aboutsummaryrefslogtreecommitdiff
path: root/contrib
AgeCommit message (Collapse)Author
2022-06-09windeploy: Renewed windows code signing certificateAndrew Chow
Github-Pull: #25201 Rebased-From: 7e9fe6d800ee8f3381e8f6ad2371f7775c68fad9
2022-02-15guix: Fix powerpc64(le) dynamic linker nameCarl Dong
I used Guix's values for the powerpc64(le) dynamic linkers, and the /lib-prefix seems to be a Guix-ism rather than standard. The standard path for the linker-loaders start with /lib64. I've taken the new loader values from SYSDEP_KNOWN_INTERPRETER_NAMES in glibc's sysdeps/unix/sysv/linux/powerpc/ldconfig.h file. For future reference, loader path values can also be found on glibc's website: https://sourceware.org/glibc/wiki/ABIList?action=recall&rev=16 Github-Pull: #23148 Rebased-From: b96adcbfae90b3e041754f11624cac04c1999e8c
2022-01-31guix: ignore additioanl failing certvalidator testfanquake
====================================================================== ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft validate_path(context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path return _validate_path(validation_context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path raise PathValidationError(pretty_message( certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-01-14 12:00:00Z Github-Pull: #24057 Rebased-From: 85885919656a3f606f3d7f208378aabe95f3f62d
2021-09-02guix/prelude: Override VERSION with FORCE_VERSIONCarl Dong
Previously, if the builder exported $VERSION in their environment (as past Gitian-building docs told them to), but their HEAD does not actually point to v$VERSION, their build outputs will differ from those of other builders. This is because the contrib/guix/guix-* scripts only ever act on the current git worktree, and does not try to check out $VERSION if $VERSION is set in the environment. Setting $VERSION only makes the scripts pretend like the current worktree is $VERSION. This problem was seen in jonatack's attestation for all.SHA256SUMS, where only his bitcoin-22.0rc3-osx-signed.dmg differed from everyone else's. Here is my deduced sequence of events: 1. Aug 27th: He guix-builds 22.0rc3 and uploads his attestations up to guix.sigs 2. Aug 30th, sometime after POSIX time 1630310848: he pulls the latest changes from master in the same worktree where he guix-built 22.0rc3 and ends up at 7be143a960e2 3. Aug 30th, sometime before POSIX time 1630315907: With his worktree still on 7be143a960e2, he guix-codesigns. Normally, this would result in outputs going in guix-build-7be143a960e2, but he had VERSION=22.0rc3 in his environment, so the guix-* scripts pretended like he was building 22.0rc3, and used 22.0rc3's guix-build directory to locate un-codesigned outputs and dump codesigned ones. However, our SOURCE_DATE_EPOCH defaults to the POSIX time of HEAD (7be143a960e2), which made all timestamps in the resulting codesigned DMG 1630310848, 7be143a960e2's POSIX timestamp. This differs from the POSIX timestamp of 22.0rc3, which is 1630348517. Note that the windows codesigning procedure does not consider SOURCE_DATE_EPOCH. We resolve this by only allowing VERSION overrides via the FORCE_VERSION environment variable. Github-Pull: #22847 Rebased-From: 96cc6bb04f7e173e1f7637b780ac00fc75486671
2021-08-26doc: Stop nixing `-` in manual pagesW. J. van der Laan
The version replacement here is not working anyway, not just that but it is actively harmful as it removes all `-` from the text. So remove that line. See discussion in #22681. Tree-SHA512: 909c6225a50bbda1253bae65c09700a658bd36b5c91c91cea28d1df0aad5dc4adb095e0695259eca377536da34d17741ce453a5c5c50041d1163d94bbbe5355d
