aboutsummaryrefslogtreecommitdiff
path: root/contrib
diff options
context:
space:
mode:
Diffstat (limited to 'contrib')
-rw-r--r--contrib/bitcoin-qt.pro22
-rw-r--r--contrib/debian/copyright4
-rw-r--r--contrib/devtools/README.md3
-rw-r--r--contrib/devtools/pixie.py2
-rwxr-xr-xcontrib/devtools/security-check.py147
-rwxr-xr-xcontrib/devtools/symbol-check.py119
-rwxr-xr-xcontrib/devtools/test-security-check.py54
-rwxr-xr-xcontrib/devtools/test-symbol-check.py81
-rwxr-xr-xcontrib/devtools/utils.py22
-rwxr-xr-xcontrib/gitian-build.py2
-rw-r--r--[-rwxr-xr-x]contrib/gitian-descriptors/assign_DISTNAME2
-rw-r--r--contrib/gitian-descriptors/gitian-linux.yml6
-rw-r--r--contrib/gitian-descriptors/gitian-osx-signer.yml2
-rw-r--r--contrib/gitian-descriptors/gitian-osx.yml12
-rw-r--r--contrib/gitian-descriptors/gitian-win.yml5
-rw-r--r--contrib/guix/README.md127
-rwxr-xr-xcontrib/guix/guix-attest240
-rwxr-xr-xcontrib/guix/guix-build (renamed from contrib/guix/guix-build.sh)232
-rwxr-xr-xcontrib/guix/guix-clean83
-rwxr-xr-xcontrib/guix/guix-codesign392
-rwxr-xr-xcontrib/guix/guix-verify142
-rwxr-xr-x[-rw-r--r--]contrib/guix/libexec/build.sh139
-rwxr-xr-xcontrib/guix/libexec/codesign.sh113
-rw-r--r--contrib/guix/libexec/prelude.bash66
-rw-r--r--contrib/guix/manifest.scm510
-rw-r--r--contrib/guix/patches/binutils-mingw-w64-disable-flags.patch171
-rw-r--r--contrib/guix/patches/gcc-8-sort-libtool-find-output.patch400
-rw-r--r--contrib/guix/patches/glibc-2.24-elfm-loadaddr-dynamic-rewrite.patch62
-rw-r--r--contrib/guix/patches/glibc-2.24-no-build-time-cxx-header-run.patch100
-rw-r--r--contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include__-to-include-asm-syscalls.h.patch72
-rw-r--r--contrib/guix/patches/glibc-ldd-x86_64.patch10
-rw-r--r--contrib/guix/patches/glibc-versioned-locpath.patch240
-rw-r--r--contrib/guix/patches/nsis-SConstruct-sde-support.patch3
-rw-r--r--contrib/guix/patches/oscrypto-hard-code-openssl.patch13
-rw-r--r--contrib/init/bitcoind.openrc7
-rw-r--r--contrib/init/bitcoind.service3
-rw-r--r--contrib/macdeploy/README.md18
-rwxr-xr-x[-rw-r--r--]contrib/qos/tc.sh2
-rwxr-xr-xcontrib/seeds/generate-seeds.py117
-rw-r--r--contrib/seeds/nodes_main.txt548
-rw-r--r--contrib/seeds/nodes_test.txt19
-rw-r--r--contrib/shell/git-utils.bash14
-rw-r--r--contrib/shell/realpath.bash71
-rw-r--r--contrib/signet/README.md33
-rwxr-xr-xcontrib/signet/miner36
-rw-r--r--contrib/testgen/README.md4
-rwxr-xr-xcontrib/testgen/gen_key_io_test_vectors.py84
-rw-r--r--contrib/verify-commits/trusted-keys1
-rwxr-xr-xcontrib/verifybinaries/verify.py4
-rwxr-xr-xcontrib/windeploy/detached-sig-create.sh2
-rw-r--r--contrib/windeploy/win-codesign.cert177
51 files changed, 3603 insertions, 1135 deletions
diff --git a/contrib/bitcoin-qt.pro b/contrib/bitcoin-qt.pro
deleted file mode 100644
index 0e4eeee0a7..0000000000
--- a/contrib/bitcoin-qt.pro
+++ /dev/null
@@ -1,22 +0,0 @@
-FORMS += \
- ../src/qt/forms/aboutdialog.ui \
- ../src/qt/forms/addressbookpage.ui \
- ../src/qt/forms/askpassphrasedialog.ui \
- ../src/qt/forms/coincontroldialog.ui \
- ../src/qt/forms/editaddressdialog.ui \
- ../src/qt/forms/helpmessagedialog.ui \
- ../src/qt/forms/intro.ui \
- ../src/qt/forms/openuridialog.ui \
- ../src/qt/forms/optionsdialog.ui \
- ../src/qt/forms/overviewpage.ui \
- ../src/qt/forms/receivecoinsdialog.ui \
- ../src/qt/forms/receiverequestdialog.ui \
- ../src/qt/forms/debugwindow.ui \
- ../src/qt/forms/sendcoinsdialog.ui \
- ../src/qt/forms/sendcoinsentry.ui \
- ../src/qt/forms/signverifymessagedialog.ui \
- ../src/qt/forms/transactiondescdialog.ui \
- ../src/qt/forms/createwalletdialog.ui
-
-RESOURCES += \
- ../src/qt/bitcoin.qrc
diff --git a/contrib/debian/copyright b/contrib/debian/copyright
index 7ee7f056d9..6d23f600c3 100644
--- a/contrib/debian/copyright
+++ b/contrib/debian/copyright
@@ -1,7 +1,7 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Bitcoin
Upstream-Contact: Satoshi Nakamoto <satoshin@gmx.com>
- irc://#bitcoin@freenode.net
+ irc://#bitcoin-core-dev@libera.chat
Source: https://github.com/bitcoin/bitcoin
Files: *
@@ -87,7 +87,7 @@ Files: src/qt/res/icons/proxy.png
Copyright: Cristian Mircea Messel
License: public-domain
-Files: src/qt/fonts/RobotoMono-Bold.ttf
+Files: src/qt/res/fonts/RobotoMono-Bold.ttf
License: Apache-2.0
Comment: Site: https://fonts.google.com/specimen/Roboto+Mono
diff --git a/contrib/devtools/README.md b/contrib/devtools/README.md
index bdff7a84b0..1fa850af1a 100644
--- a/contrib/devtools/README.md
+++ b/contrib/devtools/README.md
@@ -7,7 +7,8 @@ clang-format-diff.py
A script to format unified git diffs according to [.clang-format](../../src/.clang-format).
-Requires `clang-format`, installed e.g. via `brew install clang-format` on macOS.
+Requires `clang-format`, installed e.g. via `brew install clang-format` on macOS,
+or `sudo apt install clang-format` on Debian/Ubuntu.
For instance, to format the last commit with 0 lines of context,
the script should be called from the git root folder as follows.
diff --git a/contrib/devtools/pixie.py b/contrib/devtools/pixie.py
index 8cf06a799a..64660968ad 100644
--- a/contrib/devtools/pixie.py
+++ b/contrib/devtools/pixie.py
@@ -217,7 +217,7 @@ def _parse_verneed(section: Section, strings: bytes, eh: ELFHeader) -> Dict[int,
result = {}
while True:
verneed = Verneed(data, ofs, eh)
- aofs = verneed.vn_aux
+ aofs = ofs + verneed.vn_aux
while True:
vernaux = Vernaux(data, aofs, eh, strings)
result[vernaux.vna_other] = vernaux.name
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index 7b09c42fde..0b59d8eada 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -6,22 +6,13 @@
Perform basic security checks on a series of executables.
Exit status will be 0 if successful, and the program will be silent.
Otherwise the exit status will be 1 and it will log which executables failed which checks.
-Needs `objdump` (for PE) and `otool` (for MACHO).
'''
-import subprocess
import sys
-import os
from typing import List, Optional
+import lief
import pixie
-OBJDUMP_CMD = os.getenv('OBJDUMP', '/usr/bin/objdump')
-OTOOL_CMD = os.getenv('OTOOL', '/usr/bin/otool')
-
-def run_command(command) -> str:
- p = subprocess.run(command, stdout=subprocess.PIPE, check=True, universal_newlines=True)
- return p.stdout
-
def check_ELF_PIE(executable) -> bool:
'''
Check for position independent executable (PIE), allowing for address space randomization.
@@ -143,112 +134,72 @@ def check_ELF_separate_code(executable):
return False
return True
-def get_PE_dll_characteristics(executable) -> int:
- '''Get PE DllCharacteristics bits'''
- stdout = run_command([OBJDUMP_CMD, '-x', executable])
-
- bits = 0
- for line in stdout.splitlines():
- tokens = line.split()
- if len(tokens)>=2 and tokens[0] == 'DllCharacteristics':
- bits = int(tokens[1],16)
- return bits
-
-IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
-IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040
-IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100
-
def check_PE_DYNAMIC_BASE(executable) -> bool:
'''PIE: DllCharacteristics bit 0x40 signifies dynamicbase (ASLR)'''
- bits = get_PE_dll_characteristics(executable)
- return (bits & IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE) == IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE
+ binary = lief.parse(executable)
+ return lief.PE.DLL_CHARACTERISTICS.DYNAMIC_BASE in binary.optional_header.dll_characteristics_lists
# Must support high-entropy 64-bit address space layout randomization
# in addition to DYNAMIC_BASE to have secure ASLR.
def check_PE_HIGH_ENTROPY_VA(executable) -> bool:
'''PIE: DllCharacteristics bit 0x20 signifies high-entropy ASLR'''
- bits = get_PE_dll_characteristics(executable)
- return (bits & IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA) == IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA
+ binary = lief.parse(executable)
+ return lief.PE.DLL_CHARACTERISTICS.HIGH_ENTROPY_VA in binary.optional_header.dll_characteristics_lists
def check_PE_RELOC_SECTION(executable) -> bool:
'''Check for a reloc section. This is required for functional ASLR.'''
- stdout = run_command([OBJDUMP_CMD, '-h', executable])
+ binary = lief.parse(executable)
+ return binary.has_relocations
- for line in stdout.splitlines():
- if '.reloc' in line:
- return True
- return False
-
-def check_PE_NX(executable) -> bool:
- '''NX: DllCharacteristics bit 0x100 signifies nxcompat (DEP)'''
- bits = get_PE_dll_characteristics(executable)
- return (bits & IMAGE_DLL_CHARACTERISTICS_NX_COMPAT) == IMAGE_DLL_CHARACTERISTICS_NX_COMPAT
-
-def get_MACHO_executable_flags(executable) -> List[str]:
- stdout = run_command([OTOOL_CMD, '-vh', executable])
+def check_MACHO_NOUNDEFS(executable) -> bool:
+ '''
+ Check for no undefined references.
+ '''
+ binary = lief.parse(executable)
+ return binary.header.has(lief.MachO.HEADER_FLAGS.NOUNDEFS)
- flags: List[str] = []
- for line in stdout.splitlines():
- tokens = line.split()
- # filter first two header lines
- if 'magic' in tokens or 'Mach' in tokens:
- continue
- # filter ncmds and sizeofcmds values
- flags += [t for t in tokens if not t.isdigit()]
- return flags
+def check_MACHO_LAZY_BINDINGS(executable) -> bool:
+ '''
+ Check for no lazy bindings.
+ We don't use or check for MH_BINDATLOAD. See #18295.
+ '''
+ binary = lief.parse(executable)
+ return binary.dyld_info.lazy_bind == (0,0)
-def check_MACHO_PIE(executable) -> bool:
+def check_MACHO_Canary(executable) -> bool:
'''
- Check for position independent executable (PIE), allowing for address space randomization.
+ Check for use of stack canary
'''
- flags = get_MACHO_executable_flags(executable)
- if 'PIE' in flags:
- return True
- return False
+ binary = lief.parse(executable)
+ return binary.has_symbol('___stack_chk_fail')
-def check_MACHO_NOUNDEFS(executable) -> bool:
+def check_PIE(executable) -> bool:
'''
- Check for no undefined references.
+ Check for position independent executable (PIE),
+ allowing for address space randomization.
'''
- flags = get_MACHO_executable_flags(executable)
- if 'NOUNDEFS' in flags:
- return True
- return False
+ binary = lief.parse(executable)
+ return binary.is_pie
-def check_MACHO_NX(executable) -> bool:
+def check_NX(executable) -> bool:
'''
Check for no stack execution
'''
- flags = get_MACHO_executable_flags(executable)
- if 'ALLOW_STACK_EXECUTION' in flags:
- return False
- return True
+ binary = lief.parse(executable)
+ return binary.has_nx
-def check_MACHO_LAZY_BINDINGS(executable) -> bool:
+def check_control_flow(executable) -> bool:
'''
- Check for no lazy bindings.
- We don't use or check for MH_BINDATLOAD. See #18295.
+ Check for control flow instrumentation
'''
- stdout = run_command([OTOOL_CMD, '-l', executable])
+ binary = lief.parse(executable)
- for line in stdout.splitlines():
- tokens = line.split()
- if 'lazy_bind_off' in tokens or 'lazy_bind_size' in tokens:
- if tokens[1] != '0':
- return False
- return True
+ content = binary.get_content_from_virtual_address(binary.entrypoint, 4, lief.Binary.VA_TYPES.AUTO)
-def check_MACHO_Canary(executable) -> bool:
- '''
- Check for use of stack canary
- '''
- stdout = run_command([OTOOL_CMD, '-Iv', executable])
+ if content == [243, 15, 30, 250]: # endbr64
+ return True
+ return False
- ok = False
- for line in stdout.splitlines():
- if '___stack_chk_fail' in line:
- ok = True
- return ok
CHECKS = {
'ELF': [
@@ -259,17 +210,19 @@ CHECKS = {
('separate_code', check_ELF_separate_code),
],
'PE': [
+ ('PIE', check_PIE),
('DYNAMIC_BASE', check_PE_DYNAMIC_BASE),
('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
- ('NX', check_PE_NX),
+ ('NX', check_NX),
('RELOC_SECTION', check_PE_RELOC_SECTION)
],
'MACHO': [
- ('PIE', check_MACHO_PIE),
+ ('PIE', check_PIE),
('NOUNDEFS', check_MACHO_NOUNDEFS),
- ('NX', check_MACHO_NX),
+ ('NX', check_NX),
('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS),
- ('Canary', check_MACHO_Canary)
+ ('Canary', check_MACHO_Canary),
+ ('CONTROL_FLOW', check_control_flow),
]
}
@@ -285,24 +238,24 @@ def identify_executable(executable) -> Optional[str]:
return None
if __name__ == '__main__':
- retval = 0
+ retval: int = 0
for filename in sys.argv[1:]:
try:
etype = identify_executable(filename)
if etype is None:
- print('%s: unknown format' % filename)
+ print(f'{filename}: unknown format')
retval = 1
continue
- failed = []
+ failed: List[str] = []
for (name, func) in CHECKS[etype]:
if not func(filename):
failed.append(name)
if failed:
- print('%s: failed %s' % (filename, ' '.join(failed)))
+ print(f'{filename}: failed {" ".join(failed)}')
retval = 1
except IOError:
- print('%s: cannot open' % filename)
+ print(f'{filename}: cannot open')
retval = 1
sys.exit(retval)
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index b30ed62521..61f727fa63 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -3,20 +3,22 @@
# Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
'''
-A script to check that the executables produced by gitian only contain
-certain symbols and are only linked against allowed libraries.
+A script to check that release executables only contain certain symbols
+and are only linked against allowed libraries.
Example usage:
- find ../gitian-builder/build -type f -executable | xargs python3 contrib/devtools/symbol-check.py
+ find ../path/to/binaries -type f -executable | xargs python3 contrib/devtools/symbol-check.py
'''
import subprocess
import sys
-import os
from typing import List, Optional
+import lief
import pixie
+from utils import determine_wellknown_cmd
+
# Debian 8 (Jessie) EOL: 2020. https://wiki.debian.org/DebianReleases#Production_Releases
#
# - g++ version 4.9.2 (https://packages.debian.org/search?suite=jessie&arch=any&searchon=names&keywords=g%2B%2B)
@@ -40,8 +42,16 @@ import pixie
#
MAX_VERSIONS = {
'GCC': (4,8,0),
-'GLIBC': (2,17),
-'LIBATOMIC': (1,0)
+'GLIBC': {
+ pixie.EM_386: (2,17),
+ pixie.EM_X86_64: (2,17),
+ pixie.EM_ARM: (2,17),
+ pixie.EM_AARCH64:(2,17),
+ pixie.EM_PPC64: (2,17),
+ pixie.EM_RISCV: (2,27),
+},
+'LIBATOMIC': (1,0),
+'V': (0,5,0), # xkb (bitcoin-qt only)
}
# See here for a description of _IO_stdin_used:
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634261#109
@@ -51,9 +61,6 @@ IGNORE_EXPORTS = {
'_edata', '_end', '__end__', '_init', '__bss_start', '__bss_start__', '_bss_end__', '__bss_end__', '_fini', '_IO_stdin_used', 'stdin', 'stdout', 'stderr',
'environ', '_environ', '__environ',
}
-CPPFILT_CMD = os.getenv('CPPFILT', '/usr/bin/c++filt')
-OBJDUMP_CMD = os.getenv('OBJDUMP', '/usr/bin/objdump')
-OTOOL_CMD = os.getenv('OTOOL', '/usr/bin/otool')
# Allowed NEEDED libraries
ELF_ALLOWED_LIBRARIES = {
@@ -73,18 +80,12 @@ ELF_ALLOWED_LIBRARIES = {
'ld-linux-riscv64-lp64d.so.1', # 64-bit RISC-V dynamic linker
# bitcoin-qt only
'libxcb.so.1', # part of X11
+'libxkbcommon.so.0', # keyboard keymapping
+'libxkbcommon-x11.so.0', # keyboard keymapping
'libfontconfig.so.1', # font support
'libfreetype.so.6', # font parsing
'libdl.so.2' # programming interface to dynamic linker
}
-ARCH_MIN_GLIBC_VER = {
-pixie.EM_386: (2,1),
-pixie.EM_X86_64: (2,2,5),
-pixie.EM_ARM: (2,4),
-pixie.EM_AARCH64:(2,17),
-pixie.EM_PPC64: (2,17),
-pixie.EM_RISCV: (2,27)
-}
MACHO_ALLOWED_LIBRARIES = {
# bitcoind and bitcoin-qt
@@ -98,10 +99,15 @@ MACHO_ALLOWED_LIBRARIES = {
'CoreGraphics', # 2D rendering
'CoreServices', # operating system services
'CoreText', # interface for laying out text and handling fonts.
+'CoreVideo', # video processing
'Foundation', # base layer functionality for apps/frameworks
'ImageIO', # read and write image file formats.
'IOKit', # user-space access to hardware devices and drivers.
+'IOSurface', # cross process image/drawing buffers
'libobjc.A.dylib', # Objective-C runtime library
+'Metal', # 3D graphics
+'Security', # access control and authentication
+'QuartzCore', # animation
}
PE_ALLOWED_LIBRARIES = {
@@ -116,12 +122,15 @@ PE_ALLOWED_LIBRARIES = {
'dwmapi.dll', # desktop window manager
'GDI32.dll', # graphics device interface
'IMM32.dll', # input method editor
+'NETAPI32.dll',
'ole32.dll', # component object model
'OLEAUT32.dll', # OLE Automation API
'SHLWAPI.dll', # light weight shell API
+'USERENV.dll',
'UxTheme.dll',
'VERSION.dll', # version checking
'WINMM.dll', # WinMM audio API
+'WTSAPI32.dll',
}
class CPPFilt(object):
@@ -131,7 +140,7 @@ class CPPFilt(object):
Use a pipe to the 'c++filt' command.
'''
def __init__(self):
- self.proc = subprocess.Popen(CPPFILT_CMD, stdin=subprocess.PIPE, stdout=subprocess.PIPE, universal_newlines=True)
+ self.proc = subprocess.Popen(determine_wellknown_cmd('CPPFILT', 'c++filt'), stdin=subprocess.PIPE, stdout=subprocess.PIPE, universal_newlines=True)
def __call__(self, mangled):
self.proc.stdin.write(mangled + '\n')
@@ -152,7 +161,10 @@ def check_version(max_versions, version, arch) -> bool:
ver = tuple([int(x) for x in ver.split('.')])
if not lib in max_versions:
return False
- return ver <= max_versions[lib] or lib == 'GLIBC' and ver <= ARCH_MIN_GLIBC_VER[arch]
+ if isinstance(max_versions[lib], tuple):
+ return ver <= max_versions[lib]
+ else:
+ return ver <= max_versions[lib][arch]
def check_imported_symbols(filename) -> bool:
elf = pixie.load(filename)
@@ -193,47 +205,45 @@ def check_ELF_libraries(filename) -> bool:
ok = False
return ok
-def macho_read_libraries(filename) -> List[str]:
- p = subprocess.Popen([OTOOL_CMD, '-L', filename], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
- (stdout, stderr) = p.communicate()
- if p.returncode:
- raise IOError('Error opening file')
- libraries = []
- for line in stdout.splitlines():
- tokens = line.split()
- if len(tokens) == 1: # skip executable name
- continue
- libraries.append(tokens[0].split('/')[-1])
- return libraries
-
def check_MACHO_libraries(filename) -> bool:
ok: bool = True
- for dylib in macho_read_libraries(filename):
- if dylib not in MACHO_ALLOWED_LIBRARIES:
- print('{} is not in ALLOWED_LIBRARIES!'.format(dylib))
+ binary = lief.parse(filename)
+ for dylib in binary.libraries:
+ split = dylib.name.split('/')
+ if split[-1] not in MACHO_ALLOWED_LIBRARIES:
+ print(f'{split[-1]} is not in ALLOWED_LIBRARIES!')
ok = False
return ok
-def pe_read_libraries(filename) -> List[str]:
- p = subprocess.Popen([OBJDUMP_CMD, '-x', filename], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
- (stdout, stderr) = p.communicate()
- if p.returncode:
- raise IOError('Error opening file')
- libraries = []
- for line in stdout.splitlines():
- if 'DLL Name:' in line:
- tokens = line.split(': ')
- libraries.append(tokens[1])
- return libraries
+def check_MACHO_min_os(filename) -> bool:
+ binary = lief.parse(filename)
+ if binary.build_version.minos == [10,14,0]:
+ return True
+ return False
+
+def check_MACHO_sdk(filename) -> bool:
+ binary = lief.parse(filename)
+ if binary.build_version.sdk == [10, 15, 6]:
+ return True
+ return False
def check_PE_libraries(filename) -> bool:
ok: bool = True
- for dylib in pe_read_libraries(filename):
+ binary = lief.parse(filename)
+ for dylib in binary.libraries:
if dylib not in PE_ALLOWED_LIBRARIES:
- print('{} is not in ALLOWED_LIBRARIES!'.format(dylib))
+ print(f'{dylib} is not in ALLOWED_LIBRARIES!')
ok = False
return ok
+def check_PE_subsystem_version(filename) -> bool:
+ binary = lief.parse(filename)
+ major: int = binary.optional_header.major_subsystem_version
+ minor: int = binary.optional_header.minor_subsystem_version
+ if major == 6 and minor == 1:
+ return True
+ return False
+
CHECKS = {
'ELF': [
('IMPORTED_SYMBOLS', check_imported_symbols),
@@ -241,10 +251,13 @@ CHECKS = {
('LIBRARY_DEPENDENCIES', check_ELF_libraries)
],
'MACHO': [
- ('DYNAMIC_LIBRARIES', check_MACHO_libraries)
+ ('DYNAMIC_LIBRARIES', check_MACHO_libraries),
+ ('MIN_OS', check_MACHO_min_os),
+ ('SDK', check_MACHO_sdk),
],
'PE' : [
- ('DYNAMIC_LIBRARIES', check_PE_libraries)
+ ('DYNAMIC_LIBRARIES', check_PE_libraries),
+ ('SUBSYSTEM_VERSION', check_PE_subsystem_version),
]
}
@@ -265,7 +278,7 @@ if __name__ == '__main__':
try:
etype = identify_executable(filename)
if etype is None:
- print('{}: unknown format'.format(filename))
+ print(f'{filename}: unknown format')
retval = 1
continue
@@ -274,9 +287,9 @@ if __name__ == '__main__':
if not func(filename):
failed.append(name)
if failed:
- print('{}: failed {}'.format(filename, ' '.join(failed)))
+ print(f'{filename}: failed {" ".join(failed)}')
retval = 1
except IOError:
- print('{}: cannot open'.format(filename))
+ print(f'{filename}: cannot open')
retval = 1
sys.exit(retval)
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
index ec2d886653..14058e2cc8 100755
--- a/contrib/devtools/test-security-check.py
+++ b/contrib/devtools/test-security-check.py
@@ -5,9 +5,12 @@
'''
Test script for security-check.py
'''
+import os
import subprocess
import unittest
+from utils import determine_wellknown_cmd
+
def write_testcode(filename):
with open(filename, 'w', encoding="utf8") as f:
f.write('''
@@ -19,8 +22,12 @@ def write_testcode(filename):
}
''')
+def clean_files(source, executable):
+ os.remove(source)
+ os.remove(executable)
+
def call_security_check(cc, source, executable, options):
- subprocess.run([cc,source,'-o',executable] + options, check=True)
+ subprocess.run([*cc,source,'-o',executable] + options, check=True)
p = subprocess.run(['./contrib/devtools/security-check.py',executable], stdout=subprocess.PIPE, universal_newlines=True)
return (p.returncode, p.stdout.rstrip())
@@ -28,7 +35,7 @@ class TestSecurityChecks(unittest.TestCase):
def test_ELF(self):
source = 'test1.c'
executable = 'test1'
- cc = 'gcc'
+ cc = determine_wellknown_cmd('CC', 'gcc')
write_testcode(source)
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
@@ -44,42 +51,51 @@ class TestSecurityChecks(unittest.TestCase):
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
(0, ''))
+ clean_files(source, executable)
+
def test_PE(self):
source = 'test1.c'
executable = 'test1.exe'
- cc = 'x86_64-w64-mingw32-gcc'
+ cc = determine_wellknown_cmd('CC', 'x86_64-w64-mingw32-gcc')
write_testcode(source)
- self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
- (1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA NX RELOC_SECTION'))
- self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
- (1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA RELOC_SECTION'))
- self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
- (1, executable+': failed HIGH_ENTROPY_VA RELOC_SECTION'))
- self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-no-pie','-fno-PIE']),
- (1, executable+': failed RELOC_SECTION'))
- self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE']),
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat','-Wl,--disable-reloc-section','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
+ (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA NX RELOC_SECTION'))
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--disable-reloc-section','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
+ (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA RELOC_SECTION'))
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
+ (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA'))
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-pie','-fPIE']),
+ (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA')) # -pie -fPIE does nothing unless --dynamicbase is also supplied
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--no-high-entropy-va','-pie','-fPIE']),
+ (1, executable+': failed HIGH_ENTROPY_VA'))
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE']),
(0, ''))
+ clean_files(source, executable)
+
def test_MACHO(self):
source = 'test1.c'
executable = 'test1'
- cc = 'clang'
+ cc = determine_wellknown_cmd('CC', 'clang')
write_testcode(source)
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']),
- (1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS Canary'))
+ (1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS Canary CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']),
- (1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS'))
+ (1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']),
- (1, executable+': failed PIE NOUNDEFS LAZY_BINDINGS'))
+ (1, executable+': failed PIE NOUNDEFS LAZY_BINDINGS CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']),
- (1, executable+': failed PIE LAZY_BINDINGS'))
+ (1, executable+': failed PIE LAZY_BINDINGS CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all']),
+ (1, executable+': failed PIE CONTROL_FLOW'))
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']),
(1, executable+': failed PIE'))
- self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all']),
+ self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']),
(0, ''))
+ clean_files(source, executable)
+
if __name__ == '__main__':
unittest.main()
-
diff --git a/contrib/devtools/test-symbol-check.py b/contrib/devtools/test-symbol-check.py
index ee7bfc9805..7d83c5f751 100755
--- a/contrib/devtools/test-symbol-check.py
+++ b/contrib/devtools/test-symbol-check.py
@@ -5,44 +5,53 @@
'''
Test script for symbol-check.py
'''
+import os
import subprocess
+from typing import List
import unittest
-def call_symbol_check(cc, source, executable, options):
- subprocess.run([cc,source,'-o',executable] + options, check=True)
+from utils import determine_wellknown_cmd
+
+def call_symbol_check(cc: List[str], source, executable, options):
+ subprocess.run([*cc,source,'-o',executable] + options, check=True)
p = subprocess.run(['./contrib/devtools/symbol-check.py',executable], stdout=subprocess.PIPE, universal_newlines=True)
+ os.remove(source)
+ os.remove(executable)
return (p.returncode, p.stdout.rstrip())
-def get_machine(cc):
- p = subprocess.run([cc,'-dumpmachine'], stdout=subprocess.PIPE, universal_newlines=True)
+def get_machine(cc: List[str]):
+ p = subprocess.run([*cc,'-dumpmachine'], stdout=subprocess.PIPE, universal_newlines=True)
return p.stdout.rstrip()
class TestSymbolChecks(unittest.TestCase):
def test_ELF(self):
source = 'test1.c'
executable = 'test1'
- cc = 'gcc'
+ cc = determine_wellknown_cmd('CC', 'gcc')
+
+ # there's no way to do this test for RISC-V at the moment; we build for
+ # RISC-V in a glibc 2.27 envinonment and we allow all symbols from 2.27.
