Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/builder-keys/README.md | 2 | ||||
-rw-r--r-- | contrib/builder-keys/keys.txt | 2 | ||||
-rwxr-xr-x | contrib/devtools/test-symbol-check.py | 9 | ||||
-rwxr-xr-x | contrib/guix/guix-attest | 28 | ||||
-rwxr-xr-x | contrib/guix/guix-verify | 6 | ||||
-rw-r--r-- | contrib/verify-commits/README.md | 2 |
6 files changed, 28 insertions, 21 deletions
diff --git a/contrib/builder-keys/README.md b/contrib/builder-keys/README.md
index a7c1d5ae0a..56bd87d0af 100644
--- a/contrib/builder-keys/README.md
+++ b/contrib/builder-keys/README.md
@@ -20,7 +20,7 @@ To fetch keys of builders and active developers, feed the list of fingerprints
 of the primary keys into gpg:
 
 ```sh
-while read fingerprint keyholder_name; do gpg --keyserver hkp://subset.pool.sks-keyservers.net --recv-keys ${fingerprint}; done < ./keys.txt
+while read fingerprint keyholder_name; do gpg --keyserver hkps://keys.openpgp.org --recv-keys ${fingerprint}; done < ./keys.txt
 ```
 
 Add your key to the list if you provided Guix attestations for two major or
diff --git a/contrib/builder-keys/keys.txt b/contrib/builder-keys/keys.txt
index db28cd07a0..890406c745 100644
--- a/contrib/builder-keys/keys.txt
+++ b/contrib/builder-keys/keys.txt
@@ -5,6 +5,7 @@ E944AE667CF960B1004BC32FCA662BE18B877A60 Andreas Schildbach (aschildbach)
 590B7292695AFFA5B672CBB2E13FC145CD3F4304 Antoine Poinsot (darosior)
 0AD83877C1F0CD1EE9BD660AD7CC770B81FD22A8 Ben Carman (benthecarman)
 912FD3228387123DC97E0E57D5566241A0295FA9 BtcDrak (btcdrak)
+04017A2A6D9A0CCDC81D8EC296AB007F1A7ED999 Carl Dong (dongcarl)
 C519EBCF3B926298946783EFF6430754120EC2F4 Christian Decker (cdecker)
 18AE2F798E0D239755DA4FD24B79F986CBDF8736 Chun Kuan Le (ken2812221)
 101598DC823C1B5F9A6624ABA5E0907A0380E6C3 CoinForensics (CoinForensics)
@@ -19,6 +20,7 @@ D35176BE9264832E4ACA8986BF0792FBE95DC863 fivepiece (fivepiece)
 01CDF4627A3B88AAE4A571C87588242FBE38D3A8 Gavin Andresen (gavinandresen)
 D1DBF2C4B96F2DEBF4C16654410108112E7EA81F Hennadii Stepanov (hebasto)
 A2FD494D0021AA9B4FA58F759102B7AE654A4A5A Ilyas Ridhuan (IlyasRidhuan)
+2688F5A9A4BE0F295E921E8A25F27A38A47AD566 James O'Beirne (jamesob)
 D3F22A3A4C366C2DCB66D3722DA9C5A7FA81EA35 Jarol Rodriguez (jarolrod)
 7480909378D544EA6B6DCEB7535B12980BB8A4D3 Jeffri H Frontz (jhfrontz)
 D3CC177286005BB8FF673294C5242A1AB3936517 jl2012 (jl2012)
diff --git a/contrib/devtools/test-symbol-check.py b/contrib/devtools/test-symbol-check.py
index 7d83c5f751..2da7ae793d 100755
--- a/contrib/devtools/test-symbol-check.py
+++ b/contrib/devtools/test-symbol-check.py
@@ -73,20 +73,21 @@ class TestSymbolChecks(unittest.TestCase):
 (1, executable + ': NEEDED library libutil.so.1 is not allowed\n' +
 executable + ': failed LIBRARY_DEPENDENCIES'))
 
- # finally, check a conforming file that simply uses a math function
+ # finally, check a simple conforming binary
 source = 'test3.c'
 executable = 'test3'
 with open(source, 'w', encoding="utf8") as f:
 f.write('''
- #include <math.h>
+ #include <stdio.h>
 
 int main()
 {
- return (int)pow(2.0, 4.0);
+ printf("42");
+ return 0;
 }
 ''')
 
- self.assertEqual(call_symbol_check(cc, source, executable, ['-lm']),
+ self.assertEqual(call_symbol_check(cc, source, executable, []),
 (0, ''))
 
 def test_MACHO(self):
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
index dcf709b542..6e12cbead7 100755
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@@ -159,23 +159,21 @@ Hint: You may wish to remove the existing attestations and their signatures by
 EOF
 }
 
-# Given a document with unix line endings (just <LF>) in stdin, make all lines
-# end in <CR><LF> and make sure there's no trailing <LF> at the end of the file.
-#
-# This is necessary as cleartext signatures are calculated on text after their
-# line endings are canonicalized.
+echo "Attesting to build outputs for version: '${VERSION}'"
+echo ""
+
+# Given a SHA256SUMS file as stdin that has lines like:
+# 0ba536819b221a91d3d42e978be016aac918f40984754d74058aa0c921cd3ea6 a/b/d/c/d/s/bitcoin-22.0rc2-riscv64-linux-gnu.tar.gz
+# ...
 #
-# For more information:
-# 1. https://security.stackexchange.com/a/104261
-# 2. https://datatracker.ietf.org/doc/html/rfc4880#section-7.1
+# Replace each line's file name with its basename:
+# 0ba536819b221a91d3d42e978be016aac918f40984754d74058aa0c921cd3ea6 bitcoin-22.0rc2-riscv64-linux-gnu.tar.gz
+# ...
 #
-rfc4880_normalize_document() {
- sed 's/$/\r/' | head -c -2
+basenameify_SHA256SUMS() {
+ sed -E 's@(^[[:xdigit:]]{64}[[:space:]]+).+/([^/]+$)@\1\2@'
 }
 
-echo "Attesting to build outputs for version: '${VERSION}'"
-echo ""
-
 outsigdir="$GUIX_SIGS_REPO/$VERSION/$signer_name"
 mkdir -p "$outsigdir"
 (
@@ -188,7 +186,7 @@ mkdir -p "$outsigdir"
 cat "${noncodesigned_fragments[@]}" \
 | sort -u \
 | sort -k2 \
- | rfc4880_normalize_document \
+ | basenameify_SHA256SUMS \
 > "$temp_noncodesigned"
 if [ -e noncodesigned.SHA256SUMS ]; then
 # The SHA256SUMS already exists, make sure it's exactly what we
@@ -216,7 +214,7 @@ mkdir -p "$outsigdir"
 cat "${sha256sum_fragments[@]}" \
 | sort -u \
 | sort -k2 \
- | rfc4880_normalize_document \
+ | basenameify_SHA256SUMS \
 > "$temp_all"
 if [ -e all.SHA256SUMS ]; then
 # The SHA256SUMS already exists, make sure it's exactly what we
diff --git a/contrib/guix/guix-verify b/contrib/guix/guix-verify
index e4863f115b..02ae022741 100755
--- a/contrib/guix/guix-verify
+++ b/contrib/guix/guix-verify
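Review bot: In the @@ -188 hunk (and identically in @@ -216) `basenameify_SHA256SUMS` runs after `sort -u` and `sort -k2`, so de-duplication and ordering are decided on the full path rather than on the basename the manifest will actually contain. Two fragments that record the same artifact under different directories therefore survive `sort -u` and become two lines for one basename in the output, identical if the hashes agree and silently conflicting if they do not, and the line order can differ from a sort on the final names; both matter because the verify side compares manifests byte-for-byte with `diff --report-identical`. Rewrite the names before sorting: `| basenameify_SHA256SUMS \`, `| sort -u \`, `| sort -k2 \`. The pipeline and the subshell it lives in continue outside both hunks.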
@@ -77,11 +77,13 @@ verify() {
 echo ""
 echo "Hint: Either the signature is invalid or the public key is missing"
 echo ""
+ failure=1
 elif ! diff --report-identical "$compare_manifest" "$current_manifest" 1>&2; then
 echo "ERR: The SHA256SUMS attestation in these two directories differ:"
 echo " '${compare_manifest}'"
 echo " '${current_manifest}'"
 echo ""
+ failure=1
 else
 echo "Verified: '${current_manifest}'"
 echo ""
@@ -166,3 +168,7 @@ if (( ${#all_noncodesigned[@]} + ${#all_all[@]} == 0 )); then
 echo ""
 exit 1
 fi
+
+if [ -n "$failure" ]; then
+ exit 1
+fi
diff --git a/contrib/verify-commits/README.md b/contrib/verify-commits/README.md
index e95a57586f..b8b15280ba 100644
--- a/contrib/verify-commits/README.md
+++ b/contrib/verify-commits/README.md
@@ -40,7 +40,7 @@ Import trusted keys
 In order to check the commit signatures, you must add the trusted PGP keys to
 your machine. [GnuPG](https://gnupg.org/) may be used to import the trusted keys
 by running the following command:
 ```sh
-gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys $(<contrib/verify-commits/trusted-keys)
+gpg --keyserver hkps://keys.openpgp.org --recv-keys $(<contrib/verify-commits/trusted-keys)
 ```
 Key expiry/revocation |
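Review bot: `failure` is set in the @@ -77 hunk and tested with `[ -n "$failure" ]` in the @@ -166 hunk, but it is never initialised, so a `failure` variable inherited from the caller's environment would make the script exit 1 even when every attestation verified, and if the script runs under `set -u` (not visible in this diff) the final test would abort before reporting. Initialise it once before `verify` is first called, `failure=`, so the exit status reflects only this run's results. verify() starts above the @@ -77 hunk, and the loop that calls it lies between the two hunks.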