| Age | Commit message (Collapse) | Author |
|---|
|
754fb6bb8125317575edec7c20b5617ad27a9bdd verifybinaries: fix argument type error pointed out by mypy (Cory Fields)
8a65e5145c4d128bb6c30c94e68434dd482db489 verifybinaries: catch the correct exception (Cory Fields)
4b23b488d2c5662215d78e4963ef5a2b86b4e25b verifybinaries: fix OS download filter (Cory Fields)
8cdadd17297e5f4487692eae88b1e60a42c8c4b2 verifybinaries: use recommended keyserver by default (Cory Fields)
4e0396835dd933a28446844da294040345f2e6ad verifybinaries: remove unreachable code (Cory Fields)
5668c6473a01528ac7d66b325b18b1cd2bd93063 verifybinaries: Don't delete shasums file (Cory Fields)
46c73b57c69933d7eb52e28595609e793e8eef6e verifybinaries: README cleanups (Cory Fields)
6d118302654481927e864a428950960e26eb7f4a verifybinaries: remove awkward bitcoin-core prefix handling (Cory Fields)
c44323a71705b6df9aafe90df24072e735a5c2ff verifybinaries: move all current examples to the pub subcommand (Cory Fields)
7a6e7ffd066a42c5fbb7d69effbe074fb982936b contrib: Use machine parseable GPG output in verifybinaries (Andrew Chow)
6b2cebfa2f1526f7eae31eb645c71712f0a69e97 contrib: Add verifybinaries command for specifying files to verify (Andrew Chow)
e4d577822835d4866e2ad046f23ab411b2910d59 contrib: Specify to GPG the SHA256SUMS file that is detached signed (Andrew Chow)
17575c0efa960ffb765392e3565b3861846f398e contrib: Refactor verifbinaries to support subcommands (Andrew Chow)
37c9fb7a59a3179b90ed1deaebaabb539976504b contrib: verifybinaries: allow multisig verification (James O'Beirne)
Pull request description:
Following up on #23020 from jamesob with achow101's additional features on top.
Both mentioned that they will be away for the next few weeks, so this is intended to keep review going.
All credit to the jamesob and achow101. See #23020 for the original description and [here](https://github.com/bitcoin/bitcoin/pull/23020#issuecomment-1480603300) for the added features.
I squashed the last commit from https://github.com/achow101/bitcoin/tree/pr23020-direct-bins-gpg-parse into the first commit here.
Fetching and local verification seem to work as intended for me.
ACKs for top commit:
josibake:
ACK https://github.com/bitcoin/bitcoin/pull/27358/commits/754fb6bb8125317575edec7c20b5617ad27a9bdd
Tree-SHA512: b310c57518daa690a00126308a3e7e94b978ded56d13da15d5189e9e90b71c93888d854f64179150586b0a915db8dadd43c92b716613913c198128db8867257b
|
|
|
|
|
|
Co-authored-by: Reproducibility Matters <seb.kung@gmail.com>
|
|
|
|
|
|
It may be useful for local validation.
|
|
- Use correct name for verify.py
- Add usage examples for verifybinaries bin
- Document proper use of new cleanup option
- Fixup broken example
|
|
|
|
|
|
This further minifies the Guix release build environment.
|
|
GPG has an option to provide machine parseable output. Use that instead
of trying to parse the human readable output.
|
|
In addition to verifying the published releases with the `pub` command,
the verifybinaries script is updated to take a `bin` command where the
user specifies the local files, sums, and sigs to verify.
|
|
|
|
Prepares for the option to provide local binaries, sha256sums, and
signatures directly.
|
|
This commit adds the functionality necessary to transition from
doing binary verification on the basis of a single signature to
requiring a minimum threshold of trusted signatures.
A signature can appear as "good" from GPG output, but it may not come
from an identity the user trusts. We call these "good, untrusted"
signatures.
We report bad signatures but do not necessarily fail in their presence,
since a bad signature might coexist with enough good, trusted signatures
to fulfill our criteria.
If "--import-keys" is enabled, we will prompt the user to
optionally try to retrieve unknown keys. Marking them as trusted locally
is a WIP, but keys which are retrieved successfully and appear on the
builder-keys list will immediately count as being useful towards
fulfilling the threshold.
Logging is improved and an option to output JSON that summarizes the
whole sum signature and binary verification processes has been added.