2021-08-20guix: Don't include directory name in SHA256SUMSAndrew Chow
The SHA256SUMS file can be used in a sha256sum -c command to verify downloaded binaries. However users are likely to download just a single file and not place this file in the correct directory relative to the SHA256SUMS file for the simple verification command to work. By not including the directory name in the SHA256SUMS file, it will be easier for users to verify downloaded binaries. Co-authored-by: Carl Dong <contact@carldong.me> Github-Pull: bitcoin/bitcoin#22654 Rebased-From: fb17c99e35e72f3b21ec3b5473e84c21dc964776
2021-08-20release: Release with separate SHA256SUMS and sig filesCarl Dong
This allows us to remove the rfc4880 EOL hacks and release with a SHA256SUMS.asc file that's a combination of all signer signatures. Github-Pull: bitcoin/bitcoin#22642 Rebased-From: 90b3e482e911fde73133a157c3b354471682275a
2021-08-20guix-verify: Non-zero exit code when anything failsCarl Dong
Previously, if verification fails, the correct message will be printed, but the exit code would still be 0. Github-Pull: bitcoin/bitcoin#22643 Rebased-From: d451b60d22576dff7a2c8d6a8b5880d9d69e397c
2021-08-02contrib, p2p: update I2P hardcoded seedsJon Atack
Github-Pull: #22589 Rebased-From: 2962640c49cf38f76345e45e63045a8f0eed5c61
2021-07-29guix: Ensure EPOCH_SOURCE_DATE does not include GPG informationAndrew Chow
If the user has set log.showSignature=true in their git config, then the git log will always output GPG signature information. Since git log is used to set EPOCH_SOURCE_DATE, this will mistakenly have GPG signature information in it which causes issues for the build. To avoid this issue, we override the config and force log.showSignature=false. Github-Pull: #22531 Rebased-From: 9b313dfef18792fcc36e78ef3caa693fafcce04e
2021-07-29guix: Remove extra \r from all.SHA256SUMS line endingAndrew Chow
guix-attest mistakenly added an extra \r to the line endings in all.SHA256SUMS, causing guix-verify to erroneously fail. Co-Authored-By: Carl Dong <contact@carldong.me> Github-Pull: #22531 Rebased-From: 43225f0a2a517ccd79dc49279b979ffd2eca6b85
2021-07-29guix: Allow changing the base manifest in guix-verifyAndrew Chow
When verifying guix attestations, it is useful to set a particular signer's manifest as the base to compare against. Github-Pull: #22531 Rebased-From: 4a466388a0092fbdf5f8969c6bfb65bf8cc962e1
2021-07-29guix: Make all.SHA256SUMS rather than codesigned.SHA256SUMSAndrew Chow
Github-Pull: #22531 Rebased-From: 33455c76964b9e27b33e970d9722cc47657b291b
2021-07-29script, doc: guix touchupsjonatack
Github-Pull: #22538 Rebased-From: 198ceb82f91bfdeac6e143ca7433f4a524f6f36f
2021-07-29Updated Readme, Corrected the codesign typoh
Github-Pull: #22538 Rebased-From: d7b7f610a53aa62bd82f6704a9c518a93c896963
2021-07-23guix/build: Remove vestigial SKIPATTEST.TAGCarl Dong
Github-Pull: #22533 Rebased-From: 9f01feda0ad99d8600f9edee1f37594c5166a7b8
2021-07-23guix/INSTALL: Misc fixupsCarl Dong
Github-Pull: #22511 Rebased-From: a884a1edcd1b795799f1be65df17462041741dc3
2021-07-23guix: Silence getent(1) invocationCarl Dong
Github-Pull: #22511 Rebased-From: 3c4d2c418e62d421a8bd7640ef5384251c892406
2021-07-20Merge bitcoin/bitcoin#22465: guix: Pin kernel-header version, time-machine ↵fanquake
