contrib: replace deprecated --deep codesign flag, fix accidental --verify skip on ci #34914

pull Sjors wants to merge 2 commits into bitcoin:master from Sjors:2026/03/deep-sign changing 2 files +18 −5
  1. Sjors commented at 4:36 PM on March 24, 2026: member

    Replace the deprecated codesign --deep with explicit, and minimal, per-component signing of Frameworks, Plugins and the top-level bundle.

    The CI signature check introduced in #34787 is updated to use --strict.

    Can be tested with:

    cmake -B build -DBUILD_GUI=ON
    # delete artifacts before rebuilding the `deploy` target
    rm -rf build/Bitcoin-Qt.app build/bitcoin-macos-app.zip
    cmake --build build -t deploy
    codesign --verify --deep --strict --verbose=4 build/dist/Bitcoin-Qt.app
    

    Fixes #32486, supersedes #33592 (this is a condensed version)

    Additionally this PR modifies 03_test_script.sh to avoid modifying GOAL in place. That was causing the codesign --verify step to get skipped entirely.

  2. DrahtBot added the label Scripts and tools on Mar 24, 2026
  3. DrahtBot commented at 4:37 PM on March 24, 2026: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    Concept ACK hebasto

    If your review is incorrectly listed, please copy-paste <!--meta-tag:bot-skip--> into the comment that the bot should ignore.

  4. Sjors renamed this:
    contrib: remove deprecated --deep codesign flag
    contrib: replace deprecated --deep codesign flag with minimal signing
    on Mar 24, 2026
  5. hebasto commented at 4:44 PM on March 24, 2026: member

    Concept ACK. This is a smaller diff than in #33592 :)

  6. fanquake added this to the milestone 32.0 on Mar 25, 2026
  7. fanquake commented at 3:07 AM on March 25, 2026: member

    codesign --verify --deep --strict --verbose=4

    You can also update the CI check to also use --strict: https://github.com/bitcoin/bitcoin/blob/2fe76ed8324af44c985b96455a05c3e8bec0a03e/ci/test/03_test_script.sh#L160

  8. Sjors force-pushed on Mar 25, 2026
  9. Sjors commented at 8:29 AM on March 25, 2026: member

    > You can also update the CI check to also use --strict

    Done

  10. ci: avoid modifying GOAL in 03_test_script.sh
    The modification caused "codesign --verify" to be silently skipped.
    
    Introduce BUILD_TARGETS for the cmake target list so GOAL remains
    unmodified throughout the script.
    d79ef13c27
  11. contrib: remove deprecated --deep codesign flag
    Replace the deprecated `codesign --deep` with explicit per-component
    signing of Frameworks, Plugins and the top-level bundle.
    
    CI is updated to verify with --strict.
    
    Can be verified with:
    codesign --verify --deep --strict --verbose=4 build/dist/Bitcoin-Qt.app
    
    Co-authored-by: amisha <amishhhaaaa@gmail.com>
    5a102a5fc2
  12. Sjors force-pushed on Mar 25, 2026
  13. Sjors commented at 10:16 AM on March 25, 2026: member

    I noticed that codesign --verify --strict didn't appear in the log. Looks like we forgot to check that in #34787 review. The problem is that 03_test_script.sh modifies GOAL. Added a commit to reduce the chances of that happening again.

  14. Sjors renamed this:
    contrib: replace deprecated --deep codesign flag with minimal signing
    contrib: replace deprecated --deep codesign flag, fix accidental sign --verify skip on ci
    on Mar 25, 2026
  15. Sjors renamed this:
    contrib: replace deprecated --deep codesign flag, fix accidental sign --verify skip on ci
    contrib: replace deprecated --deep codesign flag, fix accidental --verify skip on ci
    on Mar 25, 2026
  16. Sjors marked this as a draft on Mar 25, 2026
  17. Sjors commented at 10:36 AM on March 25, 2026: member

    The GOAL mutation was introduced here: https://github.com/bitcoin/bitcoin/pull/33810/changes/2c78814e0e182853ce44d9fd63d24ee6cab5223e

    It was trying to avoid passing all to cmake --build when GOAL=codegen, which this PR addresses by introducing BUILD_TARGETS instead.

  18. Sjors marked this as ready for review on Mar 25, 2026
  19. sedited requested review from hebasto on Apr 26, 2026
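
The failure mode described in this thread (a variable that gates a check being overwritten before the check runs), as an added sketch that is not taken from 03_test_script.sh. Only GOAL, BUILD_TARGETS, the `codegen` case and the codesign command come from the page; the function names, the `all $GOAL` rewrite and the `deploy` gate are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not the project's CI script.
# step() records a command instead of running it, so this runs anywhere.
step() { printf '%s\n' "$*"; }

VERIFY="codesign --verify --deep --strict --verbose=4 build/dist/Bitcoin-Qt.app"

# Before: GOAL is reused as the cmake target list (assumed rewrite),
# so the later gate compares against a value that no longer matches.
ci_mutating() {
  GOAL="$1"
  if [ "$GOAL" != "codegen" ]; then
    GOAL="all $GOAL"
  fi
  step "cmake --build build -t $GOAL"
  if [ "$GOAL" = "deploy" ]; then   # assumed gate; now never true
    step "$VERIFY"
  fi
}

# After: the target list lives in BUILD_TARGETS and GOAL stays untouched,
# so the gate still sees the value the job was started with.
ci_fixed() {
  GOAL="$1"
  BUILD_TARGETS="$GOAL"
  if [ "$GOAL" != "codegen" ]; then
    BUILD_TARGETS="all $GOAL"
  fi
  step "cmake --build build -t $BUILD_TARGETS"
  if [ "$GOAL" = "deploy" ]; then
    step "$VERIFY"
  fi
}

# Log check: succeeds only if the signature verification appears in the
# recorded steps. A skipped check otherwise leaves the job green.
verify_ran() { printf '%s\n' "$1" | grep -q '^codesign --verify'; }

for impl in ci_mutating ci_fixed; do
  log=$($impl deploy)
  if verify_ran "$log"; then
    echo "$impl: signature check ran"
  else
    echo "$impl: signature check SKIPPED"
  fi
done
```

Both variants exit successfully; only the recorded steps show that the first one never verified the signature, which is why the log check is worth keeping as a separate assertion.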

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-26 09:13 UTC