf385-arm64-apple-darwin-unsigned.tar.gz
     96c2abba20837fd5c1ccfb12dbb72c561b6dc80d9ff611d2be45137bc3f27de18  guix-build-194114daf385/output/arm64-apple-darwin/bitcoin-194114daf385-arm64-apple-darwin-unsigned.zip
    106c15853ed61a18b993443f25401a2b3418177652ce0110edc57389709363abf8  guix-build-194114daf385/output/dist-archive/bitcoin-194114daf385.tar.gz
    11a759c23990e3bbaeb11c955c4f5441777cbb053e68f91e60e341042c4a64e8f0  guix-build-194114daf385/output/powerpc64-linux-gnu/SHA256SUMS.part
    12a0b2190f985f6549e9dd3fbd009fb694815bb1975d63e704da6836f2f990dcd1  guix-build-194114daf385/output/powerpc64-linux-gnu/bitcoin-194114daf385-powerpc64-linux-gnu-debug.tar.gz
    137e907a068e2bd2c4f4bde86f6b9b01ce8d0de6b70df126e9d4ecc0ad7a2d8576  guix-build-194114daf385/output/powerpc64-linux-gnu/bitcoin-194114daf385-powerpc64-linux-gnu.tar.gz
    14fa2f30524890e939e9046003422c3c39dee680c4d15e0b8b47905a040197e3e6  guix-build-194114daf385/output/riscv64-linux-gnu/SHA256SUMS.part
    15ef330ee1703549d50df39af872c7ea6cafe5a43c0ccb068da18a3504b10740db  guix-build-194114daf385/output/riscv64-linux-gnu/bitcoin-194114daf385-riscv64-linux-gnu-debug.tar.gz
    161c094f1297cf1a2aa9da798e69a28b3cd15aa7588567f598af782022dde139e9  guix-build-194114daf385/output/riscv64-linux-gnu/bitcoin-194114daf385-riscv64-linux-gnu.tar.gz
    1710d4063e11acc45ebce88229c680a8cf40367c299acd24448e66a29e94738e57  guix-build-194114daf385/output/x86_64-apple-darwin/SHA256SUMS.part
    18a9892d8e7234e22203e595ede1bae78df5a5979730ffd9adb9e431be9345efe6  guix-build-194114daf385/output/x86_64-apple-darwin/bitcoin-194114daf385-x86_64-apple-darwin-codesigning.tar.gz
    19ed8f5bc3b6a3e07ccd48879482eeec05a85be2ed70fe44f80728d310c25cfc1c  guix-build-194114daf385/output/x86_64-apple-darwin/bitcoin-194114daf385-x86_64-apple-darwin-unsigned.tar.gz
    20e71cf6637a482b02eafd5b866ed1d99e0e10c345cf97c2080191b43846156a52  guix-build-194114daf385/output/x86_64-apple-darwin/bitcoin-194114daf385-x86_64-apple-darwin-unsigned.zip
    2150686adb8d106a3d8896c09e84a35d329dfe14e4805877e7dd523618a9ca9bab  guix-build-194114daf385/output/x86_64-linux-gnu/SHA256SUMS.part
    222410bc01c7382ad3f04632f4c8acbb6e90279248bb02951092ce962c88254f77  guix-build-194114daf385/output/x86_64-linux-gnu/bitcoin-194114daf385-x86_64-linux-gnu-debug.tar.gz
    237d75c6b30deeb2ec7fb71338b9778ee53a0d202e21cbbc674ca9584c4e8b9b1a  guix-build-194114daf385/output/x86_64-linux-gnu/bitcoin-194114daf385-x86_64-linux-gnu.tar.gz
    24bdc487aa76acc262e18cbc3fc9768c0b703fcf3713513d08ba560889db006e5c  guix-build-194114daf385/output/x86_64-w64-mingw32/SHA256SUMS.part
    25f40f77736a5634dc1efce929d1ebdd702a89b1f15f1f12709af2f6cf0ea6373d  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-codesigning.tar.gz
    26be623ed97291551ff3372ff19bb1cc74b0e9694d969bfb73919842ff85e036e9  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-debug.zip
    273734b69bc7f83a12ab68585a84b748dfc3cab1d861d8f506922b5ff7d7e9a8da  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-setup-unsigned.exe
    2838c148cedb37fe6f7fc24e4d0d0651c6c0445ed48c99b7a7e1edcf2e5efdf3c3  guix-build-194114daf385/output/x86_64-w64-mingw32/bitcoin-194114daf385-win64-unsigned.zip
    

19. DrahtBot requested review from danielabrozzoni on Jan 8, 2026
20. 
    hebasto commented at 6:01 pm on January 8, 2026: member

    Edit: is the PR description still correct ?

    Which part are you referring to?

21. 
    janb84 commented at 7:24 pm on January 8, 2026: contributor

    Edit: is the PR description still correct ?

    Which part are you referring to?

    This Part (especially the last part.?)

    “This PR aims to improve the experience for Guix builders when creating new Guix profiles after 2025. In particular, it should be helpful for those who are new to building with Guix.”

    Given the new (temporary) time faking solution, wouldn’t something like this be more descriptive?

    “This PR aims to improve the experience for Guix builders when creating new Guix profiles after 2025. Before this PR, creating a new Guix profile fails because of expired certificates. This PR provides a fix until an upstream permanent solution is provided.

    Fixes […] « rest of pr description » "

Contributors
hebasto DrahtBot psgreco danielabrozzoni maflcko fanquake janb84

Review Requested
danielabrozzoni

Labels
Build system