to upstream 1.3.0 commit e6a94d44469f90f4dc88a07a5a8587730811c705 guix: Bump to version-1.3.0 from upstream (Carl Dong) 90fd13b954a364963f58e6cd12962c6f1986f79b guix: Pin kernel header version (Carl Dong) Pull request description: ``` - Use 4.19 for riscv64 (earliest LTS release w/ riscv64 support) - Use 4.9 for all others (second-oldest LTS release, released in combination with glibc glibc 2.24 in Debian stretch) ``` ``` The chosen commit is the HEAD of Guix's version-1.3.0 branch as of July 15th, 2021. Also fix visual indenting. ``` ----- This + the documentation PR should make our Guix system ready for release! ACKs for top commit: MarcoFalke: review ACK e6a94d44469f90f4dc88a07a5a8587730811c705 to change to vanilla guix. Did not review the kernel change. laanwj: ACK e6a94d44469f90f4dc88a07a5a8587730811c705 fanquake: ACK e6a94d44469f90f4dc88a07a5a8587730811c705 Tree-SHA512: a175e4ddb3ee786a39f5e800ce336932ad2f6797a3a28400a6f723875d0f19833fd36cedc41b3580e4604110517211bd9f557be36adf7265fd8e591c434ae032
2021-07-20Merge bitcoin/bitcoin#22199: macdeploy: minor fixups and simplificationsfanquake
0a5723beea9c909b437e8c3fa434506019c1198c macdeploy: cleanup .temp.dmg if present (fanquake) ecffe8689dfbdc33deba8119376dcc8f208f0f72 macdeploy: remove qt4 related code (fanquake) 639f0642539c6b5ba9bc7b39bb8bb52752029bee macdeploy: select the plugins we need, rather than excluding those we don't (fanquake) 3d26b6b9e928e3cdc4b3d8d1f66ec7ed022b411b macdeploy: fix framework printing when passing -verbose (fanquake) dca6c9032993f2bbf8047751d52f2a5c7ebd3ee4 macdeploy: remove unused plistlib import (fanquake) Pull request description: This includes [one followup](https://github.com/bitcoin/bitcoin/pull/20422#discussion_r534207899) and [one bug fix](https://github.com/bitcoin/bitcoin/commit/3d26b6b9e928e3cdc4b3d8d1f66ec7ed022b411b) from #20422, as well as some simplifications to the `macdeployqtplus` code. ACKs for top commit: hebasto: ACK 0a5723beea9c909b437e8c3fa434506019c1198c, tested on macOS Big Sur 11.4 (20F71, x86_64) + Homebrew's Qt 5.15.2. Tree-SHA512: cfad9505eacd32fe3a9d06eb13b2de0b6d2cad7b17778e90b503501cbf922e53d4e7f7f74952d1aed58410bdae9b0bb3248098583ef5b85689cb27d4dc06c029
2021-07-20Merge bitcoin/bitcoin#21711: guix: Add full installation and usage documentationfanquake
fac4814106c796b8786dd90053513cc35142dfe5 doc/release-process: Add torrent creation details (Carl Dong) 5d24cc3d82dad6812f8370c3ccc7c2b5a6c12c11 guix/INSTALL: Guix installs init scripts in libdir (Carl Dong) 5da2ee49d5b44de803b671aedbdd14e5c1d71ea9 guix/INSTALL: Add coreutils/inotify-dir-recreate troubleshooting (Carl Dong) 318c60700b7bbb7ec09a29bf037e7c2787646be6 guix: Adapt release-process.md to new Guix process (Carl Dong) fcab35b2292f9221eaba521740e8b3b2511a8b78 guix-attest: Produce and sign normalized documents (Carl Dong) c2541fd0ca99481a5a792a8f2772925d64fb0491 guix: Overhaul README (Carl Dong) 46ce6ce3782dfbd8f9d26dc2ba0f284755e75f2d tree-wide: Rename gitian-keys to builder-keys (Carl Dong) fc4f8449f34e32b0b9ac9d218d6c3264b02467ba guix: Update various check_tools lists (Carl Dong) 263220a85c1df218431fafbda07c8b23ccc4ce4d guix: Check for a sane services database (Carl Dong) Pull request description: Based on: #21462 Keeping the README in one file so that it's easy to search through. Will add more jumping links later so navigation is easier. Current TODOs: - [x] Shell installer option: prompt user to re-login for `/etc/profile.d` entry to be picked up - [x] Binary tarball option: prompt user to create `/etc/profile.d` entry and re-login - [x] Fanquake docker option: complete section - [x] Arch Linux AUR option: prompt to start `guix-daemon-latest` unit after finishing "optional setup" section - [x] Building from source option: Insert dependency tree diagram that I made - [x] Building from source option: redo sectioning, kind of a mess right now - [x] Optional setup: make clear which parts are only needed if building from source - [x] Workaround 1 for GnuTLS: perhaps mention how to remove Guix build farm's key - [x] Overall (after