+ if 'riscv' in get_machine(cc):
+ self.skipTest("test not available for RISC-V")
- # renameat2 was introduced in GLIBC 2.28, so is newer than the upper limit
- # of glibc for all platforms
+ # nextup was introduced in GLIBC 2.24, so is newer than our supported
+ # glibc (2.17), and available in our release build environment (2.24).
with open(source, 'w', encoding="utf8") as f:
f.write('''
#define _GNU_SOURCE
- #include <stdio.h>
- #include <linux/fs.h>
+ #include <math.h>
- int renameat2(int olddirfd, const char *oldpath,
- int newdirfd, const char *newpath, unsigned int flags);
+ double nextup(double x);
int main()
{
- renameat2(0, "test", 0, "test_", RENAME_EXCHANGE);
+ nextup(3.14);
return 0;
}
''')
- self.assertEqual(call_symbol_check(cc, source, executable, []),
- (1, executable + ': symbol renameat2 from unsupported version GLIBC_2.28\n' +
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-lm']),
+ (1, executable + ': symbol nextup from unsupported version GLIBC_2.24\n' +
executable + ': failed IMPORTED_SYMBOLS'))
# -lutil is part of the libc6 package so a safe bet that it's installed
@@ -83,7 +92,7 @@ class TestSymbolChecks(unittest.TestCase):
def test_MACHO(self):
source = 'test1.c'
executable = 'test1'
- cc = 'clang'
+ cc = determine_wellknown_cmd('CC', 'clang')
with open(source, 'w', encoding="utf8") as f:
f.write('''
@@ -97,9 +106,9 @@ class TestSymbolChecks(unittest.TestCase):
''')
- self.assertEqual(call_symbol_check(cc, source, executable, ['-lexpat']),
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-lexpat', '-Wl,-platform_version','-Wl,macos', '-Wl,11.4', '-Wl,11.4']),
(1, 'libexpat.1.dylib is not in ALLOWED_LIBRARIES!\n' +
- executable + ': failed DYNAMIC_LIBRARIES'))
+ f'{executable}: failed DYNAMIC_LIBRARIES MIN_OS SDK'))
source = 'test2.c'
executable = 'test2'
@@ -114,13 +123,26 @@ class TestSymbolChecks(unittest.TestCase):
}
''')
- self.assertEqual(call_symbol_check(cc, source, executable, ['-framework', 'CoreGraphics']),
- (0, ''))
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-framework', 'CoreGraphics', '-Wl,-platform_version','-Wl,macos', '-Wl,11.4', '-Wl,11.4']),
+ (1, f'{executable}: failed MIN_OS SDK'))
+
+ source = 'test3.c'
+ executable = 'test3'
+ with open(source, 'w', encoding="utf8") as f:
+ f.write('''
+ int main()
+ {
+ return 0;
+ }
+ ''')
+
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-Wl,-platform_version','-Wl,macos', '-Wl,10.14', '-Wl,11.4']),
+ (1, f'{executable}: failed SDK'))
def test_PE(self):
source = 'test1.c'
executable = 'test1.exe'
- cc = 'x86_64-w64-mingw32-gcc'
+ cc = determine_wellknown_cmd('CC', 'x86_64-w64-mingw32-gcc')
with open(source, 'w', encoding="utf8") as f:
f.write('''
@@ -133,12 +155,26 @@ class TestSymbolChecks(unittest.TestCase):
}
''')
- self.assertEqual(call_symbol_check(cc, source, executable, ['-lpdh']),
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-lpdh', '-Wl,--major-subsystem-version', '-Wl,6', '-Wl,--minor-subsystem-version', '-Wl,1']),
(1, 'pdh.dll is not in ALLOWED_LIBRARIES!\n' +
executable + ': failed DYNAMIC_LIBRARIES'))
source = 'test2.c'
executable = 'test2.exe'
+
+ with open(source, 'w', encoding="utf8") as f:
+ f.write('''
+ int main()
+ {
+ return 0;
+ }
+ ''')
+
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-Wl,--major-subsystem-version', '-Wl,9', '-Wl,--minor-subsystem-version', '-Wl,9']),
+ (1, executable + ': failed SUBSYSTEM_VERSION'))
+
+ source = 'test3.c'
+ executable = 'test3.exe'
with open(source, 'w', encoding="utf8") as f:
f.write('''
#include <windows.h>
@@ -150,10 +186,9 @@ class TestSymbolChecks(unittest.TestCase):
}
''')
- self.assertEqual(call_symbol_check(cc, source, executable, ['-lole32']),
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-lole32', '-Wl,--major-subsystem-version', '-Wl,6', '-Wl,--minor-subsystem-version', '-Wl,1']),
(0, ''))
if __name__ == '__main__':
unittest.main()
-
diff --git a/contrib/devtools/utils.py b/contrib/devtools/utils.py
new file mode 100755
index 0000000000..68ad1c3aba
--- /dev/null
+++ b/contrib/devtools/utils.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+# Copyright (c) 2021 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+'''
+Common utility functions
+'''
+import shutil
+import sys
+import os
+from typing import List
+
+
+def determine_wellknown_cmd(envvar, progname) -> List[str]:
+ maybe_env = os.getenv(envvar)
+ maybe_which = shutil.which(progname)
+ if maybe_env:
+ return maybe_env.split(' ') # Well-known vars are often meant to be word-split
+ elif maybe_which:
+ return [ maybe_which ]
+ else:
+ sys.exit(f"{progname} not found")
diff --git a/contrib/gitian-build.py b/contrib/gitian-build.py
index 60acb0d593..5df87d9e70 100755
--- a/contrib/gitian-build.py
+++ b/contrib/gitian-build.py
@@ -210,7 +210,7 @@ def main():
args.macos = 'm' in args.os
# Disable for MacOS if no SDK found
- if args.macos and not os.path.isfile('gitian-builder/inputs/Xcode-11.3.1-11C505-extracted-SDK-with-libcxx-headers.tar.gz'):
+ if args.macos and not os.path.isfile('gitian-builder/inputs/Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz'):
print('Cannot build for MacOS, SDK does not exist. Will build for other OSes')
args.macos = False
diff --git a/contrib/gitian-descriptors/assign_DISTNAME b/contrib/gitian-descriptors/assign_DISTNAME
index a2ca768aaa..330fbc041b 100755..100644
--- a/contrib/gitian-descriptors/assign_DISTNAME
+++ b/contrib/gitian-descriptors/assign_DISTNAME
@@ -4,7 +4,7 @@
#
# A helper script to be sourced into the gitian descriptors
-if RECENT_TAG="$(git describe --exact-match HEAD)"; then
+if RECENT_TAG="$(git describe --exact-match HEAD 2> /dev/null)"; then
VERSION="${RECENT_TAG#v}"
else
VERSION="$(git rev-parse --short=12 HEAD)"
diff --git a/contrib/gitian-descriptors/gitian-linux.yml b/contrib/gitian-descriptors/gitian-linux.yml
index b06fc782a3..e6dce7a8c6 100644
--- a/contrib/gitian-descriptors/gitian-linux.yml
+++ b/contrib/gitian-descriptors/gitian-linux.yml
@@ -11,6 +11,7 @@ packages:
- "autoconf"
- "automake"
- "binutils"
+- "bison"
- "bsdmainutils"
- "ca-certificates"
- "curl"
@@ -22,6 +23,7 @@ packages:
- "patch"
- "pkg-config"
- "python3"
+- "python3-pip"
# Cross compilation HOSTS:
# - arm-linux-gnueabihf
- "binutils-arm-linux-gnueabihf"
@@ -54,8 +56,6 @@ script: |
HOST_CXXFLAGS="-O2 -g"
HOST_LDFLAGS_BASE="-static-libstdc++ -Wl,-O2"
- export QT_RCC_TEST=1
- export QT_RCC_SOURCE_DATE_OVERRIDE=1
export TZ="UTC"
export BUILD_DIR="$PWD"
mkdir -p ${WRAP_DIR}
@@ -99,6 +99,8 @@ script: |
done
}
+ pip3 install lief==0.11.5
+
# Faketime for depends so intermediate results are comparable
export PATH_orig=${PATH}
create_global_faketime_wrappers "2000-01-01 12:00:00"
diff --git a/contrib/gitian-descriptors/gitian-osx-signer.yml b/contrib/gitian-descriptors/gitian-osx-signer.yml
index 3f0c0c3332..addad0a5d2 100644
--- a/contrib/gitian-descriptors/gitian-osx-signer.yml
+++ b/contrib/gitian-descriptors/gitian-osx-signer.yml
@@ -14,7 +14,7 @@ remotes:
"dir": "signature"
- "url": "https://github.com/achow101/signapple.git"
"dir": "signapple"
- "commit": "c7e73aa27a7615ac9506559173f787e2906b25eb"
+ "commit": "b084cbbf44d5330448ffce0c7d118f75781b64bd"
files:
- "bitcoin-osx-unsigned.tar.gz"
script: |
diff --git a/contrib/gitian-descriptors/gitian-osx.yml b/contrib/gitian-descriptors/gitian-osx.yml
index 0dc531df0e..a39618adb7 100644
--- a/contrib/gitian-descriptors/gitian-osx.yml
+++ b/contrib/gitian-descriptors/gitian-osx.yml
@@ -21,11 +21,9 @@ packages:
- "bsdmainutils"
- "cmake"
- "imagemagick"
-- "libcap-dev"
- "libz-dev"
-- "libbz2-dev"
- "python3"
-- "python3-dev"
+- "python3-pip"
- "python3-setuptools"
- "fonts-tuffy"
- "xorriso"
@@ -34,7 +32,7 @@ remotes:
- "url": "https://github.com/bitcoin/bitcoin.git"
"dir": "bitcoin"
files:
-- "Xcode-11.3.1-11C505-extracted-SDK-with-libcxx-headers.tar.gz"
+- "Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz"
script: |
set -e -o pipefail
@@ -44,8 +42,6 @@ script: |
FAKETIME_HOST_PROGS=""
FAKETIME_PROGS="ar ranlib date dmg xorrisofs"
- export QT_RCC_TEST=1
- export QT_RCC_SOURCE_DATE_OVERRIDE=1
export TZ="UTC"
export BUILD_DIR="$PWD"
mkdir -p ${WRAP_DIR}
@@ -82,6 +78,8 @@ script: |
done
}
+ pip3 install lief==0.11.5
+
# Faketime for depends so intermediate results are comparable
export PATH_orig=${PATH}
create_global_faketime_wrappers "2000-01-01 12:00:00"
@@ -92,7 +90,7 @@ script: |
BASEPREFIX="${PWD}/depends"
mkdir -p ${BASEPREFIX}/SDKs
- tar -C ${BASEPREFIX}/SDKs -xf ${BUILD_DIR}/Xcode-11.3.1-11C505-extracted-SDK-with-libcxx-headers.tar.gz
+ tar -C ${BASEPREFIX}/SDKs -xf ${BUILD_DIR}/Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz
# Build dependencies for each host
for i in $HOSTS; do
diff --git a/contrib/gitian-descriptors/gitian-win.yml b/contrib/gitian-descriptors/gitian-win.yml
index 95cf0185e2..ffe228a032 100644
--- a/contrib/gitian-descriptors/gitian-win.yml
+++ b/contrib/gitian-descriptors/gitian-win.yml
@@ -22,6 +22,7 @@ packages:
- "zip"
- "ca-certificates"
- "python3"
+- "python3-pip"
remotes:
- "url": "https://github.com/bitcoin/bitcoin.git"
"dir": "bitcoin"
@@ -37,8 +38,6 @@ script: |
HOST_CFLAGS="-O2 -g -fno-ident"
HOST_CXXFLAGS="-O2 -g -fno-ident"
- export QT_RCC_TEST=1
- export QT_RCC_SOURCE_DATE_OVERRIDE=1
export TZ="UTC"
export BUILD_DIR="$PWD"
mkdir -p ${WRAP_DIR}
@@ -87,6 +86,8 @@ script: |
done
}
+ pip3 install lief==0.11.5
+
# Faketime for depends so intermediate results are comparable
export PATH_orig=${PATH}
create_global_faketime_wrappers "2000-01-01 12:00:00"
diff --git a/contrib/guix/README.md b/contrib/guix/README.md
index e218ba89a0..e604b370e3 100644
--- a/contrib/guix/README.md
+++ b/contrib/guix/README.md
@@ -80,6 +80,50 @@ at the end of the `guix pull`)
export PATH="${HOME}/.config/guix/current/bin${PATH:+:}$PATH"
```
+### Controlling the number of threads used by `guix` build commands
+
+By default, the scripts under `./contrib/guix` will invoke all `guix` build
+commands with `--cores="$JOBS"`. Note that `$JOBS` defaults to `$(nproc)` if not
+specified. However, astute manual readers will also notice that there is a
+`--max-jobs=` flag (which defaults to 1 if unspecified).
+
+Here is the difference between `--cores=` and `--max-jobs=`:
+
+> Note: When I say "derivation," think "package"
+
+`--cores=`
+
+ - controls the number of CPU cores to build each derivation. This is the value
+ passed to `make`'s `--jobs=` flag.
+
+`--max-jobs=`
+
+ - controls how many derivations can be built in parallel
+ - defaults to 1
+
+Therefore, the default is for `guix` build commands to build one derivation at a
+time, utilizing `$JOBS` threads.
+
+Specifying the `$JOBS` environment variable will only modify `--cores=`, but you
+can also modify the value for `--max-jobs=` by specifying
+`$ADDITIONAL_GUIX_COMMON_FLAGS`. For example, if you have a LOT of memory, you
+may want to set:
+
+```sh
+export ADDITIONAL_GUIX_COMMON_FLAGS='--max-jobs=8'
+```
+
+Which allows for a maximum of 8 derivations to be built at the same time, each
+utilizing `$JOBS` threads.
+
+Or, if you'd like to avoid spurious build failures caused by issues with
+parallelism within a single package, but would still like to build multiple
+packages when the dependency graph allows for it, you may want to try:
+
+```sh
+export JOBS=1 ADDITIONAL_GUIX_COMMON_FLAGS='--max-jobs=8'
+```
+
## Usage
### As a Tool for Deterministic Builds
@@ -87,7 +131,7 @@ export PATH="${HOME}/.config/guix/current/bin${PATH:+:}$PATH"
From the top of a clean Bitcoin Core repository:
```sh
-./contrib/guix/guix-build.sh
+./contrib/guix/guix-build
```
After the build finishes successfully (check the status code please), compare
@@ -103,8 +147,8 @@ find output/ -type f -print0 | sort -z | xargs -r0 sha256sum
Override the space-separated list of platform triples for which to perform a
bootstrappable build. _(defaults to "x86\_64-linux-gnu arm-linux-gnueabihf
- aarch64-linux-gnu riscv64-linux-gnu x86_64-w64-mingw32
- x86_64-apple-darwin18")_
+ aarch64-linux-gnu riscv64-linux-gnu powerpc64-linux-gnu powerpc64le-linux-gnu
+ x86\_64-w64-mingw32 x86\_64-apple-darwin18")_
* _**SOURCES_PATH**_
@@ -118,12 +162,23 @@ find output/ -type f -print0 | sort -z | xargs -r0 sha256sum
depends tree. Setting this to the same directory across multiple builds of the
depends tree can eliminate unnecessary building of packages.
-* _**MAX_JOBS**_
+* _**SDK_PATH**_
+
+ Set the path where _extracted_ SDKs can be found. This is passed through to
+ the depends tree. Note that this is should be set to the _parent_ directory of
+ the actual SDK (e.g. SDK_PATH=$HOME/Downloads/macOS-SDKs instead of
+ $HOME/Downloads/macOS-SDKs/Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers).
+
+* _**JOBS**_
+
+ Override the number of jobs to run simultaneously, you might want to do so on
+ a memory-limited machine. This may be passed to:
- Override the maximum number of jobs to run simultaneously, you might want to
- do so on a memory-limited machine. This may be passed to `make` as in `make
- --jobs="$MAX_JOBS"` or `xargs` as in `xargs -P"$MAX_JOBS"`. _(defaults to the
- value of `nproc` outside the container)_
+ - `guix` build commands as in `guix environment --cores="$JOBS"`
+ - `make` as in `make --jobs="$JOBS"`
+ - `xargs` as in `xargs -P"$JOBS"`
+
+ _(defaults to the value of `nproc` outside the container)_
* _**SOURCE_DATE_EPOCH**_
@@ -150,10 +205,7 @@ find output/ -type f -print0 | sort -z | xargs -r0 sha256sum
* _**ADDITIONAL_GUIX_COMMON_FLAGS**_
- Additional flags to be passed to all `guix` commands. For a fully-bootstrapped
- build, set this to `--bootstrap --no-substitutes` (refer to the [security
- model section](#choosing-your-security-model) for more details). Note that a
- fully-bootstrapped build will take quite a long time on the first run.
+ Additional flags to be passed to all `guix` commands.
* _**ADDITIONAL_GUIX_TIMEMACHINE_FLAGS**_
@@ -210,6 +262,57 @@ To use dongcarl's substitute server for Bitcoin Core builds after having
export SUBSTITUTE_URLS='https://guix.carldong.io https://ci.guix.gnu.org'
```
+## Troubleshooting
+
+### Derivation failed to build
+
+When you see a build failure like below:
+
+```
+building /gnu/store/...-foo-3.6.12.drv...
+/ 'check' phasenote: keeping build directory `/tmp/guix-build-foo-3.6.12.drv-0'
+builder for `/gnu/store/...-foo-3.6.12.drv' failed with exit code 1
+build of /gnu/store/...-foo-3.6.12.drv failed
+View build log at '/var/log/guix/drvs/../...-foo-3.6.12.drv.bz2'.
+cannot build derivation `/gnu/store/...-qux-7.69.1.drv': 1 dependencies couldn't be built
+cannot build derivation `/gnu/store/...-bar-3.16.5.drv': 1 dependencies couldn't be built
+cannot build derivation `/gnu/store/...-baz-2.0.5.drv': 1 dependencies couldn't be built
+guix time-machine: error: build of `/gnu/store/...-baz-2.0.5.drv' failed
+```
+
+It means that `guix` failed to build a package named `foo`, which was a
+dependency of `qux`, `bar`, and `baz`. Importantly, note that the last "failed"
+line is not necessarily the root cause, the first "failed" line is.
+
+Most of the time, the build failure is due to a spurious test failure or the
+package's build system/test suite breaking when running multi-threaded. To
+rebuild _just_ this derivation in a single-threaded fashion:
+
+```sh
+$ guix build --cores=1 /gnu/store/...-foo-3.6.12.drv
+```
+
+If the single-threaded rebuild did not succeed, you may need to dig deeper.
+You may view `foo`'s build logs in `less` like so (please replace paths with the
+path you see in the build failure output):
+
+```sh
+$ bzcat /var/log/guix/drvs/../...-foo-3.6.12.drv.bz2 | less
+```
+
+`foo`'s build directory is also preserved and available at
+`/tmp/guix-build-foo-3.6.12.drv-0`. However, if you fail to build `foo` multiple
+times, it may be `/tmp/...drv-1` or `/tmp/...drv-2`. Always consult the build
+failure output for the most accurate, up-to-date information.
+
+#### python(-minimal): [Errno 84] Invalid or incomplete multibyte or wide character
+
+This error occurs when your `$TMPDIR` (default: /tmp) exists on a filesystem
+which rejects characters not present in the UTF-8 character code set. An example
+is ZFS with the utf8only=on option set.
+
+More information: https://bugs.python.org/issue37584
+
## FAQ
### How can I trust the binary installation?
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
new file mode 100755
index 0000000000..c8cf73d400
--- /dev/null
+++ b/contrib/guix/guix-attest
@@ -0,0 +1,240 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+
+# Source the common prelude, which:
+# 1. Checks if we're at the top directory of the Bitcoin Core repository
+# 2. Defines a few common functions and variables
+#
+# shellcheck source=libexec/prelude.bash
+source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
+
+
+###################
+## Sanity Checks ##
+###################
+
+################
+# Required non-builtin commands should be invokable
+################
+
+check_tools cat env basename mkdir xargs find
+if [ -z "$NO_SIGN" ]; then
+ check_tools gpg
+fi
+
+################
+# Required env vars should be non-empty
+################
+
+cmd_usage() {
+cat <<EOF
+Synopsis:
+
+ env GUIX_SIGS_REPO=<path/to/guix.sigs> \\
+ SIGNER=GPG_KEY_NAME[=SIGNER_NAME] \\
+ [ NO_SIGN=1 ]
+ ./contrib/guix/guix-attest
+
+Example w/o overriding signing name:
+
+ env GUIX_SIGS_REPO=/home/achow101/guix.sigs \\
+ SIGNER=achow101 \\
+ ./contrib/guix/guix-attest
+
+Example overriding signing name:
+
+ env GUIX_SIGS_REPO=/home/dongcarl/guix.sigs \\
+ SIGNER=0x96AB007F1A7ED999=dongcarl \\
+ ./contrib/guix/guix-attest
+
+Example w/o signing, just creating SHA256SUMS:
+
+ env GUIX_SIGS_REPO=/home/achow101/guix.sigs \\
+ SIGNER=achow101 \\
+ NO_SIGN=1 \\
+ ./contrib/guix/guix-attest
+
+EOF
+}
+
+if [ -z "$GUIX_SIGS_REPO" ] || [ -z "$SIGNER" ]; then
+ cmd_usage
+ exit 1
+fi
+
+################
+# GUIX_SIGS_REPO should exist as a directory
+################
+
+if [ ! -d "$GUIX_SIGS_REPO" ]; then
+cat << EOF
+ERR: The specified GUIX_SIGS_REPO is not an existent directory:
+
+ '$GUIX_SIGS_REPO'
+
+Hint: Please clone the guix.sigs repository and point to it with the
+ GUIX_SIGS_REPO environment variable.
+
+EOF
+cmd_usage
+exit 1
+fi
+
+################
+# The key specified in SIGNER should be usable
+################
+
+IFS='=' read -r gpg_key_name signer_name <<< "$SIGNER"
+if [ -z "${signer_name}" ]; then
+ signer_name="$gpg_key_name"
+fi
+
+if [ -z "$NO_SIGN" ] && ! gpg --dry-run --list-secret-keys "${gpg_key_name}" >/dev/null 2>&1; then
+ echo "ERR: GPG can't seem to find any key named '${gpg_key_name}'"
+ exit 1
+fi
+
+################
+# We should be able to find at least one output
+################
+
+echo "Looking for build output SHA256SUMS fragments in ${OUTDIR_BASE}"
+
+shopt -s nullglob
+sha256sum_fragments=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
+shopt -u nullglob
+
+noncodesigned_fragments=()
+codesigned_fragments=()
+
+if (( ${#sha256sum_fragments[@]} )); then
+ echo "Found build output SHA256SUMS fragments:"
+ for outdir in "${sha256sum_fragments[@]}"; do
+ echo " '$outdir'"
+ case "$outdir" in
+ "$OUTDIR_BASE"/*-codesigned/SHA256SUMS.part)
+ codesigned_fragments+=("$outdir")
+ ;;
+ *)
+ noncodesigned_fragments+=("$outdir")
+ ;;
+ esac
+ done
+ echo
+else
+ echo "ERR: Could not find any build output SHA256SUMS fragments in ${OUTDIR_BASE}"
+ exit 1
+fi
+
+##############
+## Attest ##
+##############
+
+# Usage: out_name $outdir
+#
+# HOST: The output directory being attested
+#
+out_name() {
+ basename "$(dirname "$1")"
+}
+
+shasum_already_exists() {
+cat <<EOF
+--
+
+ERR: An ${1} file already exists for '${VERSION}' and attests
+ differently. You likely previously attested to a partial build (e.g. one
+ where you specified the HOST environment variable).
+
+ See the diff above for more context.
+
+Hint: You may wish to remove the existing attestations and their signatures by
+ invoking:
+
+ rm '${PWD}/${1}'{,.asc}
+
+ Then try running this script again.
+
+EOF
+}
+
+echo "Attesting to build outputs for version: '${VERSION}'"
+echo ""
+
+outsigdir="$GUIX_SIGS_REPO/$VERSION/$signer_name"
+mkdir -p "$outsigdir"
+(
+ cd "$outsigdir"
+
+ temp_noncodesigned="$(mktemp)"
+ trap 'rm -rf -- "$temp_noncodesigned"' EXIT
+
+ if (( ${#noncodesigned_fragments[@]} )); then
+ cat "${noncodesigned_fragments[@]}" \
+ | sort -u \
+ | sort -k2 \
+ > "$temp_noncodesigned"
+ if [ -e noncodesigned.SHA256SUMS ]; then
+ # The SHA256SUMS already exists, make sure it's exactly what we
+ # expect, error out if not
+ if diff -u noncodesigned.SHA256SUMS "$temp_noncodesigned"; then
+ echo "A noncodesigned.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+ else
+ shasum_already_exists noncodesigned.SHA256SUMS
+ exit 1
+ fi
+ else
+ mv "$temp_noncodesigned" noncodesigned.SHA256SUMS
+ fi
+ else
+ echo "ERR: No noncodesigned outputs found for '${VERSION}', exiting..."
+ exit 1
+ fi
+
+ temp_codesigned="$(mktemp)"
+ trap 'rm -rf -- "$temp_codesigned"' EXIT
+
+ if (( ${#codesigned_fragments[@]} )); then
+ # Note: all.SHA256SUMS attests to all of $sha256sum_fragments, but is
+ # not needed if there are no $codesigned_fragments
+ cat "${sha256sum_fragments[@]}" \
+ | sort -u \
+ | sort -k2 \
+ > "$temp_codesigned"
+ if [ -e codesigned.SHA256SUMS ]; then
+ # The SHA256SUMS already exists, make sure it's exactly what we
+ # expect, error out if not
+ if diff -u all.SHA256SUMS "$temp_codesigned"; then
+ echo "An all.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+ else
+ shasum_already_exists all.SHA256SUMS
+ exit 1
+ fi
+ else
+ mv "$temp_codesigned" codesigned.SHA256SUMS
+ fi
+ else
+ # It is fine to have the codesigned outputs be missing (perhaps the
+ # detached codesigs have not been published yet), just print a log
+ # message instead of erroring out
+ echo "INFO: No codesigned outputs found for '${VERSION}', skipping..."
+ fi
+
+ if [ -z "$NO_SIGN" ]; then
+ echo "Signing SHA256SUMS to produce SHA256SUMS.asc"
+ for i in *.SHA256SUMS; do
+ if [ ! -e "$i".asc ]; then
+ gpg --detach-sign \
+ --local-user "$gpg_key_name" \
+ --armor \
+ --output "$i".asc "$i"
+ else
+ echo "Signature already there"
+ fi
+ done
+ else
+ echo "Not signing SHA256SUMS as \$NO_SIGN is not empty"
+ fi
+ echo ""
+)
diff --git a/contrib/guix/guix-build.sh b/contrib/guix/guix-build
index 7af132b240..29d6701b25 100755
--- a/contrib/guix/guix-build.sh
+++ b/contrib/guix/guix-build
@@ -2,22 +2,26 @@
export LC_ALL=C
set -e -o pipefail
+# Source the common prelude, which:
+# 1. Checks if we're at the top directory of the Bitcoin Core repository
+# 2. Defines a few common functions and variables
+#
+# shellcheck source=libexec/prelude.bash
+source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
+
+
###################
-## Sanity Checks ##
+## SANITY CHECKS ##
###################
################
-# Check 1: Make sure that we can invoke required tools
+# Required non-builtin commands should be invocable
################
-for cmd in git make guix cat mkdir; do
- if ! command -v "$cmd" > /dev/null 2>&1; then
- echo "ERR: This script requires that '$cmd' is installed and available in your \$PATH"
- exit 1
- fi
-done
+
+check_tools cat mkdir make git guix
################
-# Check 2: Make sure GUIX_BUILD_OPTIONS is empty
+# GUIX_BUILD_OPTIONS should be empty
################
#
# GUIX_BUILD_OPTIONS is an environment variable recognized by guix commands that
@@ -45,8 +49,9 @@ exit 1
fi
################
-# Check 3: Make sure that we're not in a dirty worktree
+# The git worktree should not be dirty
################
+
if ! git diff-index --quiet HEAD -- && [ -z "$FORCE_DIRTY_WORKTREE" ]; then
cat << EOF
ERR: The current git worktree is dirty, which may lead to broken builds.
@@ -60,12 +65,12 @@ Hint: To make your git worktree clean, You may want to:
using a dirty worktree
EOF
exit 1
-else
- GIT_COMMIT=$(git rev-parse --short=12 HEAD)
fi
+mkdir -p "$VERSION_BASE"
+
################
-# Check 4: Make sure that build directories do not exist
+# Build directories should not exist
################
# Default to building for all supported HOSTs (overridable by environment)
@@ -73,14 +78,12 @@ export HOSTS="${HOSTS:-x86_64-linux-gnu arm-linux-gnueabihf aarch64-linux-gnu ri
x86_64-w64-mingw32
x86_64-apple-darwin18}"
-DISTSRC_BASE="${DISTSRC_BASE:-${PWD}}"
-
# Usage: distsrc_for_host HOST
#
# HOST: The current platform triple we're building for
#
distsrc_for_host() {
- echo "${DISTSRC_BASE}/distsrc-${GIT_COMMIT}-${1}"
+ echo "${DISTSRC_BASE}/distsrc-${VERSION}-${1}"
}
# Accumulate a list of build directories that already exist...
@@ -100,24 +103,31 @@ ERR: Build directories for this commit already exist for the following platform
Aborting...
+Hint: To blow everything away, you may want to use:
+
+ $ ./contrib/guix/guix-clean
+
+Specifically, this will remove all files without an entry in the index,
+excluding the SDK directory, the depends download cache, the depends built
+packages cache, the garbage collector roots for Guix environments, and the
+output directory.
EOF
for host in $hosts_distsrc_exists; do
echo " ${host} '$(distsrc_for_host "$host")'"
done
exit 1
else
-
mkdir -p "$DISTSRC_BASE"
fi
################
-# Check 5: When building for darwin, make sure that the macOS SDK exists
+# When building for darwin, the macOS SDK should exists
################
for host in $HOSTS; do
case "$host" in
*darwin*)
- OSX_SDK="$(make -C "${PWD}/depends" --no-print-directory HOST="$host" print-OSX_SDK | sed 's@^[^=]\+=[[:space:]]\+@@g')"
+ OSX_SDK="$(make -C "${PWD}/depends" --no-print-directory HOST="$host" print-OSX_SDK | sed 's@^[^=]\+=@@g')"
if [ -e "$OSX_SDK" ]; then
echo "Found macOS SDK at '${OSX_SDK}', using..."
else
@@ -128,13 +138,62 @@ for host in $HOSTS; do
esac
done
+################
+# VERSION_BASE should have enough space
+################
+
+avail_KiB="$(df -Pk "$VERSION_BASE" | sed 1d | tr -s ' ' | cut -d' ' -f4)"
+total_required_KiB=0
+for host in $HOSTS; do
+ case "$host" in
+ *darwin*) required_KiB=440000 ;;
+ *mingw*) required_KiB=7600000 ;;
+ *) required_KiB=6400000 ;;
+ esac
+ total_required_KiB=$((total_required_KiB+required_KiB))
+done
+
+if (( total_required_KiB > avail_KiB )); then
+ total_required_GiB=$((total_required_KiB / 1048576))
+ avail_GiB=$((avail_KiB / 1048576))
+ echo "Performing a Bitcoin Core Guix build for the selected HOSTS requires ${total_required_GiB} GiB, however, only ${avail_GiB} GiB is available. Please free up some disk space before performing the build."
+ exit 1
+fi
+
+################
+# Check that we can connect to the guix-daemon
+################
+
+cat << EOF
+Checking that we can connect to the guix-daemon...
+
+Hint: If this hangs, you may want to try turning your guix-daemon off and on
+ again.
+
+EOF
+if ! guix gc --list-failures > /dev/null; then
+cat << EOF
+
+ERR: Failed to connect to the guix-daemon, please ensure that one is running and
+ reachable.
+EOF
+exit 1
+fi
+
+# Developer note: we could use `guix repl` for this check and run:
+#
+# (import (guix store)) (close-connection (open-connection))
+#
+# However, the internal API is likely to change more than the CLI invocation
+
+
#########
-# Setup #
+# SETUP #
#########
# Determine the maximum number of jobs to run simultaneously (overridable by
# environment)
-MAX_JOBS="${MAX_JOBS:-$(nproc)}"
+JOBS="${JOBS:-$(nproc)}"
# Usage: host_to_commonname HOST
#
@@ -149,12 +208,6 @@ host_to_commonname() {
esac
}
-# Download the depends sources now as we won't have internet access in the build
-# container
-for host in $HOSTS; do
- make -C "${PWD}/depends" -j"$MAX_JOBS" download-"$(host_to_commonname "$host")" ${V:+V=1} ${SOURCES_PATH:+SOURCES_PATH="$SOURCES_PATH"}
-done
-
# Determine the reference time used for determinism (overridable by environment)
SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git log --format=%at -1)}"
@@ -163,20 +216,98 @@ SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git log --format=%at -1)}"
time-machine() {
# shellcheck disable=SC2086
guix time-machine --url=https://github.com/dongcarl/guix.git \
- --commit=6c9d16db962a6f7155571b36eced681fd2889e23 \
- --max-jobs="$MAX_JOBS" \
+ --commit=490e39ff303f4f6873a04bfb8253755bdae1b29c \
+ --cores="$JOBS" \
--keep-failed \
+ --fallback \
${SUBSTITUTE_URLS:+--substitute-urls="$SUBSTITUTE_URLS"} \
${ADDITIONAL_GUIX_COMMON_FLAGS} ${ADDITIONAL_GUIX_TIMEMACHINE_FLAGS} \
-- "$@"
}
+
+# Precious directories are those which should not be cleaned between successive
+# guix builds
+depends_precious_dir_names='SOURCES_PATH BASE_CACHE SDK_PATH'
+precious_dir_names="${depends_precious_dir_names} OUTDIR_BASE PROFILES_BASE"
+
+# Usage: contains IFS-SEPARATED-LIST ITEM
+contains() {
+ for i in ${1}; do
+ if [ "$i" = "${2}" ]; then
+ return 0 # Found!
+ fi
+ done
+ return 1
+}
+
+# If the user explicitly specified a precious directory, create it so we
+# can map it into the container
+for precious_dir_name in $precious_dir_names; do
+ precious_dir_path="${!precious_dir_name}"
+ if [ -n "$precious_dir_path" ]; then
+ if [ ! -e "$precious_dir_path" ]; then
+ mkdir -p "$precious_dir_path"
+ elif [ -L "$precious_dir_path" ]; then
+ echo "ERR: ${precious_dir_name} cannot be a symbolic link"
+ exit 1
+ elif [ ! -d "$precious_dir_path" ]; then
+ echo "ERR: ${precious_dir_name} must be a directory"
+ exit 1
+ fi
+ fi
+done
+
+mkdir -p "$VAR_BASE"
+
+# Record the _effective_ values of precious directories such that guix-clean can
+# avoid clobbering them if appropriate.