everything): Make the links work. Note to self: wherever possible, tell user how to check that something is true rather than branching by installation option. ACKs for top commit: fanquake: ACK fac4814106c796b8786dd90053513cc35142dfe5 - going to go ahead and merge this now. It's a lot of documentation, and could probably be nit-picked / improved further, however, that can continue over the next few weeks. I'm sure more (backportable) improvements / clarifications will be made while we progress through RCs towards a new release. Tree-SHA512: dc46c0ecdfc67c7c7743ca26e4a603eb3f54adbf81be2f4c1f4c20577ebb84b5250b9c9ec89c0e9860337ab1c7cff94d7963c603287267deecfe1cd987fa070a
2021-07-19guix/INSTALL: Guix installs init scripts in libdirCarl Dong
2021-07-19guix/INSTALL: Add coreutils/inotify-dir-recreate troubleshootingCarl Dong
2021-07-19guix-attest: Produce and sign normalized documentsCarl Dong
That way we can easily combine the document and detached signature to produce cleartext signature files for upload during the release process. See subsequent commits which modify doc/release-process.md for more details.
2021-07-19guix: Overhaul READMECarl Dong
- Added detailed Guix bootstrap/installation instructions
2021-07-18Merge bitcoin/bitcoin#22410: Avoid GCC 7.1 ABI change warning in guix buildfanquake
1edddf5de41b053049ce0b0bdbc39c2fbb743c40 Avoid GCC 7.1 ABI change warning in guix build (Pieter Wuille) Pull request description: The arm-linux-gnueabihf guix build output is littered with warnings like: ``` /gnu/store/7a96hdqdb2qi8a39f09n84xjy2hr23rs-gcc-cross-arm-linux-gnueabihf-8.4.0/include/c++/bits/stl_vector.h:1085:4: note: parameter passing for argument of type '__gnu_cxx::__normal_iterator<CRecipient*, std::vector<CRecipient> >' changed in GCC 7.1 ``` These are irrelevant for us. Disable them using `-Wno-psabi`. ACKs for top commit: laanwj: ACK 1edddf5de41b053049ce0b0bdbc39c2fbb743c40 hebasto: ACK 1edddf5de41b053049ce0b0bdbc39c2fbb743c40, after thorough reading related materials, I agree this change can be merged. As I mentioned above, I have been compiling my arm-32bit binaries with `-Wno-psabi` flag for two years, and no related flaws were observed. Tree-SHA512: 485c7500547ac5da567ad23847341c18ff832607f5a1002676404cc647e437cf3445b6894ecff5b52929ca52bea946c06bd90eace1997c895e56204e787065e4
2021-07-15guix: Bump to version-1.3.0 from upstreamCarl Dong
The chosen commit is the HEAD of Guix's version-1.3.0 branch as of July 15th, 2021. Also fix visual indenting.
2021-07-15guix: Pin kernel header versionCarl Dong
- Use 4.19 for riscv64 (earliest LTS release w/ riscv64 support) - Use 4.9 for all others (second-oldest LTS release, released in combination with glibc glibc 2.24 in Debian stretch)
2021-07-09net: change I2P seeds' ports to 0Vasil Dimov
2021-07-08tree-wide: Rename gitian-keys to builder-keysCarl Dong
2021-07-08guix: Update various check_tools listsCarl Dong
2021-07-08guix: Check for a sane services databaseCarl Dong
On bare systems, it is possible to be lacking a services database. Check for basic entries before attempting a build. See the error message in the diff for more context.
2021-07-07guix: Test security-check sanity before performing themCarl Dong
2021-07-07scripts: adjust test-symbol-check for guix release environmentfanquake
Now that our release binaries are build in a glibc 2.24 and 2.27 environment, we can't use a symbol from glibc 2.28 to test our checks. Replace renameat2() with nextup(), which was introduced in 2.24. Note that this also means re-disabling the test for RISC-V, however RISC-V is built in a glibc 2.27 environment, and our minimum required glibc for that binary is 2.27.
2021-07-07scripts: more robustly test macOS symbol checksfanquake
2021-07-07build: Use and test PE binutils with --reloc-sectionCarl Dong
Also fix test-security-check.py to account for new PE PIE failure indication.
2021-07-07guix: Patch binutils to add security-related disable flagsCarl Dong
We use these flags in our test-security-check make target, but they are only available because debian patches them in. We can patch them in for our Guix builds so that we can check the sanity of our security/symbol checking suite before running them.
2021-07-07devtools: Improve *-check.py tool detectionCarl Dong
This is important to make sure that we're not testing tools different from the one we're building with. Introduce determine_wellknown_cmd, which encapsulates how we should handle well-known tools specification (IFS splitting, env override, etc.).
2021-07-06Avoid GCC 7.1 ABI change warning in guix buildPieter Wuille
2021-07-06script: remove gitian reference from symbol-check.pyfanquake
2021-07-06guix: add additional documentation to patchesfanquake
2021-07-06guix: no-longer pass --enable-glibc-back-compat to Guixfanquake
Now that our Guix builds are performed on glibc 2.24 and 2.27 (RISCV), we no-longer need to pass the --enable-glibc-back-compat option. Replace it with --disable-threadlocal, to prevent the usage of symbols from glibc 2.18. None of the binaries produced required symbols later than 2.17, and 2.27 (RISCV).
2021-07-02guix: Also sort SHA256SUMS.partCarl Dong
2021-07-01guix: Build depends/qt with our platform definitionCarl Dong
Our 'bitcoin-linux-g++' definition better integrates with our depends system than the stock linux-g++-64 definition. This fixes a bug whereby Guix builds on x86_64 for x86_64 did not produce a QMinimalIntegrationPlugin and led to bitcoin-qt not being built.
2021-07-01guix: Rebase toolchain on glibc 2.24 (2.27 for riscv64)Carl Dong
Support for riscv64 in glibc landed in 2.27 so it's unavoidable that we use 2.27. Running a Bitcoin build with toolchains based on 2.24 for platforms other than riscv64 seem to produce binaries which do not have 2.17 symbols. So use 2.24 since it's more recent and maintained by Debian Stretch.
2021-06-24Merge bitcoin/bitcoin#22257: test: refactor: various (de)serialization ↵MarcoFalke
helpers cleanups/improvements bdb8b9a347e68f80a2e8d44ce5590a2e8214b6bb test: doc: improve doc for `from_hex` helper (mention `to_hex` alternative) (Sebastian Falbesoner) 191405420815d49ab50184513717a303fc2744d6 scripted-diff: test: rename `FromHex` to `from_hex` (Sebastian Falbesoner) a79396fe5f8f81c78cf84117a87074c6ff6c9d95 test: remove `ToHex` helper, use .serialize().hex() instead (Sebastian Falbesoner) 2ce7b47958c4a10ba20dc86c011d71cda4b070a5 test: introduce `tx_from_hex` helper for tx deserialization (Sebastian Falbesoner) Pull request description: There are still many functional tests that perform conversions from a hex-string to a message object (deserialization) manually. This PR identifies all those instances and replaces them with a newly introduced helper `tx_from_hex`. Instances were found via * `git grep "deserialize.*BytesIO"` and some of them manually, when it were not one-liners. Further, the helper `ToHex` was removed and simply replaced by `.serialize().hex()`, since now both variants are in use (sometimes even within the same test) and using the helper doesn't really have an advantage in readability. (see discussion https://github.com/bitcoin/bitcoin/pull/22257#discussion_r652404782) ACKs for top commit: MarcoFalke: review re-ACK bdb8b9a347e68f80a2e8d44ce5590a2e8214b6bb 😁 Tree-SHA512: e25d7dc85918de1d6755a5cea65471b07a743204c20ad1c2f71ff07ef48cc1b9ad3fe5f515c1efaba2b2e3d89384e7980380c5d81895f9826e2046808cd3266e
2021-06-21scripted-diff: test: rename `FromHex` to `from_hex`Sebastian Falbesoner
-BEGIN VERIFY SCRIPT- sed -i 's/\<FromHex\>/from_hex/g' $(git grep -l FromHex) -END VERIFY SCRIPT- Co-authored-by: MarcoFalke <falke.marco@gmail.com>
2021-06-21test: remove `ToHex` helper, use .serialize().hex() insteadSebastian Falbesoner
2021-06-21test: introduce `tx_from_hex` helper for tx deserializationSebastian Falbesoner
`FromHex` is mostly used for transactions, so we introduce a shortcut `tx_from_hex` for `FromHex(CTransaction, hex_str)`.