+#
+# shellcheck disable=SC2046,SC2086
+{
+ # Get depends precious dir definitions from depends
+ make -C "${PWD}/depends" \
+ --no-print-directory \
+ -- $(printf "print-%s\n" $depends_precious_dir_names)
+
+ # Get remaining precious dir definitions from the environment
+ for precious_dir_name in $precious_dir_names; do
+ precious_dir_path="${!precious_dir_name}"
+ if ! contains "$depends_precious_dir_names" "$precious_dir_name"; then
+ echo "${precious_dir_name}=${precious_dir_path}"
+ fi
+ done
+} > "${VAR_BASE}/precious_dirs"
+
# Make sure an output directory exists for our builds
-OUTDIR="${OUTDIR:-${PWD}/output}"
-[ -e "$OUTDIR" ] || mkdir -p "$OUTDIR"
+OUTDIR_BASE="${OUTDIR_BASE:-${VERSION_BASE}/output}"
+mkdir -p "$OUTDIR_BASE"
+
+# Download the depends sources now as we won't have internet access in the build
+# container
+for host in $HOSTS; do
+ make -C "${PWD}/depends" -j"$JOBS" download-"$(host_to_commonname "$host")" ${V:+V=1} ${SOURCES_PATH:+SOURCES_PATH="$SOURCES_PATH"}
+done
+
+# Usage: outdir_for_host HOST SUFFIX
+#
+# HOST: The current platform triple we're building for
+#
+outdir_for_host() {
+ echo "${OUTDIR_BASE}/${1}${2:+-${2}}"
+}
+
+# Usage: profiledir_for_host HOST SUFFIX
+#
+# HOST: The current platform triple we're building for
+#
+profiledir_for_host() {
+ echo "${PROFILES_BASE}/${1}${2:+-${2}}"
+}
+
#########
-# Build #
+# BUILD #
#########
# Function to be called when building for host ${1} and the user interrupts the
@@ -184,23 +315,19 @@ OUTDIR="${OUTDIR:-${PWD}/output}"
int_trap() {
cat << EOF
** INT received while building ${1}, you may want to clean up the relevant
- output, deploy, and distsrc-* directories before rebuilding
+ work directories (e.g. distsrc-*) before rebuilding
Hint: To blow everything away, you may want to use:
- $ git clean -xdff --exclude='/depends/SDKs/*'
+ $ ./contrib/guix/guix-clean
Specifically, this will remove all files without an entry in the index,
-excluding the SDK directory. Practically speaking, this means that all ignored
-and untracked files and directories will be wiped, allowing you to start anew.
+excluding the SDK directory, the depends download cache, the depends built
+packages cache, the garbage collector roots for Guix environments, and the
+output directory.
EOF
}
-# Create SOURCES_PATH and BASE_CACHE if they are non-empty so that we can map
-# them into the container
-[ -z "$SOURCES_PATH" ] || mkdir -p "$SOURCES_PATH"
-[ -z "$BASE_CACHE" ] || mkdir -p "$BASE_CACHE"
-
# Deterministically build Bitcoin Core
# shellcheck disable=SC2153
for host in $HOSTS; do
@@ -215,15 +342,15 @@ for host in $HOSTS; do
# shellcheck disable=SC2030
cat << EOF
-INFO: Building commit ${GIT_COMMIT:?not set} for platform triple ${HOST:?not set}:
+INFO: Building ${VERSION:?not set} for platform triple ${HOST:?not set}:
...using reference timestamp: ${SOURCE_DATE_EPOCH:?not set}
- ...running at most ${MAX_JOBS:?not set} jobs
+ ...running at most ${JOBS:?not set} jobs
...from worktree directory: '${PWD}'
...bind-mounted in container to: '/bitcoin'
...in build directory: '$(distsrc_for_host "$HOST")'
...bind-mounted in container to: '$(DISTSRC_BASE=/distsrc-base && distsrc_for_host "$HOST")'
- ...outputting in: '${OUTDIR:?not set}'
- ...bind-mounted in container to: '/outdir'
+ ...outputting in: '$(outdir_for_host "$HOST")'
+ ...bind-mounted in container to: '$(OUTDIR_BASE=/outdir-base && outdir_for_host "$HOST")'
EOF
# Run the build script 'contrib/guix/libexec/build.sh' in the build
@@ -298,22 +425,29 @@ EOF
--no-cwd \
--share="$PWD"=/bitcoin \
--share="$DISTSRC_BASE"=/distsrc-base \
- --share="$OUTDIR"=/outdir \
+ --share="$OUTDIR_BASE"=/outdir-base \
--expose="$(git rev-parse --git-common-dir)" \
${SOURCES_PATH:+--share="$SOURCES_PATH"} \
${BASE_CACHE:+--share="$BASE_CACHE"} \
- --max-jobs="$MAX_JOBS" \
+ ${SDK_PATH:+--share="$SDK_PATH"} \
+ --cores="$JOBS" \
--keep-failed \
+ --fallback \
+ --link-profile \
+ --root="$(profiledir_for_host "${HOST}")" \
${SUBSTITUTE_URLS:+--substitute-urls="$SUBSTITUTE_URLS"} \
${ADDITIONAL_GUIX_COMMON_FLAGS} ${ADDITIONAL_GUIX_ENVIRONMENT_FLAGS} \
-- env HOST="$host" \
- MAX_JOBS="$MAX_JOBS" \
+ DISTNAME="$DISTNAME" \
+ JOBS="$JOBS" \
SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:?unable to determine value}" \
${V:+V=1} \
${SOURCES_PATH:+SOURCES_PATH="$SOURCES_PATH"} \
${BASE_CACHE:+BASE_CACHE="$BASE_CACHE"} \
+ ${SDK_PATH:+SDK_PATH="$SDK_PATH"} \
DISTSRC="$(DISTSRC_BASE=/distsrc-base && distsrc_for_host "$HOST")" \
- OUTDIR=/outdir \
+ OUTDIR="$(OUTDIR_BASE=/outdir-base && outdir_for_host "$HOST")" \
+ DIST_ARCHIVE_BASE=/outdir-base/dist-archive \
bash -c "cd /bitcoin && bash contrib/guix/libexec/build.sh"
)
diff --git a/contrib/guix/guix-clean b/contrib/guix/guix-clean
new file mode 100755
index 0000000000..9fa17191e8
--- /dev/null
+++ b/contrib/guix/guix-clean
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+
+# Source the common prelude, which:
+# 1. Checks if we're at the top directory of the Bitcoin Core repository
+# 2. Defines a few common functions and variables
+#
+# shellcheck source=libexec/prelude.bash
+source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
+
+
+###################
+## Sanity Checks ##
+###################
+
+################
+# Required non-builtin commands should be invokable
+################
+
+check_tools cat mkdir make git guix
+
+
+#############
+## Clean ##
+#############
+
+# Usage: under_dir MAYBE_PARENT MAYBE_CHILD
+#
+# If MAYBE_CHILD is a subdirectory of MAYBE_PARENT, print the relative path
+# from MAYBE_PARENT to MAYBE_CHILD. Otherwise, return 1 as the error code.
+#
+# NOTE: This does not perform any symlink-resolving or path canonicalization.
+#
+under_dir() {
+ local path_residue
+ path_residue="${2##${1}}"
+ if [ -z "$path_residue" ] || [ "$path_residue" = "$2" ]; then
+ return 1
+ else
+ echo "$path_residue"
+ fi
+}
+
+# Usage: dir_under_git_root MAYBE_CHILD
+#
+# If MAYBE_CHILD is under the current git repository and exists, print the
+# relative path from the git repository's top-level directory to MAYBE_CHILD,
+# otherwise, exit with an error code.
+#
+dir_under_git_root() {
+ local rv
+ rv="$(under_dir "$(git_root)" "$1")"
+ [ -n "$rv" ] && echo "$rv"
+}
+
+shopt -s nullglob
+found_precious_dirs_files=( "${version_base_prefix}"*/"${var_base_basename}/precious_dirs" ) # This expands to an array of directories...
+shopt -u nullglob
+
+exclude_flags=()
+
+for precious_dirs_file in "${found_precious_dirs_files[@]}"; do
+ # Make sure the precious directories (e.g. SOURCES_PATH, BASE_CACHE, SDK_PATH)
+ # are excluded from git-clean
+ echo "Found precious_dirs file: '${precious_dirs_file}'"
+
+ # Exclude the precious_dirs file itself
+ if dirs_file_exclude_fragment=$(dir_under_git_root "$(dirname "$precious_dirs_file")"); then
+ exclude_flags+=( --exclude="${dirs_file_exclude_fragment}/precious_dirs" )
+ fi
+
+ # Read each 'name=dir' pair from the precious_dirs file
+ while IFS='=' read -r name dir; do
+ # Add an exclusion flag if the precious directory is under the git root.
+ if under=$(dir_under_git_root "$dir"); then
+ echo "Avoiding ${name}: ${under}"
+ exclude_flags+=( --exclude="$under" )
+ fi
+ done < "$precious_dirs_file"
+done
+
+git clean -xdff "${exclude_flags[@]}"
diff --git a/contrib/guix/guix-codesign b/contrib/guix/guix-codesign
new file mode 100755
index 0000000000..62853dbf4d
--- /dev/null
+++ b/contrib/guix/guix-codesign
@@ -0,0 +1,392 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+
+# Source the common prelude, which:
+# 1. Checks if we're at the top directory of the Bitcoin Core repository
+# 2. Defines a few common functions and variables
+#
+# shellcheck source=libexec/prelude.bash
+source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
+
+
+###################
+## SANITY CHECKS ##
+###################
+
+################
+# Required non-builtin commands should be invocable
+################
+
+check_tools cat mkdir git guix
+
+################
+# Required env vars should be non-empty
+################
+
+cmd_usage() {
+ cat <<EOF
+Synopsis:
+
+ env DETACHED_SIGS_REPO=<path/to/bitcoin-detached-sigs> \\
+ ./contrib/guix/guix-codesign
+
+EOF
+}
+
+if [ -z "$DETACHED_SIGS_REPO" ]; then
+ cmd_usage
+ exit 1
+fi
+
+################
+# GUIX_BUILD_OPTIONS should be empty
+################
+#
+# GUIX_BUILD_OPTIONS is an environment variable recognized by guix commands that
+# can perform builds. This seems like what we want instead of
+# ADDITIONAL_GUIX_COMMON_FLAGS, but the value of GUIX_BUILD_OPTIONS is actually
+# _appended_ to normal command-line options. Meaning that they will take
+# precedence over the command-specific ADDITIONAL_GUIX_<CMD>_FLAGS.
+#
+# This seems like a poor user experience. Thus we check for GUIX_BUILD_OPTIONS's
+# existence here and direct users of this script to use our (more flexible)
+# custom environment variables.
+if [ -n "$GUIX_BUILD_OPTIONS" ]; then
+cat << EOF
+Error: Environment variable GUIX_BUILD_OPTIONS is not empty:
+ '$GUIX_BUILD_OPTIONS'
+
+Unfortunately this script is incompatible with GUIX_BUILD_OPTIONS, please unset
+GUIX_BUILD_OPTIONS and use ADDITIONAL_GUIX_COMMON_FLAGS to set build options
+across guix commands or ADDITIONAL_GUIX_<CMD>_FLAGS to set build options for a
+specific guix command.
+
+See contrib/guix/README.md for more details.
+EOF
+exit 1
+fi
+
+################
+# The codesignature git worktree should not be dirty
+################
+
+if ! git -C "$DETACHED_SIGS_REPO" diff-index --quiet HEAD -- && [ -z "$FORCE_DIRTY_WORKTREE" ]; then
+ cat << EOF
+ERR: The DETACHED CODESIGNATURE git worktree is dirty, which may lead to broken builds.
+
+ Aborting...
+
+Hint: To make your git worktree clean, You may want to:
+ 1. Commit your changes,
+ 2. Stash your changes, or
+ 3. Set the 'FORCE_DIRTY_WORKTREE' environment variable if you insist on
+ using a dirty worktree
+EOF
+ exit 1
+fi
+
+################
+# Build directories should not exist
+################
+
+# Default to building for all supported HOSTs (overridable by environment)
+export HOSTS="${HOSTS:-x86_64-w64-mingw32 x86_64-apple-darwin18}"
+
+# Usage: distsrc_for_host HOST
+#
+# HOST: The current platform triple we're building for
+#
+distsrc_for_host() {
+ echo "${DISTSRC_BASE}/distsrc-${VERSION}-${1}-codesigned"
+}
+
+# Accumulate a list of build directories that already exist...
+hosts_distsrc_exists=""
+for host in $HOSTS; do
+ if [ -e "$(distsrc_for_host "$host")" ]; then
+ hosts_distsrc_exists+=" ${host}"
+ fi
+done
+
+if [ -n "$hosts_distsrc_exists" ]; then
+# ...so that we can print them out nicely in an error message
+cat << EOF
+ERR: Build directories for this commit already exist for the following platform
+ triples you're attempting to build, probably because of previous builds.
+ Please remove, or otherwise deal with them prior to starting another build.
+
+ Aborting...
+
+Hint: To blow everything away, you may want to use:
+
+ $ ./contrib/guix/guix-clean
+
+Specifically, this will remove all files without an entry in the index,
+excluding the SDK directory, the depends download cache, the depends built
+packages cache, the garbage collector roots for Guix environments, and the
+output directory.
+EOF
+for host in $hosts_distsrc_exists; do
+ echo " ${host} '$(distsrc_for_host "$host")'"
+done
+exit 1
+else
+ mkdir -p "$DISTSRC_BASE"
+fi
+
+
+################
+# Unsigned tarballs SHOULD exist
+################
+
+# Usage: outdir_for_host HOST SUFFIX
+#
+# HOST: The current platform triple we're building for
+#
+outdir_for_host() {
+ echo "${OUTDIR_BASE}/${1}${2:+-${2}}"
+}
+
+
+unsigned_tarball_for_host() {
+ case "$1" in
+ *mingw*)
+ echo "$(outdir_for_host "$1")/${DISTNAME}-win-unsigned.tar.gz"
+ ;;
+ *darwin*)
+ echo "$(outdir_for_host "$1")/${DISTNAME}-osx-unsigned.tar.gz"
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+}
+
+# Accumulate a list of build directories that already exist...
+hosts_unsigned_tarball_missing=""
+for host in $HOSTS; do
+ if [ ! -e "$(unsigned_tarball_for_host "$host")" ]; then
+ hosts_unsigned_tarball_missing+=" ${host}"
+ fi
+done
+
+if [ -n "$hosts_unsigned_tarball_missing" ]; then
+ # ...so that we can print them out nicely in an error message
+ cat << EOF
+ERR: Unsigned tarballs do not exist
+...
+
+EOF
+for host in $hosts_unsigned_tarball_missing; do
+ echo " ${host} '$(unsigned_tarball_for_host "$host")'"
+done
+exit 1
+fi
+
+################
+# Check that we can connect to the guix-daemon
+################
+
+cat << EOF
+Checking that we can connect to the guix-daemon...
+
+Hint: If this hangs, you may want to try turning your guix-daemon off and on
+ again.
+
+EOF
+if ! guix gc --list-failures > /dev/null; then
+ cat << EOF
+
+ERR: Failed to connect to the guix-daemon, please ensure that one is running and
+ reachable.
+EOF
+ exit 1
+fi
+
+# Developer note: we could use `guix repl` for this check and run:
+#
+# (import (guix store)) (close-connection (open-connection))
+#
+# However, the internal API is likely to change more than the CLI invocation
+
+
+#########
+# SETUP #
+#########
+
+# Determine the maximum number of jobs to run simultaneously (overridable by
+# environment)
+JOBS="${JOBS:-$(nproc)}"
+
+# Determine the reference time used for determinism (overridable by environment)
+SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git log --format=%at -1)}"
+
+# Execute "$@" in a pinned, possibly older version of Guix, for reproducibility
+# across time.
+time-machine() {
+ # shellcheck disable=SC2086
+ guix time-machine --url=https://github.com/dongcarl/guix.git \
+ --commit=490e39ff303f4f6873a04bfb8253755bdae1b29c \
+ --cores="$JOBS" \
+ --keep-failed \
+ --fallback \
+ ${SUBSTITUTE_URLS:+--substitute-urls="$SUBSTITUTE_URLS"} \
+ ${ADDITIONAL_GUIX_COMMON_FLAGS} ${ADDITIONAL_GUIX_TIMEMACHINE_FLAGS} \
+ -- "$@"
+}
+
+# Make sure an output directory exists for our builds
+OUTDIR_BASE="${OUTDIR_BASE:-${VERSION_BASE}/output}"
+mkdir -p "$OUTDIR_BASE"
+
+# Usage: profiledir_for_host HOST SUFFIX
+#
+# HOST: The current platform triple we're building for
+#
+profiledir_for_host() {
+ echo "${PROFILES_BASE}/${1}${2:+-${2}}"
+}
+
+#########
+# BUILD #
+#########
+
+# Function to be called when codesigning for host ${1} and the user interrupts
+# the codesign
+int_trap() {
+cat << EOF
+** INT received while codesigning ${1}, you may want to clean up the relevant
+ work directories (e.g. distsrc-*) before recodesigning
+
+Hint: To blow everything away, you may want to use:
+
+ $ ./contrib/guix/guix-clean
+
+Specifically, this will remove all files without an entry in the index,
+excluding the SDK directory, the depends download cache, the depends built
+packages cache, the garbage collector roots for Guix environments, and the
+output directory.
+EOF
+}
+
+# Deterministically build Bitcoin Core
+# shellcheck disable=SC2153
+for host in $HOSTS; do
+
+ # Display proper warning when the user interrupts the build
+ trap 'int_trap ${host}' INT
+
+ (
+ # Required for 'contrib/guix/manifest.scm' to output the right manifest
+ # for the particular $HOST we're building for
+ export HOST="$host"
+
+ # shellcheck disable=SC2030
+cat << EOF
+INFO: Codesigning ${VERSION:?not set} for platform triple ${HOST:?not set}:
+ ...using reference timestamp: ${SOURCE_DATE_EPOCH:?not set}
+ ...from worktree directory: '${PWD}'
+ ...bind-mounted in container to: '/bitcoin'
+ ...in build directory: '$(distsrc_for_host "$HOST")'
+ ...bind-mounted in container to: '$(DISTSRC_BASE=/distsrc-base && distsrc_for_host "$HOST")'
+ ...outputting in: '$(outdir_for_host "$HOST" codesigned)'
+ ...bind-mounted in container to: '$(OUTDIR_BASE=/outdir-base && outdir_for_host "$HOST" codesigned)'
+ ...using detached signatures in: '${DETACHED_SIGS_REPO:?not set}'
+ ...bind-mounted in container to: '/detached-sigs'
+EOF
+
+
+ # Run the build script 'contrib/guix/libexec/build.sh' in the build
+ # container specified by 'contrib/guix/manifest.scm'.
+ #
+ # Explanation of `guix environment` flags:
+ #
+ # --container run command within an isolated container
+ #
+ # Running in an isolated container minimizes build-time differences
+ # between machines and improves reproducibility
+ #
+ # --pure unset existing environment variables
+ #
+ # Same rationale as --container
+ #
+ # --no-cwd do not share current working directory with an
+ # isolated container
+ #
+ # When --container is specified, the default behavior is to share
+ # the current working directory with the isolated container at the
+ # same exact path (e.g. mapping '/home/satoshi/bitcoin/' to
+ # '/home/satoshi/bitcoin/'). This means that the $PWD inside the
+ # container becomes a source of irreproducibility. --no-cwd disables
+ # this behaviour.
+ #
+ # --share=SPEC for containers, share writable host file system
+ # according to SPEC
+ #
+ # --share="$PWD"=/bitcoin
+ #
+ # maps our current working directory to /bitcoin
+ # inside the isolated container, which we later cd
+ # into.
+ #
+ # While we don't want to map our current working directory to the
+ # same exact path (as this introduces irreproducibility), we do want
+ # it to be at a _fixed_ path _somewhere_ inside the isolated
+ # container so that we have something to build. '/bitcoin' was
+ # chosen arbitrarily.
+ #
+ # ${SOURCES_PATH:+--share="$SOURCES_PATH"}
+ #
+ # make the downloaded depends sources path available
+ # inside the isolated container
+ #
+ # The isolated container has no network access as it's in a
+ # different network namespace from the main machine, so we have to
+ # make the downloaded depends sources available to it. The sources
+ # should have been downloaded prior to this invocation.
+ #
+ # ${SUBSTITUTE_URLS:+--substitute-urls="$SUBSTITUTE_URLS"}
+ #
+ # fetch substitute from SUBSTITUTE_URLS if they are
+ # authorized
+ #
+ # Depending on the user's security model, it may be desirable to use
+ # substitutes (pre-built packages) from servers that the user trusts.
+ # Please read the README.md in the same directory as this file for
+ # more information.
+ #
+ # shellcheck disable=SC2086,SC2031
+ time-machine environment --manifest="${PWD}/contrib/guix/manifest.scm" \
+ --container \
+ --pure \
+ --no-cwd \
+ --share="$PWD"=/bitcoin \
+ --share="$DISTSRC_BASE"=/distsrc-base \
+ --share="$OUTDIR_BASE"=/outdir-base \
+ --share="$DETACHED_SIGS_REPO"=/detached-sigs \
+ --expose="$(git rev-parse --git-common-dir)" \
+ --expose="$(git -C "$DETACHED_SIGS_REPO" rev-parse --git-common-dir)" \
+ ${SOURCES_PATH:+--share="$SOURCES_PATH"} \
+ --cores="$JOBS" \
+ --keep-failed \
+ --fallback \
+ --link-profile \
+ --root="$(profiledir_for_host "${HOST}" codesigned)" \
+ ${SUBSTITUTE_URLS:+--substitute-urls="$SUBSTITUTE_URLS"} \
+ ${ADDITIONAL_GUIX_COMMON_FLAGS} ${ADDITIONAL_GUIX_ENVIRONMENT_FLAGS} \
+ -- env HOST="$host" \
+ DISTNAME="$DISTNAME" \
+ JOBS="$JOBS" \
+ SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:?unable to determine value}" \
+ ${V:+V=1} \
+ ${SOURCES_PATH:+SOURCES_PATH="$SOURCES_PATH"} \
+ DISTSRC="$(DISTSRC_BASE=/distsrc-base && distsrc_for_host "$HOST")" \
+ OUTDIR="$(OUTDIR_BASE=/outdir-base && outdir_for_host "$HOST" codesigned)" \
+ DIST_ARCHIVE_BASE=/outdir-base/dist-archive \
+ DETACHED_SIGS_REPO=/detached-sigs \
+ UNSIGNED_TARBALL="$(OUTDIR_BASE=/outdir-base && unsigned_tarball_for_host "$HOST")" \
+ bash -c "cd /bitcoin && bash contrib/guix/libexec/codesign.sh"
+ )
+
+done
diff --git a/contrib/guix/guix-verify b/contrib/guix/guix-verify
new file mode 100755
index 0000000000..a6e2c4065e
--- /dev/null
+++ b/contrib/guix/guix-verify
@@ -0,0 +1,142 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+
+# Source the common prelude, which:
+# 1. Checks if we're at the top directory of the Bitcoin Core repository
+# 2. Defines a few common functions and variables
+#
+# shellcheck source=libexec/prelude.bash
+source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
+
+
+###################
+## Sanity Checks ##
+###################
+
+################
+# Required non-builtin commands should be invokable
+################
+
+check_tools cat diff gpg
+
+################
+# Required env vars should be non-empty
+################
+
+cmd_usage() {
+cat <<EOF
+Synopsis:
+
+ env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify
+
+EOF
+}
+
+if [ -z "$GUIX_SIGS_REPO" ]; then
+ cmd_usage
+ exit 1
+fi
+
+################
+# GUIX_SIGS_REPO should exist as a directory
+################
+
+if [ ! -d "$GUIX_SIGS_REPO" ]; then
+cat << EOF
+ERR: The specified GUIX_SIGS_REPO is not an existent directory:
+
+ '$GUIX_SIGS_REPO'
+
+Hint: Please clone the guix.sigs repository and point to it with the
+ GUIX_SIGS_REPO environment variable.
+
+EOF
+cmd_usage
+exit 1
+fi
+
+##############
+## Verify ##
+##############
+
+OUTSIGDIR_BASE="${GUIX_SIGS_REPO}/${VERSION}"
+echo "Looking for signature directories in '${OUTSIGDIR_BASE}'"
+echo ""
+
+# Usage: verify compare_manifest current_manifest
+verify() {
+ local compare_manifest="$1"
+ local current_manifest="$2"
+ if ! gpg --quiet --batch --verify "$current_manifest".asc "$current_manifest" 1>&2; then
+ echo "ERR: Failed to verify GPG signature in '${current_manifest}'"
+ echo ""
+ echo "Hint: Either the signature is invalid or the public key is missing"
+ echo ""
+ elif ! diff --report-identical "$compare_manifest" "$current_manifest" 1>&2; then
+ echo "ERR: The SHA256SUMS attestation in these two directories differ:"
+ echo " '${compare_manifest}'"
+ echo " '${current_manifest}'"
+ echo ""
+ else
+ echo "Verified: '${current_manifest}'"
+ echo ""
+ fi
+}
+
+shopt -s nullglob
+all_noncodesigned=( "$OUTSIGDIR_BASE"/*/noncodesigned.SHA256SUMS )
+shopt -u nullglob
+
+echo "--------------------"
+echo ""
+if (( ${#all_noncodesigned[@]} )); then
+ compare_noncodesigned="${all_noncodesigned[0]}"
+
+ for current_manifest in "${all_noncodesigned[@]}"; do
+ verify "$compare_noncodesigned" "$current_manifest"
+ done
+
+ echo "DONE: Checking output signatures for noncodesigned.SHA256SUMS"
+ echo ""
+else
+ echo "WARN: No signature directories with noncodesigned.SHA256SUMS found"
+ echo ""
+fi
+
+shopt -s nullglob
+all_all=( "$OUTSIGDIR_BASE"/*/all.SHA256SUMS )
+shopt -u nullglob
+
+echo "--------------------"
+echo ""
+if (( ${#all_all[@]} )); then
+ compare_all="${all_all[0]}"
+
+ for current_manifest in "${all_all[@]}"; do
+ verify "$compare_all" "$current_manifest"
+ done
+
+ # Sanity check: there should be no entries that exist in
+ # noncodesigned.SHA256SUMS that doesn't exist in all.SHA256SUMS
+ if [[ "$(comm -23 <(sort "$compare_noncodesigned") <(sort "$compare_all") | wc -c)" -ne 0 ]]; then
+ echo "ERR: There are unique lines in noncodesigned.SHA256SUMS which"
+ echo " do not exist in all.SHA256SUMS, something went very wrong."
+ exit 1
+ fi
+
+ echo "DONE: Checking output signatures for all.SHA256SUMS"
+ echo ""
+else
+ echo "WARN: No signature directories with all.SHA256SUMS found"
+ echo ""
+fi
+
+echo "===================="
+echo ""
+if (( ${#all_noncodesigned[@]} + ${#all_all[@]} == 0 )); then
+ echo "ERR: Unable to perform any verifications as no signature directories"
+ echo " were found"
+ echo ""
+ exit 1
+fi
diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh
index 119fe04c75..0b96949a6b 100644..100755
--- a/contrib/guix/libexec/build.sh
+++ b/contrib/guix/libexec/build.sh
@@ -3,7 +3,7 @@ export LC_ALL=C
set -e -o pipefail
export TZ=UTC
-# Althought Guix _does_ set umask when building its own packages (in our case,
+# Although Guix _does_ set umask when building its own packages (in our case,
# this is all packages in manifest.scm), it does not set it for `guix
# environment`. It does make sense for at least `guix environment --container`
# to set umask, so if that change gets merged upstream and we bump the
@@ -24,13 +24,18 @@ fi
# Check that required environment variables are set
cat << EOF
Required environment variables as seen inside the container:
+ DIST_ARCHIVE_BASE: ${DIST_ARCHIVE_BASE:?not set}
+ DISTNAME: ${DISTNAME:?not set}
HOST: ${HOST:?not set}
SOURCE_DATE_EPOCH: ${SOURCE_DATE_EPOCH:?not set}
- MAX_JOBS: ${MAX_JOBS:?not set}
+ JOBS: ${JOBS:?not set}
DISTSRC: ${DISTSRC:?not set}
OUTDIR: ${OUTDIR:?not set}
EOF
+ACTUAL_OUTDIR="${OUTDIR}"
+OUTDIR="${DISTSRC}/output"
+
#####################
# Environment Setup #
#####################
@@ -52,23 +57,36 @@ store_path() {
# Set environment variables to point the NATIVE toolchain to the right
# includes/libs
NATIVE_GCC="$(store_path gcc-toolchain)"
-export LIBRARY_PATH="${NATIVE_GCC}/lib:${NATIVE_GCC}/lib64"
-export CPATH="${NATIVE_GCC}/include"
+NATIVE_GCC_STATIC="$(store_path gcc-toolchain static)"
+
+unset LIBRARY_PATH
+unset CPATH
unset C_INCLUDE_PATH
unset CPLUS_INCLUDE_PATH
+unset OBJC_INCLUDE_PATH
+unset OBJCPLUS_INCLUDE_PATH
+
+export LIBRARY_PATH="${NATIVE_GCC}/lib:${NATIVE_GCC}/lib64:${NATIVE_GCC_STATIC}/lib:${NATIVE_GCC_STATIC}/lib64"
+export C_INCLUDE_PATH="${NATIVE_GCC}/include"
+export CPLUS_INCLUDE_PATH="${NATIVE_GCC}/include/c++:${NATIVE_GCC}/include"
+export OBJC_INCLUDE_PATH="${NATIVE_GCC}/include"
+export OBJCPLUS_INCLUDE_PATH="${NATIVE_GCC}/include/c++:${NATIVE_GCC}/include"
+
+prepend_to_search_env_var() {
+ export "${1}=${2}${!1:+:}${!1}"
+}
+
case "$HOST" in
*darwin*)
- # When targeting darwin, some native tools built by depends require
- # native packages not incorporated in depends
- #
- # libcap required by native_cdrkit/wodim
- # zlib, bzip2 required by native_cdrkit/genisoimage
- for native_pkg in libcap zlib bzip2; do
- native_pkg_store_path=$(store_path "$native_pkg")
- export LIBRARY_PATH="${native_pkg_store_path}/lib:${LIBRARY_PATH}"
- export CPATH="${native_pkg_store_path}/include:${CPATH}"
- done
- ;;
+ # When targeting darwin, zlib is required by native_libdmg-hfsplus.