2021-06-21Merge bitcoin/bitcoin#22244: devtools: Correctly extract symbol versions in ↵W. J. van der Laan
symbol-check e8cd3700eeb27437f5ea435869c9d61214285fdd devtools: Integrate ARCH_MIN_GLIBC_VER table into MAX_VERSIONS in symbol-check.py (W. J. van der Laan) a33381acf5ae2b43616fffaf26b1c8962e8ef0bb devtools: Add xkb version to symbol-check (W. J. van der Laan) 19e598bab0a1cb5ad93321eb9fa25d1a58d5e276 devtools: Fix verneed section parsing in pixie (W. J. van der Laan) Pull request description: I misunderstood the ELF specification for version symbols (verneed): The `vn_aux` pointer is relative to the main verneed record, not the start of the section. This caused many symbols to not be versioned properly in the return value of `elf.dyn_symbols`. This was discovered in #21454. Fix it by correcting the offset computation. - xkb versions symbols (using the prefix `V`), as this library is used by bitcoin-qt, add it to the valid versions in `symbol-check.py` This unfortunately brings to light some symbols that have been introduced since and weren't caught (from a gitian compile of master): ``` bitcoin-cli: symbol getrandom from unsupported version GLIBC_2.25 bitcoin-cli: failed IMPORTED_SYMBOLS bitcoind: symbol getrandom from unsupported version GLIBC_2.25 bitcoind: symbol log from unsupported version GLIBC_2.29 bitcoind: symbol fcntl64 from unsupported version GLIBC_2.28 bitcoind: symbol pow from unsupported version GLIBC_2.29 bitcoind: symbol exp from unsupported version GLIBC_2.29 bitcoind: failed IMPORTED_SYMBOLS bitcoin-qt: symbol exp from unsupported version GLIBC_2.29 bitcoin-qt: symbol fcntl64 from unsupported version GLIBC_2.28 bitcoin-qt: symbol log from unsupported version GLIBC_2.29 bitcoin-qt: symbol pow from unsupported version GLIBC_2.29 bitcoin-qt: symbol statx from unsupported version GLIBC_2.28 bitcoin-qt: symbol getrandom from unsupported version GLIBC_2.25 bitcoin-qt: symbol renameat2 from unsupported version GLIBC_2.28 bitcoin-qt: symbol getentropy from unsupported version GLIBC_2.25 bitcoin-qt: failed IMPORTED_SYMBOLS bitcoin-wallet: symbol exp from unsupported version GLIBC_2.29 bitcoin-wallet: symbol log from unsupported version GLIBC_2.29 bitcoin-wallet: symbol fcntl64 from unsupported version GLIBC_2.28 bitcoin-wallet: failed IMPORTED_SYMBOLS test_bitcoin: symbol getrandom from unsupported version GLIBC_2.25 test_bitcoin: symbol log from unsupported version GLIBC_2.29 test_bitcoin: symbol fcntl64 from unsupported version GLIBC_2.28 test_bitcoin: symbol pow from unsupported version GLIBC_2.29 test_bitcoin: symbol exp from unsupported version GLIBC_2.29 test_bitcoin: failed IMPORTED_SYMBOLS ``` ACKs for top commit: hebasto: ACK e8cd3700eeb27437f5ea435869c9d61214285fdd Tree-SHA512: 8c15e3478eb642f01a1ddaadef03f80583f088f9fa8e3bf171ce16b0ec05ffb4675ec147d7ffc6a4360637ed47fca517c6ca2bac7bb30d794c03783cfb964b79