+ zlib_store_path=$(store_path "zlib")
+ zlib_static_store_path=$(store_path "zlib" static)
+
+ prepend_to_search_env_var LIBRARY_PATH "${zlib_static_store_path}/lib:${zlib_store_path}/lib"
+ prepend_to_search_env_var C_INCLUDE_PATH "${zlib_store_path}/include"
+ prepend_to_search_env_var CPLUS_INCLUDE_PATH "${zlib_store_path}/include"
+ prepend_to_search_env_var OBJC_INCLUDE_PATH "${zlib_store_path}/include"
+ prepend_to_search_env_var OBJCPLUS_INCLUDE_PATH "${zlib_store_path}/include"
esac
# Set environment variables to point the CROSS toolchain to the right
@@ -160,8 +178,6 @@ case "$HOST" in
esac
# Environment variables for determinism
-export QT_RCC_TEST=1
-export QT_RCC_SOURCE_DATE_OVERRIDE=1
export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name"
export TZ="UTC"
case "$HOST" in
@@ -180,10 +196,11 @@ esac
####################
# Build the depends tree, overriding variables that assume multilib gcc
-make -C depends --jobs="$MAX_JOBS" HOST="$HOST" \
+make -C depends --jobs="$JOBS" HOST="$HOST" \
${V:+V=1} \
${SOURCES_PATH+SOURCES_PATH="$SOURCES_PATH"} \
${BASE_CACHE+BASE_CACHE="$BASE_CACHE"} \
+ ${SDK_PATH+SDK_PATH="$SDK_PATH"} \
i686_linux_CC=i686-linux-gnu-gcc \
i686_linux_CXX=i686-linux-gnu-g++ \
i686_linux_AR=i686-linux-gnu-ar \
@@ -197,6 +214,7 @@ make -C depends --jobs="$MAX_JOBS" HOST="$HOST" \
x86_64_linux_NM=x86_64-linux-gnu-nm \
x86_64_linux_STRIP=x86_64-linux-gnu-strip \
qt_config_opts_i686_linux='-platform linux-g++ -xplatform bitcoin-linux-g++' \
+ qt_config_opts_x86_64_linux='-platform linux-g++ -xplatform bitcoin-linux-g++' \
FORCE_USE_SYSTEM_CLANG=1
@@ -204,18 +222,17 @@ make -C depends --jobs="$MAX_JOBS" HOST="$HOST" \
# Source Tarball Building #
###########################
-# Define DISTNAME variable.
-# shellcheck source=contrib/gitian-descriptors/assign_DISTNAME
-source contrib/gitian-descriptors/assign_DISTNAME
-
-GIT_ARCHIVE="${OUTDIR}/src/${DISTNAME}.tar.gz"
+GIT_ARCHIVE="${DIST_ARCHIVE_BASE}/${DISTNAME}.tar.gz"
# Create the source tarball if not already there
if [ ! -e "$GIT_ARCHIVE" ]; then
mkdir -p "$(dirname "$GIT_ARCHIVE")"
+ touch "${DIST_ARCHIVE_BASE}"/SKIPATTEST.TAG
git archive --prefix="${DISTNAME}/" --output="$GIT_ARCHIVE" HEAD
fi
+mkdir -p "$OUTDIR"
+
###########################
# Binary Tarball Building #
###########################
@@ -223,7 +240,7 @@ fi
# CONFIGFLAGS
CONFIGFLAGS="--enable-reduce-exports --disable-bench --disable-gui-tests --disable-fuzz-binary"
case "$HOST" in
- *linux*) CONFIGFLAGS+=" --enable-glibc-back-compat" ;;
+ *linux*) CONFIGFLAGS+=" --disable-threadlocal" ;;
esac
# CFLAGS
@@ -243,8 +260,15 @@ case "$HOST" in
*mingw*) HOST_LDFLAGS="-Wl,--no-insert-timestamp" ;;
esac
+# Using --no-tls-get-addr-optimize retains compatibility with glibc 2.17, by
+# avoiding a PowerPC64 optimisation available in glibc 2.22 and later.
+# https://sourceware.org/binutils/docs-2.35/ld/PowerPC64-ELF64.html
+case "$HOST" in
+ *powerpc64*) HOST_LDFLAGS="${HOST_LDFLAGS} -Wl,--no-tls-get-addr-optimize" ;;
+esac
+
case "$HOST" in
- powerpc64-linux-*) HOST_LDFLAGS="${HOST_LDFLAGS} -Wl,-z,noexecstack" ;;
+ powerpc64-linux-*|riscv64-linux-*) HOST_LDFLAGS="${HOST_LDFLAGS} -Wl,-z,noexecstack" ;;
esac
# Make $HOST-specific native binaries from depends available in $PATH
@@ -273,14 +297,17 @@ mkdir -p "$DISTSRC"
sed -i.old 's/-lstdc++ //g' config.status libtool src/univalue/config.status src/univalue/libtool
# Build Bitcoin Core
- make --jobs="$MAX_JOBS" ${V:+V=1}
+ make --jobs="$JOBS" ${V:+V=1}
- # Perform basic ELF security checks on a series of executables.
+ # Check that symbol/security checks tools are sane.
+ make test-security-check ${V:+V=1}
+ # Perform basic security checks on a series of executables.
make -C src --jobs=1 check-security ${V:+V=1}
- # Check that executables only contain allowed gcc, glibc and libstdc++
- # version symbols for Linux distro back-compatibility.
+ # Check that executables only contain allowed version symbols.
make -C src --jobs=1 check-symbols ${V:+V=1}
+ mkdir -p "$OUTDIR"
+
# Make the os-specific installers
case "$HOST" in
*mingw*)
@@ -312,9 +339,6 @@ mkdir -p "$DISTSRC"
osx_volname \
contrib/macdeploy/detached-sig-{apply,create}.sh \
"${BASEPREFIX}/${HOST}"/native/bin/dmg
- for util in codesign_allocate pagestuff; do
- cp --no-target-directory {"${BASEPREFIX}/${HOST}/native/bin/${HOST}-","unsigned-app-${HOST}/"}"$util"
- done
mv --target-directory="unsigned-app-${HOST}" dist
(
cd "unsigned-app-${HOST}"
@@ -350,7 +374,7 @@ mkdir -p "$DISTSRC"
{
find "${DISTNAME}/bin" -type f -executable -print0
find "${DISTNAME}/lib" -type f -print0
- } | xargs -0 -n1 -P"$MAX_JOBS" -I{} "${DISTSRC}/contrib/devtools/split-debug.sh" {} {} {}.dbg
+ } | xargs -0 -n1 -P"$JOBS" -I{} "${DISTSRC}/contrib/devtools/split-debug.sh" {} {} {}.dbg
;;
esac
@@ -400,21 +424,36 @@ mkdir -p "$DISTSRC"
|| ( rm -f "${OUTDIR}/${DISTNAME}-${HOST//x86_64-apple-darwin18/osx64}.tar.gz" && exit 1 )
;;
esac
- )
-)
+ ) # $DISTSRC/installed
-case "$HOST" in
- *mingw*)
- cp -rf --target-directory=. contrib/windeploy
- (
- cd ./windeploy
- mkdir unsigned
- cp --target-directory=unsigned/ "${OUTDIR}/${DISTNAME}-win64-setup-unsigned.exe"
- find . -print0 \
- | sort --zero-terminated \
- | tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
- | gzip -9n > "${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz" \
- || ( rm -f "${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz" && exit 1 )
- )
- ;;
-esac
+ case "$HOST" in
+ *mingw*)
+ cp -rf --target-directory=. contrib/windeploy
+ (
+ cd ./windeploy
+ mkdir -p unsigned
+ cp --target-directory=unsigned/ "${OUTDIR}/${DISTNAME}-win64-setup-unsigned.exe"
+ find . -print0 \
+ | sort --zero-terminated \
+ | tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
+ | gzip -9n > "${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz" \
+ || ( rm -f "${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz" && exit 1 )
+ )
+ ;;
+ esac
+) # $DISTSRC
+
+rm -rf "$ACTUAL_OUTDIR"
+mv --no-target-directory "$OUTDIR" "$ACTUAL_OUTDIR" \
+ || ( rm -rf "$ACTUAL_OUTDIR" && exit 1 )
+
+(
+ cd /outdir-base
+ {
+ echo "$GIT_ARCHIVE"
+ find "$ACTUAL_OUTDIR" -type f
+ } | xargs realpath --relative-base="$PWD" \
+ | xargs sha256sum \
+ | sort -k2 \
+ | sponge "$ACTUAL_OUTDIR"/SHA256SUMS.part
+)
diff --git a/contrib/guix/libexec/codesign.sh b/contrib/guix/libexec/codesign.sh
new file mode 100755
index 0000000000..f484ac5774
--- /dev/null
+++ b/contrib/guix/libexec/codesign.sh
@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+export TZ=UTC
+
+# Although Guix _does_ set umask when building its own packages (in our case,
+# this is all packages in manifest.scm), it does not set it for `guix
+# environment`. It does make sense for at least `guix environment --container`
+# to set umask, so if that change gets merged upstream and we bump the
+# time-machine to a commit which includes the aforementioned change, we can
+# remove this line.
+#
+# This line should be placed before any commands which creates files.
+umask 0022
+
+if [ -n "$V" ]; then
+ # Print both unexpanded (-v) and expanded (-x) forms of commands as they are
+ # read from this file.
+ set -vx
+ # Set VERBOSE for CMake-based builds
+ export VERBOSE="$V"
+fi
+
+# Check that required environment variables are set
+cat << EOF
+Required environment variables as seen inside the container:
+ UNSIGNED_TARBALL: ${UNSIGNED_TARBALL:?not set}
+ DETACHED_SIGS_REPO: ${DETACHED_SIGS_REPO:?not set}
+ DIST_ARCHIVE_BASE: ${DIST_ARCHIVE_BASE:?not set}
+ DISTNAME: ${DISTNAME:?not set}
+ HOST: ${HOST:?not set}
+ SOURCE_DATE_EPOCH: ${SOURCE_DATE_EPOCH:?not set}
+ DISTSRC: ${DISTSRC:?not set}
+ OUTDIR: ${OUTDIR:?not set}
+EOF
+
+ACTUAL_OUTDIR="${OUTDIR}"
+OUTDIR="${DISTSRC}/output"
+
+git_head_version() {
+ local recent_tag
+ if recent_tag="$(git -C "$1" describe --exact-match HEAD 2> /dev/null)"; then
+ echo "${recent_tag#v}"
+ else
+ git -C "$1" rev-parse --short=12 HEAD
+ fi
+}
+
+CODESIGNATURE_GIT_ARCHIVE="${DIST_ARCHIVE_BASE}/${DISTNAME}-codesignatures-$(git_head_version "$DETACHED_SIGS_REPO").tar.gz"
+
+# Create the codesignature tarball if not already there
+if [ ! -e "$CODESIGNATURE_GIT_ARCHIVE" ]; then
+ mkdir -p "$(dirname "$CODESIGNATURE_GIT_ARCHIVE")"
+ git -C "$DETACHED_SIGS_REPO" archive --output="$CODESIGNATURE_GIT_ARCHIVE" HEAD
+fi
+
+mkdir -p "$OUTDIR"
+
+mkdir -p "$DISTSRC"
+(
+ cd "$DISTSRC"
+
+ tar -xf "$UNSIGNED_TARBALL"
+
+ mkdir -p codesignatures
+ tar -C codesignatures -xf "$CODESIGNATURE_GIT_ARCHIVE"
+
+ case "$HOST" in
+ *mingw*)
+ find "$PWD" -name "*-unsigned.exe" | while read -r infile; do
+ infile_base="$(basename "$infile")"
+
+ # Codesigned *-unsigned.exe and output to OUTDIR
+ osslsigncode attach-signature \
+ -in "$infile" \
+ -out "${OUTDIR}/${infile_base/-unsigned}" \
+ -sigin codesignatures/win/"$infile_base".pem
+ done
+ ;;
+ *darwin*)
+ # Apply detached codesignatures to dist/ (in-place)
+ signapple apply dist/Bitcoin-Qt.app codesignatures/osx/dist
+
+ # Make an uncompressed DMG from dist/
+ xorrisofs -D -l -V "$(< osx_volname)" -no-pad -r -dir-mode 0755 \
+ -o uncompressed.dmg \
+ dist \
+ -- -volume_date all_file_dates ="$SOURCE_DATE_EPOCH"
+
+ # Compress uncompressed.dmg and output to OUTDIR
+ ./dmg dmg uncompressed.dmg "${OUTDIR}/${DISTNAME}-osx-signed.dmg"
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+) # $DISTSRC
+
+rm -rf "$ACTUAL_OUTDIR"
+mv --no-target-directory "$OUTDIR" "$ACTUAL_OUTDIR" \
+ || ( rm -rf "$ACTUAL_OUTDIR" && exit 1 )
+
+(
+ cd /outdir-base
+ {
+ echo "$UNSIGNED_TARBALL"
+ echo "$CODESIGNATURE_GIT_ARCHIVE"
+ find "$ACTUAL_OUTDIR" -type f
+ } | xargs realpath --relative-base="$PWD" \
+ | xargs sha256sum \
+ | sort -k2 \
+ | sponge "$ACTUAL_OUTDIR"/SHA256SUMS.part
+)
diff --git a/contrib/guix/libexec/prelude.bash b/contrib/guix/libexec/prelude.bash
new file mode 100644
index 0000000000..9705607119
--- /dev/null
+++ b/contrib/guix/libexec/prelude.bash
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+
+# shellcheck source=../../shell/realpath.bash
+source contrib/shell/realpath.bash
+
+# shellcheck source=../../shell/git-utils.bash
+source contrib/shell/git-utils.bash
+
+################
+# Required non-builtin commands should be invocable
+################
+
+check_tools() {
+ for cmd in "$@"; do
+ if ! command -v "$cmd" > /dev/null 2>&1; then
+ echo "ERR: This script requires that '$cmd' is installed and available in your \$PATH"
+ exit 1
+ fi
+ done
+}
+
+check_tools cat env readlink dirname basename git
+
+################
+# We should be at the top directory of the repository
+################
+
+same_dir() {
+ local resolved1 resolved2
+ resolved1="$(bash_realpath "${1}")"
+ resolved2="$(bash_realpath "${2}")"
+ [ "$resolved1" = "$resolved2" ]
+}
+
+if ! same_dir "${PWD}" "$(git_root)"; then
+cat << EOF
+ERR: This script must be invoked from the top level of the git repository
+
+Hint: This may look something like:
+ env FOO=BAR ./contrib/guix/guix-<blah>
+
+EOF
+exit 1
+fi
+
+################
+# Set common variables
+################
+
+VERSION="${VERSION:-$(git_head_version)}"
+DISTNAME="${DISTNAME:-bitcoin-${VERSION}}"
+
+version_base_prefix="${PWD}/guix-build-"
+VERSION_BASE="${version_base_prefix}${VERSION}" # TOP
+
+DISTSRC_BASE="${DISTSRC_BASE:-${VERSION_BASE}}"
+
+OUTDIR_BASE="${OUTDIR_BASE:-${VERSION_BASE}/output}"
+
+var_base_basename="var"
+VAR_BASE="${VAR_BASE:-${VERSION_BASE}/${var_base_basename}}"
+
+profiles_base_basename="profiles"
+PROFILES_BASE="${PROFILES_BASE:-${VAR_BASE}/${profiles_base_basename}}"
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index fb585b7f25..e71cf52533 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -3,12 +3,15 @@
(gnu packages autotools)
(gnu packages base)
(gnu packages bash)
+ (gnu packages bison)
+ (gnu packages certs)
(gnu packages cdrom)
(gnu packages check)
(gnu packages cmake)
(gnu packages commencement)
(gnu packages compression)
(gnu packages cross-base)
+ (gnu packages curl)
(gnu packages file)
(gnu packages gawk)
(gnu packages gcc)
@@ -19,16 +22,21 @@
(gnu packages linux)
(gnu packages llvm)
(gnu packages mingw)
+ (gnu packages moreutils)
(gnu packages perl)
(gnu packages pkg-config)
(gnu packages python)
+ (gnu packages python-web)
(gnu packages shells)
+ (gnu packages tls)
(gnu packages version-control)
(guix build-system font)
(guix build-system gnu)
+ (guix build-system python)
(guix build-system trivial)
(guix download)
(guix gexp)
+ (guix git-download)
((guix licenses) #:prefix license:)
(guix packages)
(guix profiles)
@@ -49,28 +57,32 @@ we link against libssp.so, and thus will ensure that this works properly.
Taken from:
http://www.linuxfromscratch.org/hlfs/view/development/chapter05/gcc-pass1.html"
(package
- (inherit xgcc)
- (arguments
- (substitute-keyword-arguments (package-arguments xgcc)
- ((#:make-flags flags)
- `(cons "gcc_cv_libc_provides_ssp=yes" ,flags))))))
+ (inherit xgcc)
+ (arguments
+ (substitute-keyword-arguments (package-arguments xgcc)
+ ((#:make-flags flags)
+ `(cons "gcc_cv_libc_provides_ssp=yes" ,flags))))))
(define (make-gcc-rpath-link xgcc)
"Given a XGCC package, return a modified package that replace each instance of
-rpath in the default system spec that's inserted by Guix with -rpath-link"
(package
- (inherit xgcc)
- (arguments
- (substitute-keyword-arguments (package-arguments xgcc)
- ((#:phases phases)
- `(modify-phases ,phases
- (add-after 'pre-configure 'replace-rpath-with-rpath-link
- (lambda _
- (substitute* (cons "gcc/config/rs6000/sysv4.h"
- (find-files "gcc/config"
- "^gnu-user.*\\.h$"))
- (("-rpath=") "-rpath-link="))
- #t))))))))
+ (inherit xgcc)
+ (arguments
+ (substitute-keyword-arguments (package-arguments xgcc)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (add-after 'pre-configure 'replace-rpath-with-rpath-link
+ (lambda _
+ (substitute* (cons "gcc/config/rs6000/sysv4.h"
+ (find-files "gcc/config"
+ "^gnu-user.*\\.h$"))
+ (("-rpath=") "-rpath-link="))
+ #t))))))))
+
+(define (make-binutils-with-mingw-w64-disable-flags xbinutils)
+ (package-with-extra-patches xbinutils
+ (search-our-patches "binutils-mingw-w64-disable-flags.patch")))
(define (make-cross-toolchain target
base-gcc-for-libc
@@ -123,30 +135,48 @@ chain for " target " development."))
(home-page (package-home-page xgcc))
(license (package-license xgcc)))))
+(define base-gcc
+ (package-with-extra-patches gcc-8
+ (search-our-patches "gcc-8-sort-libtool-find-output.patch")))
+
+;; Building glibc with stack smashing protector first landed in glibc 2.25, use
+;; this function to disable for older glibcs
+;;
+;; From glibc 2.25 changelog:
+;;
+;; * Most of glibc can now be built with the stack smashing protector enabled.
+;; It is recommended to build glibc with --enable-stack-protector=strong.
+;; Implemented by Nick Alcock (Oracle).
+(define (make-glibc-without-ssp xglibc)
+ (package-with-extra-configure-variable
+ (package-with-extra-configure-variable
+ xglibc "libc_cv_ssp" "no")
+ "libc_cv_ssp_strong" "no"))
+
(define* (make-bitcoin-cross-toolchain target
- #:key
- (base-gcc-for-libc gcc-5)
- (base-kernel-headers linux-libre-headers-4.19)
- (base-libc glibc-2.27)
- (base-gcc (make-gcc-rpath-link gcc-9)))
+ #:key
+ (base-gcc-for-libc gcc-7)
+ (base-kernel-headers linux-libre-headers-5.4)
+ (base-libc (make-glibc-without-ssp glibc-2.24))
+ (base-gcc (make-gcc-rpath-link base-gcc)))
"Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
desirable for building Bitcoin Core release binaries."
(make-cross-toolchain target
- base-gcc-for-libc
- base-kernel-headers
- base-libc
- base-gcc))
+ base-gcc-for-libc
+ base-kernel-headers
+ base-libc
+ base-gcc))
(define (make-gcc-with-pthreads gcc)
(package-with-extra-configure-variable gcc "--enable-threads" "posix"))
(define (make-mingw-pthreads-cross-toolchain target)
"Create a cross-compilation toolchain package for TARGET"
- (let* ((xbinutils (cross-binutils target))
+ (let* ((xbinutils (make-binutils-with-mingw-w64-disable-flags (cross-binutils target)))
(pthreads-xlibc mingw-w64-x86_64-winpthreads)
(pthreads-xgcc (make-gcc-with-pthreads
(cross-gcc target
- #:xgcc (make-ssp-fixed-gcc gcc-9)
+ #:xgcc (make-ssp-fixed-gcc base-gcc)
#:xbinutils xbinutils
#:libc pthreads-xlibc))))
;; Define a meta-package that propagates the resulting XBINUTILS, XLIBC, and
@@ -174,22 +204,398 @@ chain for " target " development."))
(define-public font-tuffy
(package
- (name "font-tuffy")
- (version "20120614")
+ (name "font-tuffy")
+ (version "20120614")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "http://tulrich.com/fonts/tuffy-" version ".tar.gz"))
+ (file-name (string-append name "-" version ".tar.gz"))
+ (sha256
+ (base32
+ "02vf72bgrp30vrbfhxjw82s115z27dwfgnmmzfb0n9wfhxxfpyf6"))))
+ (build-system font-build-system)
+ (home-page "http://tulrich.com/fonts/")
+ (synopsis "The Tuffy Truetype Font Family")
+ (description
+ "Thatcher Ulrich's first outline font design. He started with the goal of producing a neutral, readable sans-serif text font. There are lots of \"expressive\" fonts out there, but he wanted to start with something very plain and clean, something he might want to actually use. ")
+ (license license:public-domain)))
+
+(define-public lief
+ (package
+ (name "python-lief")
+ (version "0.11.5")
(source
(origin
- (method url-fetch)
- (uri (string-append "http://tulrich.com/fonts/tuffy-" version ".tar.gz"))
- (file-name (string-append name "-" version ".tar.gz"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/lief-project/LIEF.git")
+ (commit version)))
+ (file-name (git-file-name name version))
(sha256
(base32
- "02vf72bgrp30vrbfhxjw82s115z27dwfgnmmzfb0n9wfhxxfpyf6"))))
- (build-system font-build-system)
- (home-page "http://tulrich.com/fonts/")
- (synopsis "The Tuffy Truetype Font Family")
- (description
- "Thatcher Ulrich's first outline font design. He started with the goal of producing a neutral, readable sans-serif text font. There are lots of \"expressive\" fonts out there, but he wanted to start with something very plain and clean, something he might want to actually use. ")
- (license license:public-domain)))
+ "0qahjfg1n0x76ps2mbyljvws1l3qhkqvmxqbahps4qgywl2hbdkj"))))
+ (build-system python-build-system)
+ (native-inputs
+ `(("cmake" ,cmake)))
+ (home-page "https://github.com/lief-project/LIEF")
+ (synopsis "Library to Instrument Executable Formats")
+ (description "Python library to to provide a cross platform library which can
+parse, modify and abstract ELF, PE and MachO formats.")
+ (license license:asl2.0)))
+
+(define osslsigncode
+ (package
+ (name "osslsigncode")
+ (version "2.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/mtrojnar/"
+ name "/archive/" version ".tar.gz"))
+ (sha256
+ (base32
+ "0byri6xny770wwb2nciq44j5071122l14bvv65axdd70nfjf0q2s"))))
+ (build-system gnu-build-system)
+ (native-inputs
+ `(("pkg-config" ,pkg-config)
+ ("autoconf" ,autoconf)
+ ("automake" ,automake)
+ ("libtool" ,libtool)))
+ (inputs
+ `(("openssl" ,openssl)))
+ (arguments
+ `(#:configure-flags
+ `("--without-gsf"
+ "--without-curl"
+ "--disable-dependency-tracking")))
+ (home-page "https://github.com/mtrojnar/osslsigncode")
+ (synopsis "Authenticode signing and timestamping tool")
+ (description "osslsigncode is a small tool that implements part of the
+functionality of the Microsoft tool signtool.exe - more exactly the Authenticode
+signing and timestamping. But osslsigncode is based on OpenSSL and cURL, and
+thus should be able to compile on most platforms where these exist.")
+ (license license:gpl3+))) ; license is with openssl exception
+
+(define-public python-asn1crypto
+ (package
+ (name "python-asn1crypto")
+ (version "1.4.0")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/wbond/asn1crypto")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "19abibn6jw20mzi1ln4n9jjvpdka8ygm4m439hplyrdfqbvgm01r"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases
+ (modify-phases %standard-phases
+ (replace 'check
+ (lambda _
+ (invoke "python" "run.py" "tests"))))))
+ (home-page "https://github.com/wbond/asn1crypto")
+ (synopsis "ASN.1 parser and serializer in Python")
+ (description "asn1crypto is an ASN.1 parser and serializer with definitions
+for private keys, public keys, certificates, CRL, OCSP, CMS, PKCS#3, PKCS#7,
+PKCS#8, PKCS#12, PKCS#5, X.509 and TSP.")
+ (license license:expat)))
+
+(define-public python-elfesteem
+ (let ((commit "87bbd79ab7e361004c98cc8601d4e5f029fd8bd5"))
+ (package
+ (name "python-elfesteem")
+ (version (git-version "0.1" "1" commit))
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/LRGH/elfesteem")
+ (commit commit)))
+ (file-name (git-file-name name commit))
+ (sha256
+ (base32
+ "1nyvjisvyxyxnd0023xjf5846xd03lwawp5pfzr8vrky7wwm5maz"))))
+ (build-system python-build-system)
+ ;; There are no tests, but attempting to run python setup.py test leads to
+ ;; PYTHONPATH problems, just disable the test
+ (arguments '(#:tests? #f))
+ (home-page "https://github.com/LRGH/elfesteem")
+ (synopsis "ELF/PE/Mach-O parsing library")
+ (description "elfesteem parses ELF, PE and Mach-O files.")
+ (license license:lgpl2.1))))
+
+(define-public python-oscrypto
+ (package
+ (name "python-oscrypto")
+ (version "1.2.1")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/wbond/oscrypto")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1d4d8s4z340qhvb3g5m5v3436y3a71yc26wk4749q64m09kxqc3l"))
+ (patches (search-our-patches "oscrypto-hard-code-openssl.patch"))))
+ (build-system python-build-system)
+ (native-search-paths
+ (list (search-path-specification
+ (variable "SSL_CERT_FILE")
+ (file-type 'regular)
+ (separator #f) ;single entry
+ (files '("etc/ssl/certs/ca-certificates.crt")))))
+
+ (propagated-inputs
+ `(("python-asn1crypto" ,python-asn1crypto)
+ ("openssl" ,openssl)))
+ (arguments
+ `(#:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'hard-code-path-to-libscrypt
+ (lambda* (#:key inputs #:allow-other-keys)
+ (let ((openssl (assoc-ref inputs "openssl")))
+ (substitute* "oscrypto/__init__.py"
+ (("@GUIX_OSCRYPTO_USE_OPENSSL@")
+ (string-append openssl "/lib/libcrypto.so" "," openssl "/lib/libssl.so")))
+ #t)))
+ (add-after 'unpack 'disable-broken-tests
+ (lambda _
+ ;; This test is broken as there is no keyboard interrupt.
+ (substitute* "tests/test_trust_list.py"
+ (("^(.*)class TrustListTests" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "tests/test_tls.py"
+ (("^(.*)class TLSTests" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ #t))
+ (replace 'check
+ (lambda _
+ (invoke "python" "run.py" "tests")
+ #t)))))
+ (home-page "https://github.com/wbond/oscrypto")
+ (synopsis "Compiler-free Python crypto library backed by the OS")
+ (description "oscrypto is a compilation-free, always up-to-date encryption library for Python.")
+ (license license:expat)))
+
+(define-public python-oscryptotests
+ (package (inherit python-oscrypto)
+ (name "python-oscryptotests")
+ (arguments
+ `(#:tests? #f
+ #:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'hard-code-path-to-libscrypt
+ (lambda* (#:key inputs #:allow-other-keys)
+ (chdir "tests")
+ #t)))))))
+
+(define-public python-certvalidator
+ (let ((commit "e5bdb4bfcaa09fa0af355eb8867d00dfeecba08c"))
+ (package
+ (name "python-certvalidator")
+ (version (git-version "0.1" "1" commit))
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/achow101/certvalidator")
+ (commit commit)))
+ (file-name (git-file-name name commit))
+ (sha256
+ (base32
+ "18pvxkvpkfkzgvfylv0kx65pmxfcv1hpsg03cip93krfvrrl4c75"))))
+ (build-system python-build-system)
+ (propagated-inputs
+ `(("python-asn1crypto" ,python-asn1crypto)
+ ("python-oscrypto" ,python-oscrypto)
+ ("python-oscryptotests", python-oscryptotests))) ;; certvalidator tests import oscryptotests
+ (arguments
+ `(#:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'disable-broken-tests
+ (lambda _
+ (substitute* "tests/test_certificate_validator.py"
+ (("^(.*)class CertificateValidatorTests" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "tests/test_crl_client.py"
+ (("^(.*)def test_fetch_crl" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "tests/test_ocsp_client.py"
+ (("^(.*)def test_fetch_ocsp" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "tests/test_registry.py"
+ (("^(.*)def test_build_paths" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "tests/test_validate.py"
+ (("^(.*)def test_revocation_mode_hard" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ #t))
+ (replace 'check
+ (lambda _
+ (invoke "python" "run.py" "tests")
+ #t)))))
+ (home-page "https://github.com/wbond/certvalidator")
+ (synopsis "Python library for validating X.509 certificates and paths")
+ (description "certvalidator is a Python library for validating X.509
+certificates or paths. Supports various options, including: validation at a
+specific moment in time, whitelisting and revocation checks.")
+ (license license:expat))))
+
+(define-public python-requests-2.25.1
+ (package (inherit python-requests)
+ (version "2.25.1")
+ (source (origin
+ (method url-fetch)
+ (uri (pypi-uri "requests" version))
+ (sha256
+ (base32
+ "015qflyqsgsz09gnar69s6ga74ivq5kch69s4qxz3904m7a3v5r7"))))))
+
+(define-public python-altgraph
+ (package
+ (name "python-altgraph")
+ (version "0.17")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/ronaldoussoren/altgraph")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "09sm4srvvkw458pn48ga9q7ykr4xlz7q8gh1h9w7nxpf001qgpwb"))))
+ (build-system python-build-system)
+ (home-page "https://github.com/ronaldoussoren/altgraph")
+ (synopsis "Python graph (network) package")
+ (description "altgraph is a fork of graphlib: a graph (network) package for
+constructing graphs, BFS and DFS traversals, topological sort, shortest paths,
+etc. with graphviz output.")
+ (license license:expat)))
+
+
+(define-public python-macholib
+ (package
+ (name "python-macholib")
+ (version "1.14")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/ronaldoussoren/macholib")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "0aislnnfsza9wl4f0vp45ivzlc0pzhp9d4r08700slrypn5flg42"))))
+ (build-system python-build-system)
+ (propagated-inputs
+ `(("python-altgraph" ,python-altgraph)))
+ (arguments
+ '(#:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'disable-broken-tests
+ (lambda _
+ ;; This test is broken as there is no keyboard interrupt.
+ (substitute* "macholib_tests/test_command_line.py"
+ (("^(.*)class TestCmdLine" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "macholib_tests/test_dyld.py"
+ (("^(.*)def test_\\S+_find" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line))
+ (("^(.*)def testBasic" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line))
+ )
+ #t)))))
+ (home-page "https://github.com/ronaldoussoren/macholib")
+ (synopsis "Python library for analyzing and editing Mach-O headers")
+ (description "macholib is a Macho-O header analyzer and editor. It's
+typically used as a dependency analysis tool, and also to rewrite dylib
+references in Mach-O headers to be @executable_path relative. Though this tool
+targets a platform specific file format, it is pure python code that is platform
+and endian independent.")
+ (license license:expat)))
+
+(define-public python-signapple
+ (let ((commit "b084cbbf44d5330448ffce0c7d118f75781b64bd"))
+ (package
+ (name "python-signapple")
+ (version (git-version "0.1" "1" commit))
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/achow101/signapple")
+ (commit commit)))
+ (file-name (git-file-name name commit))
+ (sha256
+ (base32
+ "0k7inccl2mzac3wq4asbr0kl8s4cghm8982z54kfascqg45shv01"))))
+ (build-system python-build-system)
+ (propagated-inputs
+ `(("python-asn1crypto" ,python-asn1crypto)
+ ("python-oscrypto" ,python-oscrypto)
+ ("python-certvalidator" ,python-certvalidator)
+ ("python-elfesteem" ,python-elfesteem)
+ ("python-requests" ,python-requests-2.25.1)
+ ("python-macholib" ,python-macholib)
+ ("libcrypto" ,openssl)))
+ ;; There are no tests, but attempting to run python setup.py test leads to
+ ;; problems, just disable the test
+ (arguments '(#:tests? #f))
+ (home-page "https://github.com/achow101/signapple")
+ (synopsis "Mach-O binary signature tool")
+ (description "signapple is a Python tool for creating, verifying, and
+inspecting signatures in Mach-O binaries.")
+ (license license:expat))))
+
+(define-public glibc-2.24
+ (package
+ (inherit glibc)
+ (version "2.24")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://sourceware.org/git/glibc.git")
+ (commit "0d7f1ed30969886c8dde62fbf7d2c79967d4bace")))
+ (file-name (git-file-name "glibc" "0d7f1ed30969886c8dde62fbf7d2c79967d4bace"))
+ (sha256
+ (base32
+ "0g5hryia5v1k0qx97qffgwzrz4lr4jw3s5kj04yllhswsxyjbic3"))
+ (patches (search-our-patches "glibc-ldd-x86_64.patch"
+ "glibc-versioned-locpath.patch"
+ "glibc-2.24-elfm-loadaddr-dynamic-rewrite.patch"
+ "glibc-2.24-no-build-time-cxx-header-run.patch"))))))
+
+(define glibc-2.27/bitcoin-patched
+ (package-with-extra-patches glibc-2.27
+ (search-our-patches "glibc-2.27-riscv64-Use-__has_include__-to-include-asm-syscalls.h.patch")))
(packages->manifest
(append
@@ -207,39 +613,43 @@ chain for " target " development."))
patch
gawk
sed
+ moreutils
;; Compression and archiving
tar
bzip2
gzip
xz
zlib
+ (list zlib "static")
;; Build tools
gnu-make
libtool
autoconf
automake
pkg-config
+ bison
;; Scripting
perl
python-3
;; Git
git
+ ;; Tests
+ lief
;; Native gcc 7 toolchain
- gcc-toolchain-7)
+ gcc-toolchain-7
+ (list gcc-toolchain-7 "static"))
(let ((target (getenv "HOST")))
(cond ((string-suffix? "-mingw32" target)
;; Windows
(list zip
(make-mingw-pthreads-cross-toolchain "x86_64-w64-mingw32")
- (make-nsis-with-sde-support nsis-x86_64)))
- ((string-contains target "riscv64-linux-")
- (list (make-bitcoin-cross-toolchain target
- #:base-gcc-for-libc gcc-7)))
- ((string-contains target "powerpc64le-linux-")
- (list (make-bitcoin-cross-toolchain target
- #:base-gcc-for-libc gcc-7)))
+ (make-nsis-with-sde-support nsis-x86_64)
+ osslsigncode))
((string-contains target "-linux-")
- (list (make-bitcoin-cross-toolchain target)))
+ (list (cond ((string-contains target "riscv64-")
+ (make-bitcoin-cross-toolchain target #:base-libc glibc-2.27/bitcoin-patched))
+ (else
+ (make-bitcoin-cross-toolchain target)))))
((string-contains target "darwin")
- (list clang-8 libcap binutils imagemagick libtiff librsvg font-tuffy cmake xorriso))
+ (list clang-toolchain-10 binutils imagemagick libtiff librsvg font-tuffy cmake xorriso python-signapple))
(else '())))))
diff --git a/contrib/guix/patches/binutils-mingw-w64-disable-flags.patch b/contrib/guix/patches/binutils-mingw-w64-disable-flags.patch
new file mode 100644
index 0000000000..8f88eb9dfd
--- /dev/null
+++ b/contrib/guix/patches/binutils-mingw-w64-disable-flags.patch
@@ -0,0 +1,171 @@
+Description: Add disable opposites to the security-related flags
+Author: Stephen Kitt <skitt@debian.org>
+
+This patch adds "no-" variants to disable the various security flags:
+"no-dynamicbase", "no-nxcompat", "no-high-entropy-va", "disable-reloc-section".
+
+--- a/ld/emultempl/pe.em
++++ b/ld/emultempl/pe.em
+@@ -259,9 +261,11 @@
+ (OPTION_ENABLE_LONG_SECTION_NAMES + 1)
+ /* DLLCharacteristics flags. */
+ #define OPTION_DYNAMIC_BASE (OPTION_DISABLE_LONG_SECTION_NAMES + 1)
+-#define OPTION_FORCE_INTEGRITY (OPTION_DYNAMIC_BASE + 1)
++#define OPTION_NO_DYNAMIC_BASE (OPTION_DYNAMIC_BASE + 1)
++#define OPTION_FORCE_INTEGRITY (OPTION_NO_DYNAMIC_BASE + 1)
+ #define OPTION_NX_COMPAT (OPTION_FORCE_INTEGRITY + 1)
+-#define OPTION_NO_ISOLATION (OPTION_NX_COMPAT + 1)
++#define OPTION_NO_NX_COMPAT (OPTION_NX_COMPAT + 1)
++#define OPTION_NO_ISOLATION (OPTION_NO_NX_COMPAT + 1)
+ #define OPTION_NO_SEH (OPTION_NO_ISOLATION + 1)
+ #define OPTION_NO_BIND (OPTION_NO_SEH + 1)
+ #define OPTION_WDM_DRIVER (OPTION_NO_BIND + 1)
+@@ -271,6 +275,7 @@
+ #define OPTION_NO_INSERT_TIMESTAMP (OPTION_INSERT_TIMESTAMP + 1)
+ #define OPTION_BUILD_ID (OPTION_NO_INSERT_TIMESTAMP + 1)
+ #define OPTION_ENABLE_RELOC_SECTION (OPTION_BUILD_ID + 1)
++#define OPTION_DISABLE_RELOC_SECTION (OPTION_ENABLE_RELOC_SECTION + 1)
+
+ static void
+ gld${EMULATION_NAME}_add_options
+@@ -342,8 +347,10 @@
+ {"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
+ {"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
+ {"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
++ {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
+ {"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
+ {"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
++ {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
+ {"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
+ {"no-seh", no_argument, NULL, OPTION_NO_SEH},
+ {"no-bind", no_argument, NULL, OPTION_NO_BIND},
+@@ -351,6 +358,7 @@
+ {"tsaware", no_argument, NULL, OPTION_TERMINAL_SERVER_AWARE},
+ {"build-id", optional_argument, NULL, OPTION_BUILD_ID},
+ {"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
++ {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
+ {NULL, no_argument, NULL, 0}
+ };
+
+@@ -485,9 +494,12 @@
+ in object files\n"));
+ fprintf (file, _(" --dynamicbase Image base address may be relocated using\n\
+ address space layout randomization (ASLR)\n"));
++ fprintf (file, _(" --no-dynamicbase Image base address may not be relocated\n"));
+ fprintf (file, _(" --enable-reloc-section Create the base relocation table\n"));
++ fprintf (file, _(" --disable-reloc-section Disable the base relocation table\n"));
+ fprintf (file, _(" --forceinteg Code integrity checks are enforced\n"));
+ fprintf (file, _(" --nxcompat Image is compatible with data execution prevention\n"));
++ fprintf (file, _(" --no-nxcompat Image is not compatible with data execution prevention\n"));
+ fprintf (file, _(" --no-isolation Image understands isolation but do not isolate the image\n"));
+ fprintf (file, _(" --no-seh Image does not use SEH. No SE handler may\n\
+ be called in this image\n"));
+@@ -862,12 +874,21 @@
+ case OPTION_ENABLE_RELOC_SECTION:
+ pe_dll_enable_reloc_section = 1;
+ break;
++ case OPTION_DISABLE_RELOC_SECTION:
++ pe_dll_enable_reloc_section = 0;
++ /* fall through */
++ case OPTION_NO_DYNAMIC_BASE:
++ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
++ break;
+ case OPTION_FORCE_INTEGRITY:
+ pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
+ break;
+ case OPTION_NX_COMPAT:
+ pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+ break;
++ case OPTION_NO_NX_COMPAT:
++ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
++ break;
+ case OPTION_NO_ISOLATION:
+ pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
+ break;
+--- a/ld/emultempl/pep.em
++++ b/ld/emultempl/pep.em
+@@ -237,9 +240,12 @@
+ OPTION_ENABLE_LONG_SECTION_NAMES,
+ OPTION_DISABLE_LONG_SECTION_NAMES,
+ OPTION_HIGH_ENTROPY_VA,
++ OPTION_NO_HIGH_ENTROPY_VA,
+ OPTION_DYNAMIC_BASE,
++ OPTION_NO_DYNAMIC_BASE,
+ OPTION_FORCE_INTEGRITY,
+ OPTION_NX_COMPAT,
++ OPTION_NO_NX_COMPAT,
+ OPTION_NO_ISOLATION,
+ OPTION_NO_SEH,
+ OPTION_NO_BIND,
+@@ -248,7 +254,8 @@
+ OPTION_NO_INSERT_TIMESTAMP,
+ OPTION_TERMINAL_SERVER_AWARE,
+ OPTION_BUILD_ID,
+- OPTION_ENABLE_RELOC_SECTION
++ OPTION_ENABLE_RELOC_SECTION,
++ OPTION_DISABLE_RELOC_SECTION
+ };
+
+ static void
+@@ -315,9 +322,12 @@
+ {"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
+ {"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
+ {"high-entropy-va", no_argument, NULL, OPTION_HIGH_ENTROPY_VA},
++ {"no-high-entropy-va", no_argument, NULL, OPTION_NO_HIGH_ENTROPY_VA},
+ {"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
++ {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
+ {"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
+ {"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
++ {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
+ {"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
+ {"no-seh", no_argument, NULL, OPTION_NO_SEH},
+ {"no-bind", no_argument, NULL, OPTION_NO_BIND},
+@@ -327,6 +337,7 @@
+ {"no-insert-timestamp", no_argument, NULL, OPTION_NO_INSERT_TIMESTAMP},
+ {"build-id", optional_argument, NULL, OPTION_BUILD_ID},
+ {"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
++ {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
+ {NULL, no_argument, NULL, 0}
+ };
+
+@@ -448,11 +461,15 @@
+ in object files\n"));
+ fprintf (file, _(" --high-entropy-va Image is compatible with 64-bit address space\n\
+ layout randomization (ASLR)\n"));
++ fprintf (file, _(" --no-high-entropy-va Image is not compatible with 64-bit ASLR\n"));
+ fprintf (file, _(" --dynamicbase Image base address may be relocated using\n\
+ address space layout randomization (ASLR)\n"));
++ fprintf (file, _(" --no-dynamicbase Image base address may not be relocated\n"));
+ fprintf (file, _(" --enable-reloc-section Create the base relocation table\n"));
++ fprintf (file, _(" --disable-reloc-section Disable the base relocation table\n"));
+ fprintf (file, _(" --forceinteg Code integrity checks are enforced\n"));
+ fprintf (file, _(" --nxcompat Image is compatible with data execution prevention\n"));
++ fprintf (file, _(" --no-nxcompat Image is not compatible with data execution prevention\n"));
+ fprintf (file, _(" --no-isolation Image understands isolation but do not isolate the image\n"));
+ fprintf (file, _(" --no-seh Image does not use SEH; no SE handler may\n\
+ be called in this image\n"));
+@@ -809,12 +826,24 @@
+ case OPTION_ENABLE_RELOC_SECTION:
+ pep_dll_enable_reloc_section = 1;
+ break;
++ case OPTION_DISABLE_RELOC_SECTION:
++ pep_dll_enable_reloc_section = 0;
++ /* fall through */
++ case OPTION_NO_DYNAMIC_BASE:
++ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
++ /* fall through */
++ case OPTION_NO_HIGH_ENTROPY_VA:
++ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA;
++ break;
+ case OPTION_FORCE_INTEGRITY:
+ pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
+ break;
+ case OPTION_NX_COMPAT:
+ pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+ break;
++ case OPTION_NO_NX_COMPAT:
++ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
++ break;
+ case OPTION_NO_ISOLATION:
+ pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
+ break;
diff --git a/contrib/guix/patches/gcc-8-sort-libtool-find-output.patch b/contrib/guix/patches/gcc-8-sort-libtool-find-output.patch
new file mode 100644
index 0000000000..f327c464f3
--- /dev/null
+++ b/contrib/guix/patches/gcc-8-sort-libtool-find-output.patch
@@ -0,0 +1,400 @@
+guix: repro: Sort find output in libtool for gcc-8
+
+Otherwise the resulting .a static libraries (e.g. libstdc++.a) will not
+be reproducible and end up making the Bitcoin binaries non-reproducible
+as well.
+
+See: https://reproducible-builds.org/docs/archives/#gnu-libtool
+
+diff --git a/gcc/configure b/gcc/configure
+index 97ba7d7d69c..e37a96f0c0c 100755
+--- a/gcc/configure
++++ b/gcc/configure
+@@ -19720,20 +19720,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libcc1/configure b/libcc1/configure
+index f53a121611c..5740ca90cab 100755
+--- a/libcc1/configure
++++ b/libcc1/configure
+@@ -12221,20 +12221,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libffi/configure b/libffi/configure
+index 790a291011f..54b1ac18306 100755
+--- a/libffi/configure
++++ b/libffi/configure
+@@ -12661,20 +12661,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libgo/config/libtool.m4 b/libgo/config/libtool.m4
+index f7005947454..8a84417b828 100644
+--- a/libgo/config/libtool.m4
++++ b/libgo/config/libtool.m4
+@@ -6010,20 +6010,20 @@ if test "$_lt_caught_CXX_error" != yes; then
+ _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libgo/config/ltmain.sh b/libgo/config/ltmain.sh
+index ce66b44906a..0f81c401407 100644
+--- a/libgo/config/ltmain.sh
++++ b/libgo/config/ltmain.sh
+@@ -2917,7 +2917,7 @@ func_extract_archives ()
+ darwin_file=
+ darwin_files=
+ for darwin_file in $darwin_filelist; do
+- darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
++ darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP`
+ $LIPO -create -output "$darwin_file" $darwin_files
+ done # $darwin_filelist
+ $RM -rf unfat-$$
+@@ -2932,7 +2932,7 @@ func_extract_archives ()
+ func_extract_an_archive "$my_xdir" "$my_xabs"
+ ;;
+ esac
+- my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
++ my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP`
+ done
+
+ func_extract_archives_result="$my_oldobjs"
+diff --git a/libhsail-rt/configure b/libhsail-rt/configure
+index a4fcc10c1f9..8e671229fcd 100755
+--- a/libhsail-rt/configure
++++ b/libhsail-rt/configure
+@@ -12244,20 +12244,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libitm/configure b/libitm/configure
+index dbf386db434..29d4f10611f 100644
+--- a/libitm/configure
++++ b/libitm/configure
+@@ -13067,20 +13067,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/liboffloadmic/configure b/liboffloadmic/configure
+index f873716991b..7aa9186b10e 100644
+--- a/liboffloadmic/configure
++++ b/liboffloadmic/configure
+@@ -12379,20 +12379,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/liboffloadmic/plugin/configure b/liboffloadmic/plugin/configure
+index c031eb3e7fa..67fc7368f21 100644
+--- a/liboffloadmic/plugin/configure
++++ b/liboffloadmic/plugin/configure
+@@ -12086,20 +12086,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libsanitizer/configure b/libsanitizer/configure
+index 4695bc7d4f7..cb7d25c07e6 100755
+--- a/libsanitizer/configure
++++ b/libsanitizer/configure
+@@ -13308,20 +13308,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libstdc++-v3/configure b/libstdc++-v3/configure
+index 61457e940ec..21ef1f61e41 100755
+--- a/libstdc++-v3/configure
++++ b/libstdc++-v3/configure
+@@ -13087,20 +13087,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libtool.m4 b/libtool.m4
+index 24d13f34409..940faaa161d 100644
+--- a/libtool.m4
++++ b/libtool.m4
+@@ -6005,20 +6005,20 @@ if test "$_lt_caught_CXX_error" != yes; then
+ _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libvtv/configure b/libvtv/configure
+index a197f750453..31ab3a0637b 100755
+--- a/libvtv/configure
++++ b/libvtv/configure
+@@ -13339,20 +13339,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/ltmain.sh b/ltmain.sh
+index 9503ec85d70..79f9ba89af5 100644
+--- a/ltmain.sh
++++ b/ltmain.sh
+@@ -2917,7 +2917,7 @@ func_extract_archives ()
+ darwin_file=
+ darwin_files=
+ for darwin_file in $darwin_filelist; do
+- darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
++ darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP`
+ $LIPO -create -output "$darwin_file" $darwin_files
+ done # $darwin_filelist
+ $RM -rf unfat-$$
+@@ -2932,7 +2932,7 @@ func_extract_archives ()
+ func_extract_an_archive "$my_xdir" "$my_xabs"
+ ;;
+ esac
+- my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
++ my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP`
+ done
+
+ func_extract_archives_result="$my_oldobjs"
diff --git a/contrib/guix/patches/glibc-2.24-elfm-loadaddr-dynamic-rewrite.patch b/contrib/guix/patches/glibc-2.24-elfm-loadaddr-dynamic-rewrite.patch
new file mode 100644
index 0000000000..5c4d0c6ebe
--- /dev/null
+++ b/contrib/guix/patches/glibc-2.24-elfm-loadaddr-dynamic-rewrite.patch
@@ -0,0 +1,62 @@
+https://sourceware.org/git/?p=glibc.git;a=commit;h=a68ba2f3cd3cbe32c1f31e13c20ed13487727b32
+
+commit 6b02af31e9a721bb15a11380cd22d53b621711f8
+Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Wed Oct 18 17:26:23 2017 +0100
+
+ [AARCH64] Rewrite elf_machine_load_address using _DYNAMIC symbol
+
+ This patch rewrites aarch64 elf_machine_load_address to use special _DYNAMIC
+ symbol instead of _dl_start.
+
+ The static address of _DYNAMIC symbol is stored in the first GOT entry.
+ Here is the change which makes this solution work (part of binutils 2.24):
+ https://sourceware.org/ml/binutils/2013-06/msg00248.html
+
+ i386, x86_64 targets use the same method to do this as well.
+
+ The original implementation relies on a trick that R_AARCH64_ABS32 relocation
+ being resolved at link time and the static address fits in the 32bits.
+ However, in LP64, normally, the address is defined to be 64 bit.
+
+ Here is the C version one which should be portable in all cases.
+
+ * sysdeps/aarch64/dl-machine.h (elf_machine_load_address): Use
+ _DYNAMIC symbol to calculate load address.
+
+diff --git a/sysdeps/aarch64/dl-machine.h b/sysdeps/aarch64/dl-machine.h
+index e86d8b5b63..5a5b8a5de5 100644
+--- a/sysdeps/aarch64/dl-machine.h
++++ b/sysdeps/aarch64/dl-machine.h
+@@ -49,26 +49,11 @@ elf_machine_load_address (void)
+ /* To figure out the load address we use the definition that for any symbol:
+ dynamic_addr(symbol) = static_addr(symbol) + load_addr
+
+- The choice of symbol is arbitrary. The static address we obtain
+- by constructing a non GOT reference to the symbol, the dynamic
+- address of the symbol we compute using adrp/add to compute the
+- symbol's address relative to the PC.
+- This depends on 32bit relocations being resolved at link time
+- and that the static address fits in the 32bits. */
+-
+- ElfW(Addr) static_addr;
+- ElfW(Addr) dynamic_addr;
+-
+- asm (" \n"
+-" adrp %1, _dl_start; \n"
+-" add %1, %1, #:lo12:_dl_start \n"
+-" ldr %w0, 1f \n"
+-" b 2f \n"
+-"1: \n"
+-" .word _dl_start \n"
+-"2: \n"
+- : "=r" (static_addr), "=r" (dynamic_addr));
+- return dynamic_addr - static_addr;
++ _DYNAMIC sysmbol is used here as its link-time address stored in
++ the special unrelocated first GOT entry. */
++
++ extern ElfW(Dyn) _DYNAMIC[] attribute_hidden;
++ return (ElfW(Addr)) &_DYNAMIC - elf_machine_dynamic ();
+ }
+
+ /* Set up the loaded object described by L so its unrelocated PLT
diff --git a/contrib/guix/patches/glibc-2.24-no-build-time-cxx-header-run.patch b/contrib/guix/patches/glibc-2.24-no-build-time-cxx-header-run.patch
new file mode 100644
index 0000000000..11fe7fdc99
--- /dev/null
+++ b/contrib/guix/patches/glibc-2.24-no-build-time-cxx-header-run.patch
@@ -0,0 +1,100 @@
+https://sourceware.org/git/?p=glibc.git;a=commit;h=fc3e1337be1c6935ab58bd13520f97a535cf70cc
+
+commit dc23a45db566095e83ff0b7a57afc87fb5ca89a1
+Author: Florian Weimer <fweimer@redhat.com>
+Date: Wed Sep 21 10:45:32 2016 +0200
+
+ Avoid running $(CXX) during build to obtain header file paths
+
+ This reduces the build time somewhat and is particularly noticeable
+ during rebuilds with few code changes.
+
+diff --git a/Makerules b/Makerules
+index 7e4077ee50..c338850de5 100644
+--- a/Makerules
++++ b/Makerules
+@@ -121,14 +121,10 @@ ifneq (,$(CXX))
+ # will be used instead of /usr/include/stdlib.h and /usr/include/math.h.
+ before-compile := $(common-objpfx)cstdlib $(common-objpfx)cmath \
+ $(before-compile)
+-cstdlib=$(shell echo "\#include <cstdlib>" | $(CXX) -M -MP -x c++ - \
+- | sed -n "/cstdlib:/{s/:$$//;p}")
+-$(common-objpfx)cstdlib: $(cstdlib)
++$(common-objpfx)cstdlib: $(c++-cstdlib-header)
+ $(INSTALL_DATA) $< $@T
+ $(move-if-change) $@T $@
+-cmath=$(shell echo "\#include <cmath>" | $(CXX) -M -MP -x c++ - \
+- | sed -n "/cmath:/{s/:$$//;p}")
+-$(common-objpfx)cmath: $(cmath)
++$(common-objpfx)cmath: $(c++-cmath-header)
+ $(INSTALL_DATA) $< $@T
+ $(move-if-change) $@T $@
+ endif
+diff --git a/config.make.in b/config.make.in
+index 95c6f36876..04a8b3ed7f 100644
+--- a/config.make.in
++++ b/config.make.in
+@@ -45,6 +45,8 @@ defines = @DEFINES@
+ sysheaders = @sysheaders@
+ sysincludes = @SYSINCLUDES@
+ c++-sysincludes = @CXX_SYSINCLUDES@
++c++-cstdlib-header = @CXX_CSTDLIB_HEADER@
++c++-cmath-header = @CXX_CMATH_HEADER@
+ all-warnings = @all_warnings@
+ enable-werror = @enable_werror@
+
+diff --git a/configure b/configure
+index 17625e1041..6ff252744b 100755
+--- a/configure
++++ b/configure
+@@ -635,6 +635,8 @@ BISON
+ INSTALL_INFO
+ PERL
+ BASH_SHELL
++CXX_CMATH_HEADER
++CXX_CSTDLIB_HEADER
+ CXX_SYSINCLUDES
+ SYSINCLUDES
+ AUTOCONF
+@@ -5054,6 +5056,18 @@ fi
+
+
+
++# Obtain some C++ header file paths. This is used to make a local
++# copy of those headers in Makerules.
++if test -n "$CXX"; then
++ find_cxx_header () {
++ echo "#include <$1>" | $CXX -M -MP -x c++ - | sed -n "/$1:/{s/:\$//;p}"
++ }
++ CXX_CSTDLIB_HEADER="$(find_cxx_header cstdlib)"
++ CXX_CMATH_HEADER="$(find_cxx_header cmath)"
++fi
++
++
++
+ # Test if LD_LIBRARY_PATH contains the notation for the current directory
+ # since this would lead to problems installing/building glibc.
+ # LD_LIBRARY_PATH contains the current directory if one of the following
+diff --git a/configure.ac b/configure.ac
+index 33bcd62180..9938ab0dc2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1039,6 +1039,18 @@ fi
+ AC_SUBST(SYSINCLUDES)
+ AC_SUBST(CXX_SYSINCLUDES)
+
++# Obtain some C++ header file paths. This is used to make a local
++# copy of those headers in Makerules.
++if test -n "$CXX"; then
++ find_cxx_header () {
++ echo "#include <$1>" | $CXX -M -MP -x c++ - | sed -n "/$1:/{s/:\$//;p}"
++ }
++ CXX_CSTDLIB_HEADER="$(find_cxx_header cstdlib)"
++ CXX_CMATH_HEADER="$(find_cxx_header cmath)"
++fi
++AC_SUBST(CXX_CSTDLIB_HEADER)
++AC_SUBST(CXX_CMATH_HEADER)
++
+ # Test if LD_LIBRARY_PATH contains the notation for the current directory
+ # since this would lead to problems installing/building glibc.
+ # LD_LIBRARY_PATH contains the current directory if one of the following
diff --git a/contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include__-to-include-asm-syscalls.h.patch b/contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include__-to-include-asm-syscalls.h.patch
new file mode 100644
index 0000000000..d6217157ee
--- /dev/null
+++ b/contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include__-to-include-asm-syscalls.h.patch
@@ -0,0 +1,72 @@
+https://sourceware.org/git/?p=glibc.git;a=commit;h=0b9c84906f653978fb8768c7ebd0ee14a47e662e
+
+From 562c52cc81a4e456a62e6455feb32732049e9070 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Mon, 31 Dec 2018 09:26:42 -0800
+Subject: [PATCH] riscv: Use __has_include__ to include <asm/syscalls.h> [BZ
+ #24022]
+
+<asm/syscalls.h> has been removed by
+
+commit 27f8899d6002e11a6e2d995e29b8deab5aa9cc25
+Author: David Abdurachmanov <david.abdurachmanov@gmail.com>
+Date: Thu Nov 8 20:02:39 2018 +0100
+
+ riscv: add asm/unistd.h UAPI header
+
+ Marcin Juszkiewicz reported issues while generating syscall table for riscv
+ using 4.20-rc1. The patch refactors our unistd.h files to match some other
+ architectures.
+
+ - Add asm/unistd.h UAPI header, which has __ARCH_WANT_NEW_STAT only for 64-bit
+ - Remove asm/syscalls.h UAPI header and merge to asm/unistd.h
+ - Adjust kernel asm/unistd.h
+
+ So now asm/unistd.h UAPI header should show all syscalls for riscv.
+
+<asm/syscalls.h> may be restored by
+
+Subject: [PATCH] riscv: restore asm/syscalls.h UAPI header
+Date: Tue, 11 Dec 2018 09:09:35 +0100
+
+UAPI header asm/syscalls.h was merged into UAPI asm/unistd.h header,
+which did resolve issue with missing syscalls macros resulting in
+glibc (2.28) build failure. It also broke glibc in a different way:
+asm/syscalls.h is being used by glibc. I noticed this while doing
+Fedora 30/Rawhide mass rebuild.
+
+The patch returns asm/syscalls.h header and incl. it into asm/unistd.h.
+I plan to send a patch to glibc to use asm/unistd.h instead of
+asm/syscalls.h
+
+In the meantime, we use __has_include__, which was added to GCC 5, to
+check if <asm/syscalls.h> exists before including it. Tested with
+build-many-glibcs.py for riscv against kernel 4.19.12 and 4.20-rc7.
+
+ [BZ #24022]
+ * sysdeps/unix/sysv/linux/riscv/flush-icache.c: Check if
+ <asm/syscalls.h> exists with __has_include__ before including it.
+---
+ sysdeps/unix/sysv/linux/riscv/flush-icache.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sysdeps/unix/sysv/linux/riscv/flush-icache.c b/sysdeps/unix/sysv/linux/riscv/flush-icache.c
+index d612ef4c6c..0b2042620b 100644
+--- a/sysdeps/unix/sysv/linux/riscv/flush-icache.c
++++ b/sysdeps/unix/sysv/linux/riscv/flush-icache.c
+@@ -21,7 +21,11 @@
+ #include <stdlib.h>
+ #include <atomic.h>
+ #include <sys/cachectl.h>
+-#include <asm/syscalls.h>
++#if __has_include__ (<asm/syscalls.h>)
++# include <asm/syscalls.h>
++#else
++# include <asm/unistd.h>
++#endif
+
+ typedef int (*func_type) (void *, void *, unsigned long int);
+
+--
+2.31.1
+
diff --git a/contrib/guix/patches/glibc-ldd-x86_64.patch b/contrib/guix/patches/glibc-ldd-x86_64.patch
new file mode 100644
index 0000000000..b1b6d5a548
--- /dev/null
+++ b/contrib/guix/patches/glibc-ldd-x86_64.patch
@@ -0,0 +1,10 @@
+By default, 'RTDLLIST' in 'ldd' refers to 'lib64/ld-linux-x86-64.so', whereas
+it's in 'lib/' for us. This patch fixes that.
+
+--- glibc-2.17/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed 2012-12-25 04:02:13.000000000 +0100
++++ glibc-2.17/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed 2013-09-15 23:08:03.000000000 +0200
+@@ -1,3 +1,3 @@
+ /LD_TRACE_LOADED_OBJECTS=1/a\
+ add_env="$add_env LD_LIBRARY_VERSION=\\$verify_out"
+-s_^\(RTLDLIST=\)\(.*lib\)\(\|64\|x32\)\(/[^/]*\)\(-x86-64\|-x32\)\(\.so\.[0-9.]*\)[ ]*$_\1"\2\4\6 \264\4-x86-64\6 \2x32\4-x32\6"_
++s_^\(RTLDLIST=\)\(.*lib\)\(\|64\|x32\)\(/[^/]*\)\(-x86-64\|-x32\)\(\.so\.[0-9.]*\)[ ]*$_\1"\2\4\6 \2\4-x86-64\6 \2x32\4-x32\6"_
diff --git a/contrib/guix/patches/glibc-versioned-locpath.patch b/contrib/guix/patches/glibc-versioned-locpath.patch
new file mode 100644
index 0000000000..bc7652127f
--- /dev/null
+++ b/contrib/guix/patches/glibc-versioned-locpath.patch
@@ -0,0 +1,240 @@
+The format of locale data can be incompatible between libc versions, and
+loading incompatible data can lead to 'setlocale' returning EINVAL at best
+or triggering an assertion failure at worst. See
+https://lists.gnu.org/archive/html/guix-devel/2015-09/msg00717.html
+for background information.
+
+To address that, this patch changes libc to honor a new 'GUIX_LOCPATH'
+variable, and to look for locale data in version-specific sub-directories of
+that variable. So, if GUIX_LOCPATH=/foo:/bar, locale data is searched for in
+/foo/X.Y and /bar/X.Y, where X.Y is the libc version number.
+
+That way, a single 'GUIX_LOCPATH' setting can work even if different libc
+versions coexist on the system.
+
+--- a/locale/newlocale.c
++++ b/locale/newlocale.c
+@@ -30,6 +30,7 @@
+ /* Lock for protecting global data. */
+ __libc_rwlock_define (extern , __libc_setlocale_lock attribute_hidden)
+
++extern error_t compute_locale_search_path (char **, size_t *);
+
+ /* Use this when we come along an error. */
+ #define ERROR_RETURN \
+@@ -48,7 +49,6 @@ __newlocale (int category_mask, const char *locale, __locale_t base)
+ __locale_t result_ptr;
+ char *locale_path;
+ size_t locale_path_len;
+- const char *locpath_var;
+ int cnt;
+ size_t names_len;
+
+@@ -102,17 +102,8 @@ __newlocale (int category_mask, const char *locale, __locale_t base)
+ locale_path = NULL;
+ locale_path_len = 0;
+
+- locpath_var = getenv ("LOCPATH");
+- if (locpath_var != NULL && locpath_var[0] != '\0')
+- {
+- if (__argz_create_sep (locpath_var, ':',
+- &locale_path, &locale_path_len) != 0)
+- return NULL;
+-
+- if (__argz_add_sep (&locale_path, &locale_path_len,
+- _nl_default_locale_path, ':') != 0)
+- return NULL;
+- }
++ if (compute_locale_search_path (&locale_path, &locale_path_len) != 0)
++ return NULL;
+
+ /* Get the names for the locales we are interested in. We either
+ allow a composite name or a single name. */
+diff --git a/locale/setlocale.c b/locale/setlocale.c
+index ead030d..0c0e314 100644
+--- a/locale/setlocale.c
++++ b/locale/setlocale.c
+@@ -215,12 +215,65 @@ setdata (int category, struct __locale_data *data)
+ }
+ }
+
++/* Return in *LOCALE_PATH and *LOCALE_PATH_LEN the locale data search path as
++ a colon-separated list. Return ENOMEN on error, zero otherwise. */
++error_t
++compute_locale_search_path (char **locale_path, size_t *locale_path_len)
++{
++ char* guix_locpath_var = getenv ("GUIX_LOCPATH");
++ char *locpath_var = getenv ("LOCPATH");
++
++ if (guix_locpath_var != NULL && guix_locpath_var[0] != '\0')
++ {
++ /* Entries in 'GUIX_LOCPATH' take precedence over 'LOCPATH'. These
++ entries are systematically prefixed with "/X.Y" where "X.Y" is the
++ libc version. */
++ if (__argz_create_sep (guix_locpath_var, ':',
++ locale_path, locale_path_len) != 0
++ || __argz_suffix_entries (locale_path, locale_path_len,
++ "/" VERSION) != 0)
++ goto bail_out;
++ }
++
++ if (locpath_var != NULL && locpath_var[0] != '\0')
++ {
++ char *reg_locale_path = NULL;
++ size_t reg_locale_path_len = 0;
++
++ if (__argz_create_sep (locpath_var, ':',
++ &reg_locale_path, &reg_locale_path_len) != 0)
++ goto bail_out;
++
++ if (__argz_append (locale_path, locale_path_len,
++ reg_locale_path, reg_locale_path_len) != 0)
++ goto bail_out;
++
++ free (reg_locale_path);
++ }
++
++ if (*locale_path != NULL)
++ {
++ /* Append the system default locale directory. */
++ if (__argz_add_sep (locale_path, locale_path_len,
++ _nl_default_locale_path, ':') != 0)
++ goto bail_out;
++ }
++
++ return 0;
++
++ bail_out:
++ free (*locale_path);
++ *locale_path = NULL;
++ *locale_path_len = 0;
++
++ return ENOMEM;
++}
++
+ char *
+ setlocale (int category, const char *locale)
+ {
+ char *locale_path;
+ size_t locale_path_len;
+- const char *locpath_var;
+ char *composite;
+
+ /* Sanity check for CATEGORY argument. */
+@@ -251,17 +304,10 @@ setlocale (int category, const char *locale)
+ locale_path = NULL;
+ locale_path_len = 0;
+
+- locpath_var = getenv ("LOCPATH");
+- if (locpath_var != NULL && locpath_var[0] != '\0')
++ if (compute_locale_search_path (&locale_path, &locale_path_len) != 0)
+ {
+- if (__argz_create_sep (locpath_var, ':',
+- &locale_path, &locale_path_len) != 0
+- || __argz_add_sep (&locale_path, &locale_path_len,
+- _nl_default_locale_path, ':') != 0)
+- {
+- __libc_rwlock_unlock (__libc_setlocale_lock);
+- return NULL;
+- }
++ __libc_rwlock_unlock (__libc_setlocale_lock);
++ return NULL;
+ }
+
+ if (category == LC_ALL)
+diff --git a/string/Makefile b/string/Makefile
+index 8424a61..f925503 100644
+--- a/string/Makefile
++++ b/string/Makefile
+@@ -38,7 +38,7 @@ routines := strcat strchr strcmp strcoll strcpy strcspn \
+ swab strfry memfrob memmem rawmemchr strchrnul \
+ $(addprefix argz-,append count create ctsep next \
+ delete extract insert stringify \
+- addsep replace) \
++ addsep replace suffix) \
+ envz basename \
+ strcoll_l strxfrm_l string-inlines memrchr \
+ xpg-strerror strerror_l
+diff --git a/string/argz-suffix.c b/string/argz-suffix.c
+new file mode 100644
+index 0000000..505b0f2
+--- /dev/null
++++ b/string/argz-suffix.c
+@@ -0,0 +1,56 @@
++/* Copyright (C) 2015 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++ Contributed by Ludovic Courtès <ludo@gnu.org>.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <argz.h>
++#include <errno.h>
++#include <stdlib.h>
++#include <string.h>
++
++
++error_t
++__argz_suffix_entries (char **argz, size_t *argz_len, const char *suffix)
++
++{
++ size_t suffix_len = strlen (suffix);
++ size_t count = __argz_count (*argz, *argz_len);
++ size_t new_argz_len = *argz_len + count * suffix_len;
++ char *new_argz = malloc (new_argz_len);
++
++ if (new_argz)
++ {
++ char *p = new_argz, *entry;
++
++ for (entry = *argz;
++ entry != NULL;
++ entry = argz_next (*argz, *argz_len, entry))
++ {
++ p = stpcpy (p, entry);
++ p = stpcpy (p, suffix);
++ p++;
++ }
++
++ free (*argz);
++ *argz = new_argz;
++ *argz_len = new_argz_len;
++
++ return 0;
++ }
++ else
++ return ENOMEM;
++}
++weak_alias (__argz_suffix_entries, argz_suffix_entries)
+diff --git a/string/argz.h b/string/argz.h
+index bb62a31..d276a35 100644
+--- a/string/argz.h
++++ b/string/argz.h
+@@ -134,6 +134,16 @@ extern error_t argz_replace (char **__restrict __argz,
+ const char *__restrict __str,
+ const char *__restrict __with,
+ unsigned int *__restrict __replace_count);
++
++/* Suffix each entry of ARGZ & ARGZ_LEN with SUFFIX. Return 0 on success,
++ and ENOMEN if memory cannot be allocated. */
++extern error_t __argz_suffix_entries (char **__restrict __argz,
++ size_t *__restrict __argz_len,
++ const char *__restrict __suffix);
++extern error_t argz_suffix_entries (char **__restrict __argz,
++ size_t *__restrict __argz_len,
++ const char *__restrict __suffix);
++
+
+ /* Returns the next entry in ARGZ & ARGZ_LEN after ENTRY, or NULL if there
+ are no more. If entry is NULL, then the first entry is returned. This
diff --git a/contrib/guix/patches/nsis-SConstruct-sde-support.patch b/contrib/guix/patches/nsis-SConstruct-sde-support.patch
index 5edf1b7c8e..f58406a7a0 100644
--- a/contrib/guix/patches/nsis-SConstruct-sde-support.patch
+++ b/contrib/guix/patches/nsis-SConstruct-sde-support.patch
@@ -1,3 +1,6 @@
+https://github.com/kichik/nsis/pull/13
+https://sourceforge.net/p/nsis/code/7248/
+
diff --git a/SConstruct b/SConstruct
index e8252c9..41786f2 100755
--- a/SConstruct
diff --git a/contrib/guix/patches/oscrypto-hard-code-openssl.patch b/contrib/guix/patches/oscrypto-hard-code-openssl.patch
new file mode 100644
index 0000000000..32027f2d09
--- /dev/null
+++ b/contrib/guix/patches/oscrypto-hard-code-openssl.patch
@@ -0,0 +1,13 @@
+diff --git a/oscrypto/__init__.py b/oscrypto/__init__.py
+index eb27313..371ab24 100644
+--- a/oscrypto/__init__.py
++++ b/oscrypto/__init__.py
+@@ -302,3 +302,8 @@ def load_order():
+ 'oscrypto._win.tls',
+ 'oscrypto.tls',
+ ]
++
++
++paths = '@GUIX_OSCRYPTO_USE_OPENSSL@'.split(',')
++assert len(paths) == 2, 'Value for OSCRYPTO_USE_OPENSSL env var must be two paths separated by a comma'
++use_openssl(*paths)
diff --git a/contrib/init/bitcoind.openrc b/contrib/init/bitcoind.openrc
index 86222295db..013a1a6070 100644
--- a/contrib/init/bitcoind.openrc
+++ b/contrib/init/bitcoind.openrc
@@ -60,16 +60,17 @@ start_pre() {
"${BITCOIND_PIDDIR}"
checkpath -f \
- -o ${BITCOIND_USER}:${BITCOIND_GROUP} \
+ -o "${BITCOIND_USER}:${BITCOIND_GROUP}" \
-m 0660 \
- ${BITCOIND_CONFIGFILE}
+ "${BITCOIND_CONFIGFILE}"
checkconfig || return 1
}
checkconfig()
{
- if ! grep -qs '^rpcpassword=' "${BITCOIND_CONFIGFILE}" ; then
+ if grep -qs '^rpcuser=' "${BITCOIND_CONFIGFILE}" && \
+ ! grep -qs '^rpcpassword=' "${BITCOIND_CONFIGFILE}" ; then
eerror ""
eerror "ERROR: You must set a secure rpcpassword to run bitcoind."
eerror "The setting must appear in ${BITCOIND_CONFIGFILE}"
diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service
index 5999928aa4..93de353bb4 100644
--- a/contrib/init/bitcoind.service
+++ b/contrib/init/bitcoind.service
@@ -18,7 +18,7 @@ After=network-online.target
Wants=network-online.target
[Service]
-ExecStart=/usr/bin/bitcoind -daemon \
+ExecStart=/usr/bin/bitcoind -daemonwait \
-pid=/run/bitcoind/bitcoind.pid \
-conf=/etc/bitcoin/bitcoin.conf \
-datadir=/var/lib/bitcoind
@@ -33,6 +33,7 @@ ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin
Type=forking
PIDFile=/run/bitcoind/bitcoind.pid
Restart=on-failure
+TimeoutStartSec=infinity
TimeoutStopSec=600
# Directory creation and permissions
diff --git a/contrib/macdeploy/README.md b/contrib/macdeploy/README.md
index 2d9a4a2153..21f6ba2eb3 100644
--- a/contrib/macdeploy/README.md
+++ b/contrib/macdeploy/README.md
@@ -13,9 +13,9 @@ When complete, it will have produced `Bitcoin-Core.dmg`.
### Step 1: Obtaining `Xcode.app`
Our current macOS SDK
-(`Xcode-11.3.1-11C505-extracted-SDK-with-libcxx-headers.tar.gz`) can be
+(`Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz`) can be
extracted from
-[Xcode_11.3.1.xip](https://download.developer.apple.com/Developer_Tools/Xcode_11.3.1/Xcode_11.3.1.xip).
+[Xcode_12.1.xip](https://download.developer.apple.com/Developer_Tools/Xcode_12.1/Xcode_12.1.xip).
An Apple ID is needed to download this.
After Xcode version 7.x, Apple started shipping the `Xcode.app` in a `.xip`
@@ -27,25 +27,25 @@ approach (tested on Debian Buster) is outlined below:
apt install cpio
git clone https://github.com/bitcoin-core/apple-sdk-tools.git
-# Unpack Xcode_11.3.1.xip and place the resulting Xcode.app in your current
+# Unpack Xcode_12.1.xip and place the resulting Xcode.app in your current
# working directory
-python3 apple-sdk-tools/extract_xcode.py -f Xcode_11.3.1.xip | cpio -d -i
+python3 apple-sdk-tools/extract_xcode.py -f Xcode_12.1.xip | cpio -d -i
```
On macOS the process is more straightforward:
```bash
-xip -x Xcode_11.3.1.xip
+xip -x Xcode_12.1.xip
```
-### Step 2: Generating `Xcode-11.3.1-11C505-extracted-SDK-with-libcxx-headers.tar.gz` from `Xcode.app`
+### Step 2: Generating `Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz` from `Xcode.app`
-To generate `Xcode-11.3.1-11C505-extracted-SDK-with-libcxx-headers.tar.gz`, run
+To generate `Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz`, run
the script [`gen-sdk`](./gen-sdk) with the path to `Xcode.app` (extracted in the
previous stage) as the first argument.
```bash
-# Generate a Xcode-11.3.1-11C505-extracted-SDK-with-libcxx-headers.tar.gz from
+# Generate a Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz from
# the supplied Xcode.app
./contrib/macdeploy/gen-sdk '/path/to/Xcode.app'
```
@@ -56,7 +56,7 @@ Working macOS DMGs are created in Linux by combining a recent `clang`, the Apple
Apple uses `clang` extensively for development and has upstreamed the necessary
functionality so that a vanilla clang can take advantage. It supports the use of `-F`,
-`-target`, `-mmacosx-version-min`, and `--sysroot`, which are all necessary when
+`-target`, `-mmacosx-version-min`, and `-isysroot`, which are all necessary when
building for macOS.
Apple's version of `binutils` (called `cctools`) contains lots of functionality missing in the
diff --git a/contrib/qos/tc.sh b/contrib/qos/tc.sh
index 8408545a21..1cde19efd1 100644..100755
--- a/contrib/qos/tc.sh
+++ b/contrib/qos/tc.sh
@@ -16,7 +16,7 @@ LOCALNET_V4="192.168.0.0/16"
#defines the IPv6 address space for which you wish to disable rate limiting
LOCALNET_V6="fe80::/10"
-#delete existing rules
+#delete existing rules ('Error: Cannot delete qdisc with handle of zero.' means there weren't any.)
tc qdisc del dev ${IF} root
#add root class
diff --git a/contrib/seeds/generate-seeds.py b/contrib/seeds/generate-seeds.py
index 7630a7a4fa..dbecba7d1d 100755
--- a/contrib/seeds/generate-seeds.py
+++ b/contrib/seeds/generate-seeds.py
@@ -1,5 +1,5 @@
#!/usr/bin/env python3
-# Copyright (c) 2014-2017 Wladimir J. van der Laan
+# Copyright (c) 2014-2021 The Bitcoin Core developers
# Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
'''
@@ -13,19 +13,14 @@ argument:
These files must consist of lines in the format
- <ip>
<ip>:<port>
- [<ipv6>]
[<ipv6>]:<port>
- <onion>.onion
- 0xDDBBCCAA (IPv4 little-endian old pnSeeds format)
+ <onion>.onion:<port>
+ <i2p>.b32.i2p:<port>
The output will be two data structures with the peers in binary format:
- static SeedSpec6 pnSeed6_main[]={
- ...
- }
- static SeedSpec6 pnSeed6_test[]={
+ static const uint8_t chainparams_seed_{main,test}[]={
...
}
@@ -33,24 +28,39 @@ These should be pasted into `src/chainparamsseeds.h`.
'''
from base64 import b32decode
-from binascii import a2b_hex
+from enum import Enum
+import struct
import sys
import os
import re
-# ipv4 in ipv6 prefix
-pchIPv4 = bytearray([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff])
-# tor-specific ipv6 prefix
-pchOnionCat = bytearray([0xFD,0x87,0xD8,0x7E,0xEB,0x43])
-
-def name_to_ipv6(addr):
- if len(addr)>6 and addr.endswith('.onion'):
+class BIP155Network(Enum):
+ IPV4 = 1
+ IPV6 = 2
+ TORV2 = 3 # no longer supported
+ TORV3 = 4
+ I2P = 5
+ CJDNS = 6
+
+def name_to_bip155(addr):
+ '''Convert address string to BIP155 (networkID, addr) tuple.'''
+ if addr.endswith('.onion'):
vchAddr = b32decode(addr[0:-6], True)
- if len(vchAddr) != 16-len(pchOnionCat):
+ if len(vchAddr) == 35:
+ assert vchAddr[34] == 3
+ return (BIP155Network.TORV3, vchAddr[:32])
+ elif len(vchAddr) == 10:
+ return (BIP155Network.TORV2, vchAddr)
+ else:
raise ValueError('Invalid onion %s' % vchAddr)
- return pchOnionCat + vchAddr
+ elif addr.endswith('.b32.i2p'):
+ vchAddr = b32decode(addr[0:-8] + '====', True)
+ if len(vchAddr) == 32:
+ return (BIP155Network.I2P, vchAddr)
+ else:
+ raise ValueError(f'Invalid I2P {vchAddr}')
elif '.' in addr: # IPv4
- return pchIPv4 + bytearray((int(x) for x in addr.split('.')))
+ return (BIP155Network.IPV4, bytes((int(x) for x in addr.split('.'))))
elif ':' in addr: # IPv6
sub = [[], []] # prefix, suffix
x = 0
@@ -67,13 +77,12 @@ def name_to_ipv6(addr):
sub[x].append(val & 0xff)
nullbytes = 16 - len(sub[0]) - len(sub[1])
assert((x == 0 and nullbytes == 0) or (x == 1 and nullbytes > 0))
- return bytearray(sub[0] + ([0] * nullbytes) + sub[1])
- elif addr.startswith('0x'): # IPv4-in-little-endian
- return pchIPv4 + bytearray(reversed(a2b_hex(addr[2:])))
+ return (BIP155Network.IPV6, bytes(sub[0] + ([0] * nullbytes) + sub[1]))
else:
raise ValueError('Could not parse address %s' % addr)
-def parse_spec(s, defaultport):
+def parse_spec(s):
+ '''Convert endpoint string to BIP155 (networkID, addr, port) tuple.'''
match = re.match(r'\[([0-9a-fA-F:]+)\](?::([0-9]+))?$', s)
if match: # ipv6
host = match.group(1)
@@ -85,17 +94,42 @@ def parse_spec(s, defaultport):
(host,_,port) = s.partition(':')
if not port:
- port = defaultport
+ port = 0
else:
port = int(port)
- host = name_to_ipv6(host)
-
- return (host,port)
+ host = name_to_bip155(host)
-def process_nodes(g, f, structname, defaultport):
- g.write('static SeedSpec6 %s[] = {\n' % structname)
- first = True
+ if host[0] == BIP155Network.TORV2:
+ return None # TORV2 is no longer supported, so we ignore it
+ else:
+ return host + (port, )
+
+def ser_compact_size(l):
+ r = b""
+ if l < 253:
+ r = struct.pack("B", l)
+ elif l < 0x10000:
+ r = struct.pack("<BH", 253, l)
+ elif l < 0x100000000:
+ r = struct.pack("<BI", 254, l)
+ else:
+ r = struct.pack("<BQ", 255, l)
+ return r
+
+def bip155_serialize(spec):
+ '''
+ Serialize (networkID, addr, port) tuple to BIP155 binary format.
+ '''
+ r = b""
+ r += struct.pack('B', spec[0].value)
+ r += ser_compact_size(len(spec[1]))
+ r += spec[1]
+ r += struct.pack('>H', spec[2])
+ return r
+
+def process_nodes(g, f, structname):
+ g.write('static const uint8_t %s[] = {\n' % structname)
for line in f:
comment = line.find('#')
if comment != -1:
@@ -103,14 +137,14 @@ def process_nodes(g, f, structname, defaultport):
line = line.strip()
if not line:
continue
- if not first:
- g.write(',\n')
- first = False
- (host,port) = parse_spec(line, defaultport)
- hoststr = ','.join(('0x%02x' % b) for b in host)
- g.write(' {{%s}, %i}' % (hoststr, port))
- g.write('\n};\n')
+ spec = parse_spec(line)
+ if spec is None: # ignore this entry (e.g. no longer supported addresses like TORV2)
+ continue
+ blob = bip155_serialize(spec)
+ hoststr = ','.join(('0x%02x' % b) for b in blob)
+ g.write(f' {hoststr},\n')
+ g.write('};\n')
def main():
if len(sys.argv)<2:
@@ -124,14 +158,13 @@ def main():
g.write(' * List of fixed seed nodes for the bitcoin network\n')
g.write(' * AUTOGENERATED by contrib/seeds/generate-seeds.py\n')
g.write(' *\n')
- g.write(' * Each line contains a 16-byte IPv6 address and a port.\n')
- g.write(' * IPv4 as well as onion addresses are wrapped inside an IPv6 address accordingly.\n')
+ g.write(' * Each line contains a BIP155 serialized (networkID, addr, port) tuple.\n')
g.write(' */\n')
with open(os.path.join(indir,'nodes_main.txt'), 'r', encoding="utf8") as f:
- process_nodes(g, f, 'pnSeed6_main', 8333)
+ process_nodes(g, f, 'chainparams_seed_main')
g.write('\n')
with open(os.path.join(indir,'nodes_test.txt'), 'r', encoding="utf8") as f:
- process_nodes(g, f, 'pnSeed6_test', 18333)
+ process_nodes(g, f, 'chainparams_seed_test')
g.write('#endif // BITCOIN_CHAINPARAMSSEEDS_H\n')
if __name__ == '__main__':
diff --git a/contrib/seeds/nodes_main.txt b/contrib/seeds/nodes_main.txt
index 7b97436013..f7bfb6eb0a 100644
--- a/contrib/seeds/nodes_main.txt
+++ b/contrib/seeds/nodes_main.txt
@@ -650,515 +650,39 @@
[2a0f:df00:0:254::46]:8333
[2c0f:f598:5:1:1001::1]:8333
[2c0f:fce8:0:400:b7c::1]:8333
-226eupdnaouu4h2v.onion:8333
-22h7b6f3caabqqsu.onion:8333
-23wdfqkzttmenvki.onion:8333
-23yi3frxymtwdgre.onion:8333
-2ajon3moyf4i2hbb.onion:8333
-2bfmlpk55hffpl6e.onion:8333
-2ckmbf6sglwydeth.onion:8333
-2hkusi5gcaautwqf.onion:8333
-2ivhmlbxbgnkcykl.onion:8333
-2mmxouhv6nebowkq.onion:8333
-2qsnv6exnuuiar7z.onion:8333
-2qudbhlnvqpli3sz.onion:8333
-2ujxdfovfyjpmdto.onion:8333
-2xdgeufrek3eumkw.onion:8333
-2xdzsruhsej4tsiw.onion:8333
-34ran2woq4easmss.onion:8333
-36q7khhej2lxd3wf.onion:8333
-373wjdspuo52utzq.onion:8333
-376klet5xqbrg2jv.onion:8333
-37kwd7fxop766l5k.onion:8333
-3e5t7hq4alt5tovx.onion:8333
-3gbxhebfhouuwgc3.onion:8333
-3hgbjze2nbwyuewf.onion:8333
-3iuuvrd2waha2cxo.onion:8333
-3jtxujdaiwh6iltu.onion:8333
-3l5eq2du7mvscj4a.onion:8333
-3nofngnqlqeehn7o.onion:8333
-3r44ddzjitznyahw.onion:8333
-3vtbuwmton7vq5qz.onion:8333
-46ohzttz4peki43g.onion:8333
-47fl3ivl4v56jstr.onion:8333
-47i6qrl2ijqcwlg6.onion:8333
-47uupgzcnrwahoto.onion:8333
-4c5cki37evofds6d.onion:8333
-4eq36jrx7xuytfpc.onion:8333
-4ewkdxvcg57adrni.onion:8333
-4flvgibnm2nld3na.onion:8333
-4iaontym47imawe4.onion:8333
-4jxz37oou5ag763c.onion:8333
-4mnkvj6ha73eqnbk.onion:8333
-4nnuyxm5k5tlyjq3.onion:8333
-4nz2yg4cnote3ej7.onion:8333
-4pozwh6564ygzddk.onion:8333
-4qgfb56rvpbmesx7.onion:8333
-4rsax23taqzwmimj.onion:8333
-4u5j5ay6rasowt4m.onion:8333
-4vorvtoyegh4zbvr.onion:8333
-52s4j5pldwlpzhtw.onion:8333
-5abpiiqfvekoejro.onion:8333
-5aydzxx6jyoz3nez.onion:8333
-5cxzdsrtok5dgo4a.onion:8333
-5eduikpudie3jyrf.onion:8333
-5epeafkmya4fv5d5.onion:8333
-5fyxlztic3t6notz.onion:8333
-5hd6eyew5ybnq6gb.onion:8333
-5jyfzhwksb6urrp2.onion:8333
-5nooqgct567ig57v.onion:8333
-5nsfm4nqqzzprjrp.onion:8333
-5oqstxspzhlgjef6.onion:8333
-5pzzmd4tfonrqzb2.onion:8333
-5sckmx4yucbnp4io.onion:8333
-5ue7worzbn6hon3e.onion:8333
-5wxhx2tozpovf6z3.onion:8333
-5xk3yun36e32e34i.onion:8333
-5zght2g7vcsapi65.onion:8333
-62dcdpvdolfzkdzl.onion:8333
-63bko2mhixnn2b7d.onion:8333
-67hjvfv6wictalm5.onion:8333
-6g6ko4klkf5atldi.onion:8333
-6k5zreexw4cadxi5.onion:8333
-6kf5ayhlpenywgas.onion:8333
-6maigxjvcet4pite.onion:8333
-6ressv4dvplb5ihh.onion:8333
-6rjex6gyuaui3c5e.onion:8333
-6skgnf43pphdvjua.onion:8333
-6stxaoduwisg5sqh.onion:8333
-6xqy4ts6bo6u5dgm.onion:8333
-7avnl3dqpgu23jva.onion:8333
-7ff4wk266no23txn.onion:8333
-7hipbuzfdcyzqkkg.onion:8333
-7sjmlzrthjlpfydk.onion:8333
-7tut3zt2akwrmw6x.onion:8333
-7uhsjzj6nx3dfnxt.onion:8333
-7wm4wso3wvatxnbt.onion:8333
-7ykmzuybwd2ptzg4.onion:8333
-a27bvhina4y23jxo.onion:8333
-a53vtdm7uiet5vdl.onion:8333
-a56572xjuofnt2dp.onion:8333
-abp25knifdsnc2rv.onion:8333
-aefx7ubzpal7clak.onion:8333
-ai5r2diozoe7rrdz.onion:8333
-aipupphit3enggpj.onion:8333
-algpjjygd3gtnmpp.onion:8333
-alihua7rhyc452hr.onion:8333
-am3gyyfynxzwyxhx.onion:8333
-ankozzfhl2r3uc6u.onion:8333
-at3twjlbtc2lqnq5.onion:8333
-avqobl72pmc64dyi.onion:8333
-awmdz2fs3b5h5ut5.onion:8333
-ayywpiy77butdjrj.onion:8333
-b2i3pj7c24cvprs7.onion:8333
-b4ilebyxcu6nttio.onion:8333
-b4vvkbqipcmkwp4v.onion:8333
-bddfqxps5ibd3ftw.onion:8333
-be5bgcpo4ooux5qy.onion:8333
-bgla4m6zetvtv7ls.onion:8333
-bh32gzw3nyckzqut.onion:8333
-bho4kodpehn7xr3x.onion:8333
-bitcoin4rlfa4wqx.onion:8333
-biw7s6jf6r2mf3cu.onion:8333
-bk7yp6epnmcllq72.onion:8333
-blcktrgve5vetjsk.onion:8333
-blwbp7gfdffdsx4g.onion:8333
-bnxn6qqc55gvn5op.onion:8333
-bp7o22lvcjawelvv.onion:8333
-bqqyqucgj4tchn64.onion:8333
-bvdzmutcqf7gzzn5.onion:8333
-c36zmegjkinftmtf.onion:8333
-c4fn62gnltlgrptv.onion:8333
-caael5yedviooqzk.onion:8333
-caq54ablfbrnumdd.onion:8333
-cernrmrk5zomzozn.onion:8333
-chri6itgjaagof4t.onion:8333
-cncwik3tnd2ejm5z.onion:8333
-cuyjqoziemcmwaxl.onion:8333
-cx7qa2gpqyp7pld5.onion:8333
-czp7wgaus4gvio72.onion:8333
-d2fn54rfyjdangi4.onion:8333
-d2sk45u6ca64yeqh.onion:8333
-d3aowmngvktsziae.onion:8333
-d5iu4aiz3y2kgcgj.onion:8333
-d6zbw2sxnxgj5sv3.onion:8333
-db5rd5e46t7mgini.onion:8333
-dci2gulorl44yj55.onion:8333
-ddpth2mwt3rsvoog.onion:8333
-dfrwza7fcecknnms.onion:8333
-djwhjfj4rh3oz3yj.onion:8333
-dkk5mmpe5jtjodk5.onion:8333
-doj3zgmsbzurmqgp.onion:8333
-dpce4f3rcqddzbx5.onion:8333
-drwo3vnxch5ozfbo.onion:8333
-duikkidxip3lyexn.onion:8333
-duqdliptc22i6hf5.onion:8333
-duyp4coh5d7nh3ud.onion:8333
-duz5two3z7c55lxj.onion:8333
-dvu6dlar6ezc6xen.onion:8333
-dy6zqs46ycleayyp.onion:8333
-dz2ydmj3yqrcm4r7.onion:8333
-e2b2a5suvdawzxud.onion:8333
-e33h57j2ewkkqsn5.onion:8333
-e5kjiay7pzj5qpzv.onion:8333
-e7iko42d2wzcmvy4.onion:8333
-ea6boh4kotq56ws5.onion:8333
-efdx6gc4s5ezyqeg.onion:8333
-efrpuuic6ukeyqcs.onion:8333
-egruc3bi3itru6gq.onion:8333
-erc6tjs2ucyadl23.onion:8333
-eue2n5sk5tktg5bv.onion:8333
-ezkr7stq4w7ohjrt.onion:8333
-f3nyyjba6kpxznhk.onion:8333
-faq73vj4pcs73thu.onion:8333
-fdvtlj3pscbxuh75.onion:8333
-fgdpxov4nzxvhcpv.onion:8333
-fisqq6vzk3m6t225.onion:8333
-fkgp3qwegacrd2bj.onion:8333
-fo3tdfwx27takqq5.onion:8333
-fqkxtchwypispkpv.onion:8333
-fqunuhlwvd7rq6d5.onion:8333
-frwt5mscpyhiuwpe.onion:8333
-fta4gfjiuv6f2le2.onion:8333
-fuoy2ipuqrqwe5cf.onion:8333
-fz6nsij6jiyuwlsc.onion:8333
-g3vlnaaaog5sgui5.onion:8333
-g44i6jwsutkwmspz.onion:8333
-g55t65d5ckjixcnw.onion:8333
-gajd6eyrl2qwkfmg.onion:8333
-gblue3hr53p4grx7.onion:8333
-gbpro5tzduiuff4v.onion:8333
-gc4l3tql32qhfgmi.onion:8333
-gcnlorvtpycuajc6.onion:8333
-gdsib2nk2eeoidgc.onion:8333
-ge5gm7c6w7yahpz7.onion:8333
-gegcteeep4cwftl5.onion:8333
-gfoyraudgv5qjdku.onion:8333
-ggpbuypmxgi26lc6.onion:8333
-ghqivye7cfckisnt.onion:8333
-girakxomne5fby64.onion:8333
-glz5gfk33tuug5ne.onion:8333
-gplatxoyg5nxl5rj.onion:8333
-gripl5xjwy2dcr6c.onion:8333
-gthhzlmqci22nxru.onion:8333
-gto2d64swosfmk6c.onion:8333
-guaciney52mgcbp2.onion:8333
-gwktgrmtwk6nv5sc.onion:8333
-gwoxnokdcwc7hy4p.onion:8333
-h333f4qnwe7mrymn.onion:8333
-h6a32n4blbwwyn4d.onion:8333
-hafwtrbooszoembm.onion:8333
-hbwhgsb3eeinnr6t.onion:8333
-hcv6foxh5mk7fhb5.onion:8333
-hd6hktcl6wamzlzm.onion:8333
-hda6msa4v4rt77gx.onion:8333
-hdgnxkuqsd6wjwwx.onion:8333
-hgh3azn3eesddvcg.onion:8333
-hhyxu6bwkjefejoz.onion:8333
-hizn6rmofsg3upmn.onion:8333
-hjqxxsy2osemfvev.onion:8333
-hkbp7mbgw6klls4s.onion:8333
-hlojuwiwbkoj4kdz.onion:8333
-hlzxsjr7ob3qzzqq.onion:8333
-hniuzplezebyhv7a.onion:8333
-hondewkj4s4rdcwf.onion:8333
-hql5nv6vhceid3bn.onion:8333
-hspjo7mqrre5gyxr.onion:8333
-hu64s2mdr3x7yxka.onion:8333
-hvwvq2swkqw3qvyo.onion:8333
-hwo2biyndrrvpl6f.onion:8333
-hzxj3dth3y2xt45o.onion:8333
-i3ufxuw3t7cxfdpq.onion:8333
-ia3n3q5u45gvpx7a.onion:8333
-icfgs3fctckd4yeo.onion:8333
-icpz6thqvdjcwlvb.onion:8333
-if32zo5u4mhdunfd.onion:8333
-ig4lguql6vxkbmmr.onion:8333
-ihhcr7fhczqdac4y.onion:8333
-ijm2tyxob7vkvazz.onion:8333
-ip3puuqghumfz5ww.onion:8333
-iq3ket72f3y2frpg.onion:8333
-iqagt5co4dt7h6hf.onion:8333
-iugw42ih6hprqr26.onion:8333
-ivf774v4t7k63i6d.onion:8333
-ivfacdf7cig2z2y2.onion:8333
-ivsxdwku5og2zj4l.onion:8333
-ixwgrhaklvu4g6o7.onion:8333
-iz56moo6mkp3g7xo.onion:8333
-j2cp5muw5j3lumcx.onion:8333
-j2lrkrwugldwewws.onion:8333
-j2qtmkd2dablssz4.onion:8333
-j5e2yuan57v2h5el.onion:8333
-j5jfrdthqt5g25xz.onion:8333
-j5lk2uv2bspfqxfk.onion:8333
-janvvzsmzcsj3fil.onion:8333
-jenn2tmyl3xxarmq.onion:8333
-jfoe5f2sczojfp32.onion:8333
-jgcgi6k2pxooi5q3.onion:8333
-jhana24s3dzkitzp.onion:8333
-jitgulb24mvfqrdg.onion:8333
-jjuvwbjfzljmn7t3.onion:8333
-jlcfomgr5xfexaif.onion:8333
-jlehs6ybb26qlnna.onion:8333
-jljzz4tmbqrxq3q5.onion:8333
-joc4oqceedkg77vf.onion:8333
-jr5y6njubcbv6g37.onion:8333
-jroaos6la4vieho4.onion:8333
-jsmphgkay7iihbkr.onion:8333
-jtksnokusbzms7wl.onion:8333
-ju5duo3r6p6diznc.onion:8333
-jw6zymxcnebahuuj.onion:8333
-jxalvhf7w7wevqzw.onion:8333
-jyzhe3ig44ickysb.onion:8333
-jze6ukn4idrh44eo.onion:8333
-k4glotlxnmttb6ct.onion:8333
-k7uy3iwmvguzygd2.onion:8333
-kl23ofag3ukb6hxl.onion:8333
-kokt2qr6d4pmyb2d.onion:8333
-kpalu3h5ydkoaivs.onion:8333
-krdpbdvtqw5c5lee.onion:8333
-kriw6kzjzarzgb3g.onion:8333
-krp2thcmwrpsoue6.onion:8333
-kvyvdwjwtae5mo77.onion:8333
-kyrxri5rbr6ipurs.onion:8333
-kz3oxg7745dxt62q.onion:8333
-l3w5fcki2wbro2qb.onion:8333
-l44bisuxhh7reb5q.onion:8333
-l565g523emjebusj.onion:8333
-l6w5kdeigwsgnf5t.onion:8333
-l7a4emryfxkjgmmb.onion:8333
-l7sloscjqqbifcsw.onion:8333
-laafjqvtog7djfl2.onion:8333
-lah676kxbgbgw3u2.onion:8333
-lbq2a7pnpmviw2qo.onion:8333
-lc4wnpql27vymi35.onion:8333
-ldoffbfpk3j6c7y7.onion:8333
-lehpmglkivobq2qo.onion:8333
-lgewpjz7ie7daqqr.onion:8333
-lgkvbvro67jomosw.onion:8333
-liw5z4ngic6b7vnv.onion:8333
-ljs7gwrmmza6q6ga.onion:8333
-lmvax3e6awaxvhqi.onion:8333
-lrz77dwf7yq4cgnt.onion:8333
-lva54pnbq2nsmjyr.onion:8333
-lxc2uphxyyxflhnf.onion:8333
-lyjybdr4hmj3bqab.onion:8333
-lz2zlnmyynwtgwf2.onion:8333
-m6hcnpikimyh37yp.onion:8333
-md635omjnrgheed3.onion:8333
-mdb3oupwf4f2qyjb.onion:8333
-me6d4esx7ohdnxne.onion:8333
-mecfkik5ci47wckj.onion:8333
-mfrvevn7w6rwsp4r.onion:8333
-mimuutlew5srtduk.onion:8333
-mnysk3izxvra3huv.onion:8333
-mqu6gqtrhm6xzwwh.onion:8333
-mwuc6vom4ngijtb3.onion:8333
-mxdtrjhe2yfsx3pg.onion:8333
-n4ibet4piscv22nj.onion:8333
-n6d46vbzx43bevlb.onion:8333
-n6t6kfgzlvozxhfm.onion:8333
-n7rrochwerf2qxze.onion:8333
-ncsdiqmnxhnnjbsz.onion:8333
-nitxw3ilffngpumv.onion:8333
-njlsvubildehluwr.onion:8333
-njslfsivyyhixbsp.onion:8333
-nkf5e6b7pl4jfd4a.onion:8333
-nkppsb3t3ducje6m.onion:8333
-nlfwyqksmeqe45zz.onion:8333
-nlyjmpcmpaz5b4aa.onion:8333
-nnmv7z65k65mcesr.onion:8333
-nrrfwdmrm3imuebn.onion:8333
-nrrmkgmulpgsbwlt.onion:8333
-nw4h7leckut7eapv.onion:8333
-nwky3wd3ihoidvb5.onion:8333
-ny4kkemmmqv4lptm.onion:8333
-o25wkcw7eorg2toi.onion:8333
-o2gumvbkw6pm45cf.onion:8333
-o4yjshdwlbshylqw.onion:8333
-ofx4qgw6lppnvtgv.onion:8333
-oketipl4gndqcaus.onion:8333
-oq5q4qrqijr2kpun.onion:8333
-oqw3mfoiobqcklxh.onion:8333
-orsy2v63ecrmdj55.onion:8333
-ot4tzmznyimmlszk.onion:8333
-owk6c2jfthwkyahe.onion:8333
-oy7ss3hm2okx4tun.onion:8333
-p2pc6wbaepvdi6ce.onion:8333
-p2x24gdhasmgcl5j.onion:8333
-p6couujr2ndhllv3.onion:8333
-pa7dw5bln5lqmu53.onion:8333
-pasmchtoooj2kchd.onion:8333
-pdapkkhk6pbcy2tj.onion:8333
-peh5ajouuw6mw4sr.onion:8333
-pkuuc5pwl5xygwhr.onion:8333
-pq4wjl7vg7tsfycc.onion:8333
-ptbwqhusps5qieql.onion:8333
-ptwpbwyj5lnyew2f.onion:8333
-pu7w3jfyrzp7sxsi.onion:8333
-pwylbyvfuc62hhvx.onion:8333
-q2fhnnyt5b2ayvce.onion:8333
-q3i3apuionbazmfe.onion:8333
-qd6fcpu3pvbf2y3x.onion:8333
-qfewv3y7a3p4i3bd.onion:8333
-qhytdttflhbc4rsh.onion:8333
-qkn35rb3x2gxbwq4.onion:8333
-qlvlexs7pwac2f4b.onion:8333
-qogcqirtuta6rlxg.onion:8333
-qrzqfxkhrmu5v5ro.onion:8333
-qsyjasq46b2syiys.onion:8333
-quu4b2zjbnr2ue4y.onion:8333
-quycfj2wenz6bfyd.onion:8333
-qvdy3cmocnlv5v7c.onion:8333
-qvwhpqygan2xky5h.onion:8333
-qyutwc26ullujafb.onion:8333
-r45qg2d6iwfdhqwl.onion:8333
-r4xudr6u4r5nyga4.onion:8333
-r6apa5ssujxbwd34.onion:8333
-r6z2gcsu37k3gaah.onion:8333
-rbrjgfcca6v5b7yo.onion:8333
-rcifxibawqt6rxzz.onion:8333
-rdo3xctk3zkzjvln.onion:8333
-rdvlepy6ghgpapzo.onion:8333
-recs3a27chv2lg65.onion:8333
-rfmbiy5vztvn6hyn.onion:8333
-rli5lbje4k77inzw.onion:8333
-roqwnmepcj453vfh.onion:8333
-rpbnx54qniivrmh3.onion:8333
-rsvvogqdlijp77hv.onion:8333
-rwm5d4hg3hc77kdt.onion:8333
-s3yelkvc5f5xeysw.onion:8333
-s6rx52hitmpp4lge.onion:8333
-sa6m3rvycipgemky.onion:8333
-savebeesmkivmfbo.onion:8333
-sbyjr5npk2mlmfw7.onion:8333
-serwj42jme5xhhmw.onion:8333
-sg4vmubv3djrzvuh.onion:8333
-shsgksluz6jkgp6g.onion:8333
-sjyzmwwu6diiit3r.onion:8333
-sk3en3reudg3sdg5.onion:8333
-skoifp4oj7l4osu5.onion:8333
-sle2caplkln33e7y.onion:8333
-smdd7q7gonajdmjq.onion:8333
-spmhuxjb2cd7leun.onion:8333
-srkgyv5edn2pa7il.onion:8333
-sslnjjhnmwllysv4.onion:8333
-su66ygras6rkdtnl.onion:8333
-sundvmbjrtgdfahx.onion:8333
-svd65k5jpal2p3lt.onion:8333
-svua5hiqluw7o2sw.onion:8333
-sxqjubmum4rmfgpu.onion:8333
-t245vi742ti3tnka.onion:8333
-t4fbovvgzpnimd2p.onion:8333
-t4l4wv3erkhpde2p.onion:8333
-t5qchwbr6u5v2agk.onion:8333
-t7jlaj6ggyx7s5vy.onion:8333
-ta6sjeqyb27f4n4a.onion:8333
-tav7utpw4pfy7j6k.onion:8333
-taxg5z2sxfm5c4d6.onion:8333
-tekwvnbodbzrlufs.onion:8333
-tg4uwrjmtr2jlbjy.onion:8333
-th4cjvffjtw6vomu.onion:8333
-th6fxymtwnfifqeu.onion:8333
-thtchhl25u26nglq.onion:8333
-tiiah7csuoklcvi6.onion:8333
-tk63x5fk3337z3ud.onion:8333
-tkgootat6cqn7vyy.onion:8333
-tnj565wwqz5wpjvs.onion:8333
-ts6qx37mmpu6nj5y.onion:8333
-ttjisvxydgbtp56f.onion:8333
-twn54v7ra2xjgd55.onion:8333
-txem5meug24g2ezd.onion:8333
-tyiunn36lmfcq5lr.onion:8333
-tyv56xs6g6ndzqux.onion:8333
-u47f3hxwq65sgs4o.onion:8333
-u4r7fnholrdwwlni.onion:8333
-u556ofb3myarafwn.onion:8333
-u5q3gbz4qpz4wvlr.onion:8333
-uakly3ydrevvpxwi.onion:8333
-ug6hapi4qtekzc7v.onion:8333
-ui553qotd6ron3rf.onion:8333
-uir7f3wltoka6bbb.onion:8333
-ukrjjhwodl44wmof.onion:8333
-ul5gm2ixy7kqdfwg.onion:8333
-undd7rsj4pen3wo4.onion:8333
-uorwpzfehtykrg43.onion:8333
-uovsp2yltnaojq6l.onion:8333
-usazmdcs32ny24dy.onion:8333
-usazs7glm7geyxkl.onion:8333
-uss2kedg7qkwgdr5.onion:8333
-utgyrvw75wv2nymi.onion:8333
-uzwacms7kyzhehbl.onion:8333
-v2kdcetvslmdfcwr.onion:8333
-v5lhnzzv6nngfg5d.onion:8333
-vc44gb4veppobrt3.onion:8333
-vfwyhju43wxhzvux.onion:8333
-vgujufk53lqyolio.onion:8333
-vheejqq2v5dkb4xr.onion:8333
-vj64edev4jnqfdsb.onion:8333
-vmai5uigezr2khkj.onion:8333
-vmuykd7sxbmi7w57.onion:8333
-vomeacttinx3mpml.onion:8333
-vpow2xofg3fwzsdq.onion:8333
-vsawli4l5ifxdzaw.onion:8333
-vunubqkfms7sifok.onion:8333
-vuombnevwul4bqsb.onion:8333
-vxcpvdng65aefz6t.onion:8333
-vyxoizdzavp3obau.onion:8333
-wbeon2ci7lfio6ay.onion:8333
-wbwevew62mgsrrdz.onion:8333
-wfaydlg6zyfzjcu5.onion:8333
-wfz56s5lyn5dysez.onion:8333
-wg3mq4ugyy2gx32b.onion:8333
-whky54bctkf2n4p3.onion:8333
-whmjanqoyzizzc4t.onion:8333
-wlhou2wxgqyi3x3f.onion:8333
-wlvkfrplfiioz22o.onion:8333
-x3ngb3va7dovuenw.onion:8333
-x57x62bmmnylvo7r.onion:8333
-xgvm57mhgv564dka.onion:8333
-xhs3glfwnwiumivn.onion:8333
-xje5fwvyfdue2u6k.onion:8333
-xlgubgyly2blvsg5.onion:8333
-xnlu3tvakngy7tkp.onion:8333
-xo5marilhuyo7but.onion:8333
-xsaaxihdygnwxrix.onion:8333
-xu5mlugdsmzfkvzh.onion:8333
-xvrxqcptqvieedb2.onion:8333
-xwzhrrygftq3q4w4.onion:8333
-y4swmsaxdcos2bnu.onion:8333
-y5tl4lqi365pplud.onion:8333
-y5wzeqyaets5na6t.onion:8333
-y73qk2mzkjkhoky7.onion:8333
-y7oz3ydnvib4xhbb.onion:8333
-yah7qgfqqrteoche.onion:8333
-yba4brm555denlt7.onion:8333
-ygeqkg4inplsace3.onion:8333
-yjhnfu75lazbi34h.onion:8333
-yjw7kqapxx5vggoj.onion:8333
-ym7inmovbrna4gco.onion:8333
-yq5cusnuokscy64z.onion:8333
-yrcaioqrqrdwokqt.onion:8333
-yrcr7pgjuazad254.onion:8333
-yrksvon3tmvoohdv.onion:8333
-ytpus4vx5w7j6wp2.onion:8333
-ytqcigk2hhdl45ho.onion:8333
-yxojl3xmjus3dik2.onion:8333
-yzdqdsqx4fdung6w.onion:8333
-z33nukt7ngik3cpe.onion:8333
-z3ywbadw46ndnxgh.onion:8333
-z6mbqq7llxlrn4kq.onion:8333
-zb3lrcksn4rzhzje.onion:8333
-ze7odp7pzarjplsr.onion:8333
-zgbmhtbja4fy2373.onion:8333
-zh7hvalcgvjpoaqm.onion:8333
-ziztvxehmj5mehpg.onion:8333
-zjii3yecdrmq73y3.onion:8333
-zkrwmgjuvsza6ye2.onion:8333
-zoz2aopwi3wfuqwg.onion:8333
-ztdcfnh46773bivu.onion:8333
-zuxhc6d3nwpgc4af.onion:8333
-zuytrfevzjcpizli.onion:8333
-zvq6dpt3i2ofdp3g.onion:8333
-zwwm6ga7u2hqe2sd.onion:8333
-zyqb4lenfspntj5m.onion:8333
+
+# manually added 2021-03 for minimal torv3 bootstrap support
+2g5qfdkn2vvcbqhzcyvyiitg4ceukybxklraxjnu7atlhd22gdwywaid.onion:8333
+2jmtxvyup3ijr7u6uvu7ijtnojx4g5wodvaedivbv74w4vzntxbrhvad.onion:8333
+37m62wn7dz3uqpathpc4qfmgrbupachj52nt3jbtbjugpbu54kbud7yd.onion:8333
+5g72ppm3krkorsfopcm2bi7wlv4ohhs4u4mlseymasn7g7zhdcyjpfid.onion:8333
+7cgwjuwi5ehvcay4tazy7ya6463bndjk6xzrttw5t3xbpq4p22q6fyid.onion:8333
+7pyrpvqdhmayxggpcyqn5l3m5vqkw3qubnmgwlpya2mdo6x7pih7r7id.onion:8333
+b64xcbleqmwgq2u46bh4hegnlrzzvxntyzbmucn3zt7cssm7y4ubv3id.onion:8333
+ejxefzf5fpst4mg2rib7grksvscl7p6fvjp6agzgfc2yglxnjtxc3aid.onion:8333
+fjdyxicpm4o42xmedlwl3uvk5gmqdfs5j37wir52327vncjzvtpfv7yd.onion:8333
+fpz6r5ppsakkwypjcglz6gcnwt7ytfhxskkfhzu62tnylcknh3eq6pad.onion:8333
+fzhn4uoxfbfss7h7d6ffbn266ca432ekbbzvqtsdd55ylgxn4jucm5qd.onion:8333
+gxo5anvfnffnftfy5frkgvplq3rpga2ie3tcblo2vl754fvnhgorn5yd.onion:8333
+ifdu5qvbofrt4ekui2iyb3kbcyzcsglazhx2hn4wfskkrx2v24qxriid.onion:8333
+itz3oxsihs62muvknc237xabl5f6w6rfznfhbpayrslv2j2ubels47yd.onion:8333
+lrjh6fywjqttmlifuemq3puhvmshxzzyhoqx7uoufali57eypuenzzid.onion:8333
+m7cbpjolo662uel7rpaid46as2otcj44vvwg3gccodnvaeuwbm3anbyd.onion:8333
+opnyfyeiibe5qo5a3wbxzbb4xdiagc32bbce46owmertdknta5mi7uyd.onion:8333
+owjsdxmzla6d7lrwkbmetywqym5cyswpihciesfl5qdv2vrmwsgy4uqd.onion:8333
+q7kgmd7n7h27ds4fg7wocgniuqb3oe2zxp4nfe4skd5da6wyipibqzqd.onion:8333
+rp7k2go3s5lyj3fnj6zn62ktarlrsft2ohlsxkyd7v3e3idqyptvread.onion:8333
+sys54sv4xv3hn3sdiv3oadmzqpgyhd4u4xphv4xqk64ckvaxzm57a7yd.onion:8333
+tddeij4qigtjr6jfnrmq6btnirmq5msgwcsdpcdjr7atftm7cxlqztid.onion:8333
+vi5bnbxkleeqi6hfccjochnn65lcxlfqs4uwgmhudph554zibiusqnad.onion:8333
+xqt25cobm5zqucac3634zfght72he6u3eagfyej5ellbhcdgos7t2had.onion:8333
+
+# manually added 2021-05 for minimal i2p bootstrap support
+72l3ucjkuscrbiiepoehuwqgknyzgo7zuix5ty4puwrkyhtmnsga.b32.i2p:0
+c4gfnttsuwqomiygupdqqqyy5y5emnk5c73hrfvatri67prd7vyq.b32.i2p:0
+gehtac45oaghz54ypyopim64mql7oad2bqclla74l6tfeolzmodq.b32.i2p:0
+h3r6bkn46qxftwja53pxiykntegfyfjqtnzbm6iv6r5mungmqgmq.b32.i2p:0
+hnbbyjpxx54623l555sta7pocy3se4sdgmuebi5k6reesz5rjp6q.b32.i2p:0
+pjs7or2ctvteeo5tu4bwyrtydeuhqhvdprtujn4daxr75jpebjxa.b32.i2p:0
+wwbw7nqr3ahkqv62cuqfwgtneekvvpnuc4i4f6yo7tpoqjswvcwa.b32.i2p:0
+zsxwyo6qcn3chqzwxnseusqgsnuw3maqnztkiypyfxtya4snkoka.b32.i2p:0
diff --git a/contrib/seeds/nodes_test.txt b/contrib/seeds/nodes_test.txt
index 98365ee505..118bec280e 100644
--- a/contrib/seeds/nodes_test.txt
+++ b/contrib/seeds/nodes_test.txt
@@ -1,11 +1,16 @@
# List of fixed seed nodes for testnet
# Onion nodes
-thfsmmn2jbitcoin.onion
-it2pj4f7657g3rhi.onion
-nkf5e6b7pl4jfd4a.onion
-4zhkir2ofl7orfom.onion
-t6xj6wilh4ytvcs7.onion
-i6y6ivorwakd7nw3.onion
-ubqj4rsu3nqtxmtp.onion
+35k2va6vyw4oo5ly2quvcszgdqr56kcnfgcqpnpcffut4jn3mhhwgbid.onion:18333
+blo2esfvk2rr7sr4jspmu3vt2vpgr5rigflsj645fnku7v4qmljurtid.onion:18333
+fuckcswupr5rmlvx2kqqrrosxvjyong4hatmuvxsvtcwe4dsh5rus7qd.onion:18333
+gblylyacjlitd2ywdmo2qqylwtdky7kgeqfvlhiw4zdag4x62tx54hyd.onion:18333
+gzwpduv33l7yze3bcdzj3inebiyjwddjnwvnjhh5wvnv4me76mjt2kad.onion:18333
+h3rphzofxzq52tb63mg5f6kc4my3fkcrgh3m5qryeatts43iljbawiid.onion:18333
+kf4qlhek34b3kgyxyodlmvgm4bxfrjsbjtgayyaiuyhr2eoyfgtm3bad.onion:18333
+mc7k47ndjvvhcgs54wmjzxvate4rtuybbjoryikdssjhcxlx27psbyqd.onion:18333
+mrhiniicugfo7mgrwv3wtolk3tptlcw2uq7ih6sq43fa4k4zbilut3yd.onion:18333
+uiudyws3qizgmepfoh7wwjmsoxoxut4qrmotjjhrn247xnjopr7sfcid.onion:18333
+zc2wvoqcezcrf64trji6jmhtss34a5ds5ntzdhqegzvex3ynrd7nxcad.onion:18333
+zd5m3dgdn46naj36pxvvcalfw2paecle6sdxq64ptwxtxjomkywpklqd.onion:18333
diff --git a/contrib/shell/git-utils.bash b/contrib/shell/git-utils.bash
new file mode 100644
index 0000000000..37bac1f38d
--- /dev/null
+++ b/contrib/shell/git-utils.bash
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+git_root() {
+ git rev-parse --show-toplevel 2> /dev/null
+}
+
+git_head_version() {
+ local recent_tag
+ if recent_tag="$(git describe --exact-match HEAD 2> /dev/null)"; then
+ echo "${recent_tag#v}"
+ else
+ git rev-parse --short=12 HEAD
+ fi
+}
diff --git a/contrib/shell/realpath.bash b/contrib/shell/realpath.bash
new file mode 100644
index 0000000000..389b77b562
--- /dev/null
+++ b/contrib/shell/realpath.bash
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+# Based on realpath.sh written by Michael Kropat
+# Found at: https://github.com/mkropat/sh-realpath/blob/65512368b8155b176b67122aa395ac580d9acc5b/realpath.sh
+
+bash_realpath() {
+ canonicalize_path "$(resolve_symlinks "$1")"
+}
+
+resolve_symlinks() {
+ _resolve_symlinks "$1"
+}
+
+_resolve_symlinks() {
+ _assert_no_path_cycles "$@" || return
+
+ local dir_context path
+ if path=$(readlink -- "$1"); then
+ dir_context=$(dirname -- "$1")
+ _resolve_symlinks "$(_prepend_dir_context_if_necessary "$dir_context" "$path")" "$@"
+ else
+ printf '%s\n' "$1"
+ fi
+}
+
+_prepend_dir_context_if_necessary() {
+ if [ "$1" = . ]; then
+ printf '%s\n' "$2"
+ else
+ _prepend_path_if_relative "$1" "$2"
+ fi
+}
+
+_prepend_path_if_relative() {
+ case "$2" in
+ /* ) printf '%s\n' "$2" ;;
+ * ) printf '%s\n' "$1/$2" ;;
+ esac
+}
+
+_assert_no_path_cycles() {
+ local target path
+
+ target=$1
+ shift
+
+ for path in "$@"; do
+ if [ "$path" = "$target" ]; then
+ return 1
+ fi
+ done
+}
+
+canonicalize_path() {
+ if [ -d "$1" ]; then
+ _canonicalize_dir_path "$1"
+ else
+ _canonicalize_file_path "$1"
+ fi
+}
+
+_canonicalize_dir_path() {
+ (cd "$1" 2>/dev/null && pwd -P)
+}
+
+_canonicalize_file_path() {
+ local dir file
+ dir=$(dirname -- "$1")
+ file=$(basename -- "$1")
+ (cd "$dir" 2>/dev/null && printf '%s/%s\n' "$(pwd -P)" "$file")
+}
diff --git a/contrib/signet/README.md b/contrib/signet/README.md
index 71dc2f9638..706b296c54 100644
--- a/contrib/signet/README.md
+++ b/contrib/signet/README.md
@@ -21,27 +21,28 @@ accept one claim per day. See `--password` above.
miner
=====
-To mine the first block in your custom chain, you can run:
+You will first need to pick a difficulty target. Since signet chains are primarily protected by a signature rather than proof of work, there is no need to spend as much energy as possible mining, however you may wish to choose to spend more time than the absolute minimum. The calibrate subcommand can be used to pick a target appropriate for your hardware, eg:
cd src/
- CLI="./bitcoin-cli -conf=mysignet.conf"
- MINER="..contrib/signet/miner"
+ MINER="../contrib/signet/miner"
GRIND="./bitcoin-util grind"
- ADDR=$($CLI -signet getnewaddress)
- $MINER --cli="$CLI" generate --grind-cmd="$GRIND" --address="$ADDR" --set-block-time=-1
-
-This will mine a block with the current timestamp. If you want to backdate the chain, you can give a different timestamp to --set-block-time.
-
-You will then need to pick a difficulty target. Since signet chains are primarily protected by a signature rather than proof of work, there is no need to spend as much energy as possible mining, however you may wish to choose to spend more time than the absolute minimum. The calibrate subcommand can be used to pick a target, eg:
-
$MINER calibrate --grind-cmd="$GRIND"
nbits=1e00f403 for 25s average mining time
It defaults to estimating an nbits value resulting in 25s average time to find a block, but the --seconds parameter can be used to pick a different target, or the --nbits parameter can be used to estimate how long it will take for a given difficulty.
-Using the --ongoing parameter will then cause the signet miner to create blocks indefinitely. It will pick the time between blocks so that difficulty is adjusted to match the provided --nbits value.
+To mine the first block in your custom chain, you can run:
- $MINER --cli="$CLI" generate --grind-cmd="$GRIND" --address="$ADDR" --nbits=1e00f403 --ongoing
+ CLI="./bitcoin-cli -conf=mysignet.conf"
+ ADDR=$($CLI -signet getnewaddress)
+ NBITS=1e00f403
+ $MINER --cli="$CLI" generate --grind-cmd="$GRIND" --address="$ADDR" --nbits=$NBITS
+
+This will mine a single block with a backdated timestamp designed to allow 100 blocks to be mined as quickly as possible, so that it is possible to do transactions.
+
+Adding the --ongoing parameter will then cause the signet miner to create blocks indefinitely. It will pick the time between blocks so that difficulty is adjusted to match the provided --nbits value.
+
+ $MINER --cli="$CLI" generate --grind-cmd="$GRIND" --address="$ADDR" --nbits=$NBITS --ongoing
Other options
-------------
@@ -50,9 +51,11 @@ The --debug and --quiet options are available to control how noisy the signet mi
Instead of specifying --ongoing, you can specify --max-blocks=N to mine N blocks and stop.
-Instead of using a single address, a ranged descriptor may be provided instead (via the --descriptor parameter), with the reward for the block at height H being sent to the H'th address generated from the descriptor.
+The --set-block-time option is available to manually move timestamps forward or backward (subject to the rules that blocktime must be greater than mediantime, and dates can't be more than two hours in the future). It can only be used when mining a single block (ie, not when using --ongoing or --max-blocks greater than 1).
+
+Instead of using a single address, a ranged descriptor may be provided via the --descriptor parameter, with the reward for the block at height H being sent to the H'th address generated from the descriptor.
-Instead of calculating a specific nbits value, --min-nbits can be specified instead, in which case the mininmum signet difficulty will be targeted.
+Instead of calculating a specific nbits value, --min-nbits can be specified instead, in which case the minimum signet difficulty will be targeted. Signet's minimum difficulty corresponds to --nbits=1e0377ae.
By default, the signet miner mines blocks at fixed intervals with minimal variation. If you want blocks to appear more randomly, as they do in mainnet, specify the --poisson option.
@@ -76,5 +79,5 @@ These steps can instead be done explicitly:
$MINER --cli="$CLI" solvepsbt --grind-cmd="$GRIND" |
$CLI -signet -stdin submitblock
-This is intended to allow you to replace part of the pipeline for further experimentation, if desired.
+This is intended to allow you to replace part of the pipeline for further experimentation (eg, to sign the block with a hardware wallet).
diff --git a/contrib/signet/miner b/contrib/signet/miner
index a3fba49d0e..78e1fa5ecd 100755
--- a/contrib/signet/miner
+++ b/contrib/signet/miner
@@ -23,7 +23,7 @@ PATH_BASE_TEST_FUNCTIONAL = os.path.abspath(os.path.join(PATH_BASE_CONTRIB_SIGNE
sys.path.insert(0, PATH_BASE_TEST_FUNCTIONAL)
from test_framework.blocktools import WITNESS_COMMITMENT_HEADER, script_BIP34_coinbase_height # noqa: E402
-from test_framework.messages import CBlock, CBlockHeader, COutPoint, CTransaction, CTxIn, CTxInWitness, CTxOut, FromHex, ToHex, deser_string, hash256, ser_compact_size, ser_string, ser_uint256, uint256_from_str # noqa: E402
+from test_framework.messages import CBlock, CBlockHeader, COutPoint, CTransaction, CTxIn, CTxInWitness, CTxOut, from_hex, deser_string, hash256, ser_compact_size, ser_string, ser_uint256, tx_from_hex, uint256_from_str # noqa: E402
from test_framework.script import CScriptOp # noqa: E402
logging.basicConfig(
@@ -37,7 +37,7 @@ RE_MULTIMINER = re.compile("^(\d+)(-(\d+))?/(\d+)$")
# #### some helpers that could go into test_framework
-# like FromHex, but without the hex part
+# like from_hex, but without the hex part
def FromBinary(cls, stream):
"""deserialize a binary stream (or bytes object) into an object"""
# handle bytes object by turning it into a stream
@@ -195,7 +195,7 @@ def finish_block(block, signet_solution, grind_cmd):
headhex = CBlockHeader.serialize(block).hex()
cmd = grind_cmd.split(" ") + [headhex]
newheadhex = subprocess.run(cmd, stdout=subprocess.PIPE, input=b"", check=True).stdout.strip()
- newhead = FromHex(CBlockHeader(), newheadhex.decode('utf8'))
+ newhead = from_hex(CBlockHeader(), newheadhex.decode('utf8'))
block.nNonce = newhead.nNonce
block.rehash()
return block
@@ -216,7 +216,7 @@ def generate_psbt(tmpl, reward_spk, *, blocktime=None):
block.nTime = tmpl["mintime"]
block.nBits = int(tmpl["bits"], 16)
block.nNonce = 0
- block.vtx = [cbtx] + [FromHex(CTransaction(), t["data"]) for t in tmpl["transactions"]]
+ block.vtx = [cbtx] + [tx_from_hex(t["data"]) for t in tmpl["transactions"]]
witnonce = 0
witroot = block.calc_witness_merkle_root()
@@ -274,7 +274,7 @@ def do_genpsbt(args):
def do_solvepsbt(args):
block, signet_solution = do_decode_psbt(sys.stdin.read())
block = finish_block(block, signet_solution, args.grind_cmd)
- print(ToHex(block))
+ print(block.serialize().hex())
def nbits_to_target(nbits):
shift = (nbits >> 24) & 0xff
@@ -428,10 +428,13 @@ def do_generate(args):
action_time = now
is_mine = True
elif bestheader["height"] == 0:
- logging.error("When mining first block in a new signet, must specify --set-block-time")
- return 1
+ time_delta = next_block_delta(int(bestheader["bits"], 16), bci["bestblockhash"], ultimate_target, args.poisson)
+ time_delta *= 100 # 100 blocks
+ logging.info("Backdating time for first block to %d minutes ago" % (time_delta/60))
+ mine_time = now - time_delta
+ action_time = now
+ is_mine = True
else:
-
time_delta = next_block_delta(int(bestheader["bits"], 16), bci["bestblockhash"], ultimate_target, args.poisson)
mine_time = bestheader["time"] + time_delta
@@ -500,7 +503,7 @@ def do_generate(args):
block = finish_block(block, signet_solution, args.grind_cmd)
# submit block
- r = args.bcli("-stdin", "submitblock", input=ToHex(block).encode('utf8'))
+ r = args.bcli("-stdin", "submitblock", input=block.serialize().hex().encode('utf8'))
# report
bstr = "block" if is_mine else "backup block"
@@ -520,12 +523,11 @@ def do_calibrate(args):
sys.stderr.write("Can only specify one of --nbits or --seconds\n")
return 1
if args.nbits is not None and len(args.nbits) != 8:
- sys.stderr.write("Must specify 8 hex digits for --nbits")
+ sys.stderr.write("Must specify 8 hex digits for --nbits\n")
return 1
TRIALS = 600 # gets variance down pretty low
TRIAL_BITS = 0x1e3ea75f # takes about 5m to do 600 trials
- #TRIAL_BITS = 0x1e7ea75f # XXX
header = CBlockHeader()
header.nBits = TRIAL_BITS
@@ -533,23 +535,14 @@ def do_calibrate(args):
start = time.time()
count = 0
- #CHECKS=[]
for i in range(TRIALS):
header.nTime = i
header.nNonce = 0
headhex = header.serialize().hex()
cmd = args.grind_cmd.split(" ") + [headhex]
newheadhex = subprocess.run(cmd, stdout=subprocess.PIPE, input=b"", check=True).stdout.strip()
- #newhead = FromHex(CBlockHeader(), newheadhex.decode('utf8'))
- #count += newhead.nNonce
- #if (i+1) % 100 == 0:
- # CHECKS.append((i+1, count, time.time()-start))
-
- #print("checks =", [c*1.0 / (b*targ*2**-256) for _,b,c in CHECKS])
avg = (time.time() - start) * 1.0 / TRIALS
- #exp_count = 2**256 / targ * TRIALS
- #print("avg =", avg, "count =", count, "exp_count =", exp_count)
if args.nbits is not None:
want_targ = nbits_to_target(int(args.nbits,16))
@@ -590,7 +583,6 @@ def main():
generate.add_argument("--nbits", default=None, type=str, help="Target nBits (specify difficulty)")
generate.add_argument("--min-nbits", action="store_true", help="Target minimum nBits (use min difficulty)")
generate.add_argument("--poisson", action="store_true", help="Simulate randomised block times")
- #generate.add_argument("--signcmd", default=None, type=str, help="Alternative signing command")
generate.add_argument("--multiminer", default=None, type=str, help="Specify which set of blocks to mine (eg: 1-40/100 for the first 40%%, 2/3 for the second 3rd)")
generate.add_argument("--backup-delay", default=300, type=int, help="Seconds to delay before mining blocks reserved for other miners (default=300)")
generate.add_argument("--standby-delay", default=0, type=int, help="Seconds to delay before mining blocks (default=0)")
@@ -605,7 +597,7 @@ def main():
sp.add_argument("--descriptor", default=None, type=str, help="Descriptor for block reward payment")
for sp in [solvepsbt, generate, calibrate]:
- sp.add_argument("--grind-cmd", default=None, type=str, help="Command to grind a block header for proof-of-work")
+ sp.add_argument("--grind-cmd", default=None, type=str, required=(sp==calibrate), help="Command to grind a block header for proof-of-work")
args = parser.parse_args(sys.argv[1:])
diff --git a/contrib/testgen/README.md b/contrib/testgen/README.md
index eaca473b40..fcc5a378e2 100644
--- a/contrib/testgen/README.md
+++ b/contrib/testgen/README.md
@@ -4,5 +4,5 @@ Utilities to generate test vectors for the data-driven Bitcoin tests.
Usage:
- PYTHONPATH=../../test/functional/test_framework ./gen_key_io_test_vectors.py valid 50 > ../../src/test/data/key_io_valid.json
- PYTHONPATH=../../test/functional/test_framework ./gen_key_io_test_vectors.py invalid 50 > ../../src/test/data/key_io_invalid.json
+ PYTHONPATH=../../test/functional/test_framework ./gen_key_io_test_vectors.py valid 70 > ../../src/test/data/key_io_valid.json
+ PYTHONPATH=../../test/functional/test_framework ./gen_key_io_test_vectors.py invalid 70 > ../../src/test/data/key_io_invalid.json
diff --git a/contrib/testgen/gen_key_io_test_vectors.py b/contrib/testgen/gen_key_io_test_vectors.py
index 8a3918da6b..74918cfb04 100755
--- a/contrib/testgen/gen_key_io_test_vectors.py
+++ b/contrib/testgen/gen_key_io_test_vectors.py
@@ -3,11 +3,11 @@
# Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
'''
-Generate valid and invalid base58 address and private key test vectors.
+Generate valid and invalid base58/bech32(m) address and private key test vectors.
Usage:
- PYTHONPATH=../../test/functional/test_framework ./gen_key_io_test_vectors.py valid 50 > ../../src/test/data/key_io_valid.json
- PYTHONPATH=../../test/functional/test_framework ./gen_key_io_test_vectors.py invalid 50 > ../../src/test/data/key_io_invalid.json
+ PYTHONPATH=../../test/functional/test_framework ./gen_key_io_test_vectors.py valid 70 > ../../src/test/data/key_io_valid.json
+ PYTHONPATH=../../test/functional/test_framework ./gen_key_io_test_vectors.py invalid 70 > ../../src/test/data/key_io_invalid.json
'''
# 2012 Wladimir J. van der Laan
# Released under MIT License
@@ -15,7 +15,7 @@ import os
from itertools import islice
from base58 import b58encode_chk, b58decode_chk, b58chars
import random
-from segwit_addr import bech32_encode, decode_segwit_address, convertbits, CHARSET
+from segwit_addr import bech32_encode, decode_segwit_address, convertbits, CHARSET, Encoding
# key types
PUBKEY_ADDRESS = 0
@@ -32,6 +32,7 @@ PRIVKEY_REGTEST = 239
OP_0 = 0x00
OP_1 = 0x51
OP_2 = 0x52
+OP_3 = 0x53
OP_16 = 0x60
OP_DUP = 0x76
OP_EQUAL = 0x87
@@ -44,6 +45,7 @@ script_prefix = (OP_HASH160, 20)
script_suffix = (OP_EQUAL,)
p2wpkh_prefix = (OP_0, 20)
p2wsh_prefix = (OP_0, 32)
+p2tr_prefix = (OP_1, 32)
metadata_keys = ['isPrivkey', 'chain', 'isCompressed', 'tryCaseFlip']
# templates for valid sequences
@@ -54,40 +56,58 @@ templates = [
((SCRIPT_ADDRESS,), 20, (), (False, 'main', None, None), script_prefix, script_suffix),
((PUBKEY_ADDRESS_TEST,), 20, (), (False, 'test', None, None), pubkey_prefix, pubkey_suffix),
((SCRIPT_ADDRESS_TEST,), 20, (), (False, 'test', None, None), script_prefix, script_suffix),
+ ((PUBKEY_ADDRESS_TEST,), 20, (), (False, 'signet', None, None), pubkey_prefix, pubkey_suffix),
+ ((SCRIPT_ADDRESS_TEST,), 20, (), (False, 'signet', None, None), script_prefix, script_suffix),
((PUBKEY_ADDRESS_REGTEST,), 20, (), (False, 'regtest', None, None), pubkey_prefix, pubkey_suffix),
((SCRIPT_ADDRESS_REGTEST,), 20, (), (False, 'regtest', None, None), script_prefix, script_suffix),
((PRIVKEY,), 32, (), (True, 'main', False, None), (), ()),
((PRIVKEY,), 32, (1,), (True, 'main', True, None), (), ()),
((PRIVKEY_TEST,), 32, (), (True, 'test', False, None), (), ()),
((PRIVKEY_TEST,), 32, (1,), (True, 'test', True, None), (), ()),
+ ((PRIVKEY_TEST,), 32, (), (True, 'signet', False, None), (), ()),
+ ((PRIVKEY_TEST,), 32, (1,), (True, 'signet', True, None), (), ()),
((PRIVKEY_REGTEST,), 32, (), (True, 'regtest', False, None), (), ()),
((PRIVKEY_REGTEST,), 32, (1,), (True, 'regtest', True, None), (), ())
]
# templates for valid bech32 sequences
bech32_templates = [
- # hrp, version, witprog_size, metadata, output_prefix
- ('bc', 0, 20, (False, 'main', None, True), p2wpkh_prefix),
- ('bc', 0, 32, (False, 'main', None, True), p2wsh_prefix),
- ('bc', 1, 2, (False, 'main', None, True), (OP_1, 2)),
- ('tb', 0, 20, (False, 'test', None, True), p2wpkh_prefix),
- ('tb', 0, 32, (False, 'test', None, True), p2wsh_prefix),
- ('tb', 2, 16, (False, 'test', None, True), (OP_2, 16)),
- ('bcrt', 0, 20, (False, 'regtest', None, True), p2wpkh_prefix),
- ('bcrt', 0, 32, (False, 'regtest', None, True), p2wsh_prefix),
- ('bcrt', 16, 40, (False, 'regtest', None, True), (OP_16, 40))
+ # hrp, version, witprog_size, metadata, encoding, output_prefix
+ ('bc', 0, 20, (False, 'main', None, True), Encoding.BECH32, p2wpkh_prefix),
+ ('bc', 0, 32, (False, 'main', None, True), Encoding.BECH32, p2wsh_prefix),
+ ('bc', 1, 32, (False, 'main', None, True), Encoding.BECH32M, p2tr_prefix),
+ ('bc', 2, 2, (False, 'main', None, True), Encoding.BECH32M, (OP_2, 2)),
+ ('tb', 0, 20, (False, 'test', None, True), Encoding.BECH32, p2wpkh_prefix),
+ ('tb', 0, 32, (False, 'test', None, True), Encoding.BECH32, p2wsh_prefix),
+ ('tb', 1, 32, (False, 'test', None, True), Encoding.BECH32M, p2tr_prefix),
+ ('tb', 3, 16, (False, 'test', None, True), Encoding.BECH32M, (OP_3, 16)),
+ ('tb', 0, 20, (False, 'signet', None, True), Encoding.BECH32, p2wpkh_prefix),
+ ('tb', 0, 32, (False, 'signet', None, True), Encoding.BECH32, p2wsh_prefix),
+ ('tb', 1, 32, (False, 'signet', None, True), Encoding.BECH32M, p2tr_prefix),
+ ('tb', 3, 32, (False, 'signet', None, True), Encoding.BECH32M, (OP_3, 32)),
+ ('bcrt', 0, 20, (False, 'regtest', None, True), Encoding.BECH32, p2wpkh_prefix),
+ ('bcrt', 0, 32, (False, 'regtest', None, True), Encoding.BECH32, p2wsh_prefix),
+ ('bcrt', 1, 32, (False, 'regtest', None, True), Encoding.BECH32M, p2tr_prefix),
+ ('bcrt', 16, 40, (False, 'regtest', None, True), Encoding.BECH32M, (OP_16, 40))
]
# templates for invalid bech32 sequences
bech32_ng_templates = [
- # hrp, version, witprog_size, invalid_bech32, invalid_checksum, invalid_char
- ('tc', 0, 20, False, False, False),
- ('tb', 17, 32, False, False, False),
- ('bcrt', 3, 1, False, False, False),
- ('bc', 15, 41, False, False, False),
- ('tb', 0, 16, False, False, False),
- ('bcrt', 0, 32, True, False, False),
- ('bc', 0, 16, True, False, False),
- ('tb', 0, 32, False, True, False),
- ('bcrt', 0, 20, False, False, True)
+ # hrp, version, witprog_size, encoding, invalid_bech32, invalid_checksum, invalid_char
+ ('tc', 0, 20, Encoding.BECH32, False, False, False),
+ ('bt', 1, 32, Encoding.BECH32M, False, False, False),
+ ('tb', 17, 32, Encoding.BECH32M, False, False, False),
+ ('bcrt', 3, 1, Encoding.BECH32M, False, False, False),
+ ('bc', 15, 41, Encoding.BECH32M, False, False, False),
+ ('tb', 0, 16, Encoding.BECH32, False, False, False),
+ ('bcrt', 0, 32, Encoding.BECH32, True, False, False),
+ ('bc', 0, 16, Encoding.BECH32, True, False, False),
+ ('tb', 0, 32, Encoding.BECH32, False, True, False),
+ ('bcrt', 0, 20, Encoding.BECH32, False, False, True),
+ ('bc', 0, 20, Encoding.BECH32M, False, False, False),
+ ('tb', 0, 32, Encoding.BECH32M, False, False, False),
+ ('bcrt', 0, 20, Encoding.BECH32M, False, False, False),
+ ('bc', 1, 32, Encoding.BECH32, False, False, False),
+ ('tb', 2, 16, Encoding.BECH32, False, False, False),
+ ('bcrt', 16, 20, Encoding.BECH32, False, False, False),
]
def is_valid(v):
@@ -127,8 +147,9 @@ def gen_valid_bech32_vector(template):
hrp = template[0]
witver = template[1]
witprog = bytearray(os.urandom(template[2]))
- dst_prefix = bytearray(template[4])
- rv = bech32_encode(hrp, [witver] + convertbits(witprog, 8, 5))
+ encoding = template[4]
+ dst_prefix = bytearray(template[5])
+ rv = bech32_encode(encoding, hrp, [witver] + convertbits(witprog, 8, 5))
return rv, dst_prefix + witprog
def gen_valid_vectors():
@@ -186,22 +207,23 @@ def gen_invalid_bech32_vector(template):
hrp = template[0]
witver = template[1]
witprog = bytearray(os.urandom(template[2]))
+ encoding = template[3]
if no_data:
- rv = bech32_encode(hrp, [])
+ rv = bech32_encode(encoding, hrp, [])
else:
data = [witver] + convertbits(witprog, 8, 5)
- if template[3] and not no_data:
+ if template[4] and not no_data:
if template[2] % 5 in {2, 4}:
data[-1] |= 1
else:
data.append(0)
- rv = bech32_encode(hrp, data)
+ rv = bech32_encode(encoding, hrp, data)
- if template[4]:
+ if template[5]:
i = len(rv) - random.randrange(1, 7)
rv = rv[:i] + random.choice(CHARSET.replace(rv[i], '')) + rv[i + 1:]
- if template[5]:
+ if template[6]:
i = len(hrp) + 1 + random.randrange(0, len(rv) - len(hrp) - 4)
rv = rv[:i] + rv[i:i + 4].upper() + rv[i + 4:]
diff --git a/contrib/verify-commits/trusted-keys b/contrib/verify-commits/trusted-keys
index 27fede6277..c14f90b04b 100644
--- a/contrib/verify-commits/trusted-keys
+++ b/contrib/verify-commits/trusted-keys
@@ -4,3 +4,4 @@
B8B3F1C0E58C15DB6A81D30C3648A882F4316B9B
CA03882CB1FC067B5D3ACFE4D300116E1C875A3D
E777299FC265DD04793070EB944D35F9AC3DB76A
+D1DBF2C4B96F2DEBF4C16654410108112E7EA81F
diff --git a/contrib/verifybinaries/verify.py b/contrib/verifybinaries/verify.py
index b97ad11b8e..6cbaf2dc0c 100755
--- a/contrib/verifybinaries/verify.py
+++ b/contrib/verifybinaries/verify.py
@@ -51,7 +51,7 @@ def download_with_wget(remote_file, local_file=None):
if local_file:
wget_args = ['wget', '-O', local_file, remote_file]
else:
- # use timestamping mechanism if local filename is not explicitely set
+ # use timestamping mechanism if local filename is not explicitly set
wget_args = ['wget', '-N', remote_file]
result = subprocess.run(wget_args,
@@ -85,7 +85,7 @@ def main(args):
print("Error: need to specify a version on the command line")
return 3
- # determine remote dir dependend on provided version string
+ # determine remote dir dependent on provided version string
version_base, version_rc, os_filter = parse_version_string(args[0])
remote_dir = f"/bin/{VERSIONPREFIX}{version_base}/"
if version_rc:
diff --git a/contrib/windeploy/detached-sig-create.sh b/contrib/windeploy/detached-sig-create.sh
index 31720e72e7..29802e622e 100755
--- a/contrib/windeploy/detached-sig-create.sh
+++ b/contrib/windeploy/detached-sig-create.sh
@@ -25,7 +25,7 @@ CERTFILE="win-codesign.cert"
mkdir -p "${OUTSUBDIR}"
basename -a $(ls -1 "${SRCDIR}"/*-unsigned.exe) | while read UNSIGNED; do
echo Signing "${UNSIGNED}"
- "${OSSLSIGNCODE}" sign -certs "${CERTFILE}" -t "${TIMESERVER}" -in "${SRCDIR}/${UNSIGNED}" -out "${WORKDIR}/${UNSIGNED}" "$@"
+ "${OSSLSIGNCODE}" sign -certs "${CERTFILE}" -t "${TIMESERVER}" -h sha256 -in "${SRCDIR}/${UNSIGNED}" -out "${WORKDIR}/${UNSIGNED}" "$@"
"${OSSLSIGNCODE}" extract-signature -pem -in "${WORKDIR}/${UNSIGNED}" -out "${OUTSUBDIR}/${UNSIGNED}.pem" && rm "${WORKDIR}/${UNSIGNED}"
done
diff --git a/contrib/windeploy/win-codesign.cert b/contrib/windeploy/win-codesign.cert
index 4023a5b638..e763df5847 100644
--- a/contrib/windeploy/win-codesign.cert
+++ b/contrib/windeploy/win-codesign.cert
@@ -1,100 +1,89 @@
-----BEGIN CERTIFICATE-----
-MIIFdDCCBFygAwIBAgIRAL98pqZb/N9LuNaNxKsHNGQwDQYJKoZIhvcNAQELBQAw
-fDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
-A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMSQwIgYDVQQD
-ExtTZWN0aWdvIFJTQSBDb2RlIFNpZ25pbmcgQ0EwHhcNMjAwMzI0MDAwMDAwWhcN
-MjEwMzI0MjM1OTU5WjCBtzELMAkGA1UEBhMCQ0gxDTALBgNVBBEMBDgwMDUxDjAM
-BgNVBAgMBVN0YXRlMRAwDgYDVQQHDAdaw7xyaWNoMRcwFQYDVQQJDA5NYXR0ZW5n
-YXNzZSAyNzEuMCwGA1UECgwlQml0Y29pbiBDb3JlIENvZGUgU2lnbmluZyBBc3Nv
-Y2lhdGlvbjEuMCwGA1UEAwwlQml0Y29pbiBDb3JlIENvZGUgU2lnbmluZyBBc3Nv
-Y2lhdGlvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMtxC8N4r/jE
-OGOdFy/0UtiUvEczPZf9WYZz/7paAkc75XopHIE5/ssmoEX27gG9K00tf3Q62QAx
-inZUPWkNTh8X0l+6uSGiIBFIV7dDgztIxnPcxaqw0k7Q2TEqKJvb5qm16zX6WfXJ
-R2r6O5utUdQ3AarHnQq9fwdM1j5+ywS5u52te74ENgDMTMKUuB2J3KH1ASg5PAtO
-CjPqPL+ZXJ7eT3M0Z+Lbu5ISZSqZB48BcCwOo/fOO0dAiLT9FE1iVtaCpBKHqGmd
-glRjPzZdgDv8g28etRmk8wQ5pQmfL2gBjt/LtIgMPTdHHETKLxJO5H3y0CNx1vzL
-ql7xNMxELxkCAwEAAaOCAbMwggGvMB8GA1UdIwQYMBaAFA7hOqhTOjHVir7Bu61n
-GgOFrTQOMB0GA1UdDgQWBBSHBbl82FUJiUkXyyYJog1awYRsxjAOBgNVHQ8BAf8E
-BAMCB4AwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAzARBglghkgB
-hvhCAQEEBAMCBBAwQAYDVR0gBDkwNzA1BgwrBgEEAbIxAQIBAwIwJTAjBggrBgEF
-BQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwQwYDVR0fBDwwOjA4oDagNIYy
-aHR0cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBQ29kZVNpZ25pbmdDQS5j
-cmwwcwYIKwYBBQUHAQEEZzBlMD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LnNlY3Rp
-Z28uY29tL1NlY3RpZ29SU0FDb2RlU2lnbmluZ0NBLmNydDAjBggrBgEFBQcwAYYX
-aHR0cDovL29jc3Auc2VjdGlnby5jb20wKwYDVR0RBCQwIoEgam9uYXNAYml0Y29p
-bmNvcmVjb2Rlc2lnbmluZy5vcmcwDQYJKoZIhvcNAQELBQADggEBAAU59qJzQ2ED
-aTMIQTsU01zIhZJ/xwQh78i0v2Mnr46RvzYrZOev+btF3SyUYD8veNnbYlY6yEYq
-Vb+/PQnE3t1xlqR80qiTZCk/Wmxx/qKvQuWeRL5QQgvsCmWBpycQ7PNfwzOWxbPE
-b0Hb2/VFFZfR9iltkfeInRUrzS96CJGYtm7dMf2JtnXYBcwpn1N8BSMH4nXVyN8g
-VEE5KyjE7+/awYiSST7+e6Y7FE5AJ4f3FjqnRm+2XetTVqITwMLKZMoV283nSEeH
-fA4FNAMGz9QeV38ol65NNqFP2vSSgVoPK79orqH9OOW2LSobt2qun+euddJIQeYV
-CMP90b/2WPc=
+MIIGQzCCBSugAwIBAgIQBSN7Cm16Z0UT9p7lA2jiKDANBgkqhkiG9w0BAQsFADBy
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQg
+SUQgQ29kZSBTaWduaW5nIENBMB4XDTIxMDUyMTAwMDAwMFoXDTIyMDUyNjIzNTk1
+OVowgYAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhEZWxhd2FyZTEOMAwGA1UEBxMF
+TGV3ZXMxJjAkBgNVBAoTHUJpdGNvaW4gQ29yZSBDb2RlIFNpZ25pbmcgTExDMSYw
+JAYDVQQDEx1CaXRjb2luIENvcmUgQ29kZSBTaWduaW5nIExMQzCCAiIwDQYJKoZI
+hvcNAQEBBQADggIPADCCAgoCggIBAKe6xtFgKAQ68MvxwCjNtpgPobfDQCLKvCAN
+uBKGYuub6ufQB5dhCLN9fjMgfg33AyauvU3PcEUDUWD3/k925bPqgxHC3E7YqoB+
+11b/2Y7a86okqUgcGgvKhaKoHmXxElpM9EjQHjJ0yL4QAR1Lp+9CMMW3wIulBYKt
+wLIArFvbuQhMO/6rxL8frpK049v//WfQzB16GXuFnzN/6fDK7oOt5IrKTg4H6EY2
+fj4+QaUj0lNX7aHnZ6Ki45h2RUPDgN1ipRIuhM67npyZ/tdzPPjI3PUgfXCccN6D
++qWWnbbbvPuOht4ziPciVnPd57PqJmAOnLI86gisDfd7VKlcpOSEaagdUGvMbU6f
+uAps818GwnJzwCGllxlKASCgXDAckLLvMuit4RfYAhhdhw5R0AsaWK0HW88oHOqi
+U7eWlMCbSGk34x9hBrxYl7tvcNcLPWIPYrrhFWNFpkV8bVVIoV5rUNRgWvBcdOq1
+CCPTfsJp3nEH2WCoBghZquDZLSW12wMw2UsQyEojBeGhrR1inn8uK93wSnVCC8F4
+21yWNRMNe/LQVhmZDgFOen9r/WijBsBdQw1bL8N4zGdYv8+soqkrWzW417FfSx81
+pj4j5FEXYXXV5k/4/eBpIARXVRR8xya0nGkhNJmBk0jjDGD8fPW2gFQbqnUwAQ34
+vOr8NUqHAgMBAAGjggHEMIIBwDAfBgNVHSMEGDAWgBRaxLl7KgqjpepxA8Bg+S32
+ZXUOWDAdBgNVHQ4EFgQUVSLtZnifEHvd8z3E7AyLYNuDiaMwDgYDVR0PAQH/BAQD
+AgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMHcGA1UdHwRwMG4wNaAzoDGGL2h0dHA6
+Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3JsMDWgM6Ax
+hi9odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1hc3N1cmVkLWNzLWcxLmNy
+bDBLBgNVHSAERDBCMDYGCWCGSAGG/WwDATApMCcGCCsGAQUFBwIBFhtodHRwOi8v
+d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQQBMIGEBggrBgEFBQcBAQR4MHYw
+JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcw
+AoZCaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3Vy
+ZWRJRENvZGVTaWduaW5nQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEL
+BQADggEBAOaJneI91NJgqghUxgc0AWQ01SAJTgN4z7xMQ3W0ZAtwGbA0byT7YRlj
+j7h+j+hMX/JYkRJETTh8Nalq2tPWJBiMMEPOGFVttFER1pwouHkK9pSKyp4xRvNU
+L0LPh7fE4EYMJoynys6ZTpMCHLku+X3jFat1+1moh9TJRvK5+ETZYGl0seFNU3mJ
+dZzusObm4scffIGgi40kmmISKd5ZRuooRTu9FFR/3vpfbA+7Vg4RSH3CcQPo9bfk
++h/qRQhSfQInTBn7obRpIlvEcK782qivqseJGdtnTmcdVRShD5ckTVza1yv25uQz
+l/yTqmG2LXlYjl5iMSdF0C1xYq6IsOA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
-MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
-BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
-aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
-dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
-AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
-3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
-tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
-Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
-VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
-79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
-c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
-Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
-c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
-UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
-Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
-BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
-A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
-Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
-VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
-ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
-8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
-iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
-Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
-XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
-qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
-VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
-L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
-jjxDah2nGN59PRbxYvnKkKj9
+MIIFMDCCBBigAwIBAgIQBAkYG1/Vu2Z1U0O1b5VQCDANBgkqhkiG9w0BAQsFADBl
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
+b3QgQ0EwHhcNMTMxMDIyMTIwMDAwWhcNMjgxMDIyMTIwMDAwWjByMQswCQYDVQQG
+EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
+cnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBT
+aWduaW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+NOzHH8O
+Ea9ndwfTCzFJGc/Q+0WZsTrbRPV/5aid2zLXcep2nQUut4/6kkPApfmJ1DcZ17aq
+8JyGpdglrA55KDp+6dFn08b7KSfH03sjlOSRI5aQd4L5oYQjZhJUM1B0sSgmuyRp
+wsJS8hRniolF1C2ho+mILCCVrhxKhwjfDPXiTWAYvqrEsq5wMWYzcT6scKKrzn/p
+fMuSoeU7MRzP6vIK5Fe7SrXpdOYr/mzLfnQ5Ng2Q7+S1TqSp6moKq4TzrGdOtcT3
+jNEgJSPrCGQ+UpbB8g8S9MWOD8Gi6CxR93O8vYWxYoNzQYIH5DiLanMg0A9kczye
+n6Yzqf0Z3yWT0QIDAQABo4IBzTCCAckwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV
+HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMweQYIKwYBBQUHAQEEbTBr
+MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUH
+MAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ
+RFJvb3RDQS5jcnQwgYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2lj
+ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaGNGh0dHA6
+Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmww
+TwYDVR0gBEgwRjA4BgpghkgBhv1sAAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
+d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCgYIYIZIAYb9bAMwHQYDVR0OBBYEFFrEuXsq
+CqOl6nEDwGD5LfZldQ5YMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgP
+MA0GCSqGSIb3DQEBCwUAA4IBAQA+7A1aJLPzItEVyCx8JSl2qB1dHC06GsTvMGHX
+fgtg/cM9D8Svi/3vKt8gVTew4fbRknUPUbRupY5a4l4kgU4QpO4/cY5jDhNLrddf
+RHnzNhQGivecRk5c/5CxGwcOkRX7uq+1UcKNJK4kxscnKqEpKBo6cSgCPC6Ro8Al
+EeKcFEehemhor5unXCBc2XGxDI+7qPjFEmifz0DLQESlE/DmZAwlCEIysjaKJAL+
+L3J+HNdJRZboWR3p+nRka7LrZkPas7CM1ekN3fYBIM6ZMWM9CBoYs4GbT8aTEAb8
+B4H6i9r5gkn3Ym6hU/oSlBiFLpKR6mhsRDKyZqHnGKSaZFHv
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIF9TCCA92gAwIBAgIQHaJIMG+bJhjQguCWfTPTajANBgkqhkiG9w0BAQwFADCB
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
-MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjB8MQswCQYDVQQGEwJHQjEbMBkGA1UE
-CBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQK
-Ew9TZWN0aWdvIExpbWl0ZWQxJDAiBgNVBAMTG1NlY3RpZ28gUlNBIENvZGUgU2ln
-bmluZyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIYijTKFehif
-SfCWL2MIHi3cfJ8Uz+MmtiVmKUCGVEZ0MWLFEO2yhyemmcuVMMBW9aR1xqkOUGKl
-UZEQauBLYq798PgYrKf/7i4zIPoMGYmobHutAMNhodxpZW0fbieW15dRhqb0J+V8
-aouVHltg1X7XFpKcAC9o95ftanK+ODtj3o+/bkxBXRIgCFnoOc2P0tbPBrRXBbZO
-oT5Xax+YvMRi1hsLjcdmG0qfnYHEckC14l/vC0X/o84Xpi1VsLewvFRqnbyNVlPG
-8Lp5UEks9wO5/i9lNfIi6iwHr0bZ+UYc3Ix8cSjz/qfGFN1VkW6KEQ3fBiSVfQ+n
-oXw62oY1YdMCAwEAAaOCAWQwggFgMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvA
-nfKyA2bLMB0GA1UdDgQWBBQO4TqoUzox1Yq+wbutZxoDha00DjAOBgNVHQ8BAf8E
-BAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAwYI
-KwYBBQUHAwgwEQYDVR0gBAowCDAGBgRVHSAAMFAGA1UdHwRJMEcwRaBDoEGGP2h0
-dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9u
-QXV0aG9yaXR5LmNybDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6
-Ly9jcnQudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAl
-BggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0B
-AQwFAAOCAgEATWNQ7Uc0SmGk295qKoyb8QAAHh1iezrXMsL2s+Bjs/thAIiaG20Q
-BwRPvrjqiXgi6w9G7PNGXkBGiRL0C3danCpBOvzW9Ovn9xWVM8Ohgyi33i/klPeF
-M4MtSkBIv5rCT0qxjyT0s4E307dksKYjalloUkJf/wTr4XRleQj1qZPea3FAmZa6
-ePG5yOLDCBaxq2NayBWAbXReSnV+pbjDbLXP30p5h1zHQE1jNfYw08+1Cg4LBH+g
-S667o6XQhACTPlNdNKUANWlsvp8gJRANGftQkGG+OY96jk32nw4e/gdREmaDJhlI
-lc5KycF/8zoFm/lv34h/wCOe0h5DekUxwZxNqfBZslkZ6GqNKQQCd3xLS81wvjqy
-VVp4Pry7bwMQJXcVNIr5NsxDkuS6T/FikyglVyn7URnHoSVAaoRXxrKdsbwcCtp8
-Z359LukoTBh+xHsxQXGaSynsCz1XUNLK3f2eBVHlRHjdAd6xdZgNVCT98E7j4viD
-vXK6yz067vBeF5Jobchh+abxKgoLpbn0nu6YMgWFnuv5gynTxix9vTp3Los3QqBq
-gu07SqqUEKThDfgXxbZaeTMYkuO1dfih6Y4KJR7kHvGfWocj/5+kUZ77OYARzdu1
-xKeogG/lU9Tg46LC0lsa+jImLWpXcBw8pFguo/NbSwfcMlnzh6cabVg=
+MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
+b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
+EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
+cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
+JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
+mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
+wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
+VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
+AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
+AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
+BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
+pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
+dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
+fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
+NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
+H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
++o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
-----END CERTIFICATE-----
+
generated by cgit v1.2.3 (git 2.26.2) at 2024-09-04 05:11:22 +0000