Co-authored-by: Russ Yanofsky <russ@yanofsky.org>
Co-authored-by: willcl-ark <will8clark@gmail.com>
|
|
This way, correct `--plugin` argument are passed through.
This is a prerequisite for LTO (see #25391).
|
|
4becee396f3bda40832138dd1aaa90368ed31857 guix: combine and document enable_werror (fanquake)
Pull request description:
Combine into `hardened-glibc`.
Document why we don't use `--disable-werror` directly.
https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html
> By default, the GNU C Library is built with -Werror. If you wish
> to build without this option (for example, if building with a
> newer version of GCC than this version of the GNU C Library was
> tested with, so new warnings cause the build with -Werror to fail),
> you can configure with --disable-werror.
ACKs for top commit:
hebasto:
ACK 4becee396f3bda40832138dd1aaa90368ed31857, the diff is correct.
TheCharlatan:
ACK 4becee396f3bda40832138dd1aaa90368ed31857
Tree-SHA512: 8724415f51b4d72d40c4e797faf52c93a81147fb629332b9388ffd7f113f2b16db3b7496bf3063dd978ac629fd5bde3ec7df4f1ff1ed714cb56f316a9334d119
|
|
Combine into hardened-glibc.
Document why we don't use --disable-werror directly.
https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html
> By default, the GNU C Library is built with -Werror. If you wish
> to build without this option (for example, if building with a
> newer version of GCC than this version of the GNU C Library was
> tested with, so new warnings cause the build with -Werror to fail),
> you can configure with --disable-werror.
|
|
This also fixes atleast one --no-substitues build failure I've seen,
where cmake dependencies wouldn't build:
```bash
The following derivations will be built:
/gnu/store/7qqvqq2g7l5ylrjv0gn6zha565a12kar-python-lief-0.12.1.drv
/gnu/store/f9zwh1ldy63ga0i5w6cbbqlj6sfq226j-cmake-3.21.4.drv
/gnu/store/3wg6ya847id503m5izhzhn1qqs464lfk-python-sphinx-4.2.0.drv
building /gnu/store/3wg6ya847id503m5izhzhn1qqs464lfk-python-sphinx-4.2.0.drv...
/ 'check' phasenote: keeping build directory `/tmp/guix-build-python-sphinx-4.2.0.drv-5'
builder for `/gnu/store/3wg6ya847id503m5izhzhn1qqs464lfk-python-sphinx-4.2.0.drv' failed with exit code 1
build of /gnu/store/3wg6ya847id503m5izhzhn1qqs464lfk-python-sphinx-4.2.0.drv failed
View build log at '/var/log/guix/drvs/3w/g6ya847id503m5izhzhn1qqs464lfk-python-sphinx-4.2.0.drv.gz'.
cannot build derivation `/gnu/store/f9zwh1ldy63ga0i5w6cbbqlj6sfq226j-cmake-3.21.4.drv': 1 dependencies couldn't be built
cannot build derivation `/gnu/store/7qqvqq2g7l5ylrjv0gn6zha565a12kar-python-lief-0.12.1.drv': 1 dependencies couldn't be built
guix environment: error: build of `/gnu/store/7qqvqq2g7l5ylrjv0gn6zha565a12kar-python-lief-0.12.1.drv' failed
```
|
|
Updates to version 0.12.3.
Retain our PPC64 patch.
Mention when we can drop our local definition.
|
|
285edfadcacde4921c0afa2092c613daf21a55aa guix: use osslsigncode 2.5 (fanquake)
Pull request description:
Switches to using a newer version of [osslsigncode](https://github.com/mtrojnar/osslsigncode) in our Guix environment.
achow101 can you test this with some sort of WIndows code-signing dry-run (no-rush).
ACKs for top commit:
achow101:
ACK 285edfadcacde4921c0afa2092c613daf21a55aa
Tree-SHA512: 2ab8f65e506bd97e74e76f24e791ae20694e567a751cc57d3a27f31f0733e3530d058ef19825a35dc21d1342e3fffc52d8d643258198c669cc68b6db41bda629
|
|
4b7aec2951fe4595946cdc804b0dec1921d79d05 Add mempool tracepoints (virtu)
Pull request description:
This PR adds multiple mempool tracepoints.
| tracepoint | description |
| ------------- | ------------- |
| `mempool:added` | Is called when a transaction enters the mempool |
| `mempool:removed` | ... when a transaction is removed from the mempool |
| `mempool:replaced` | ... when a transaction is replaced in the mempool |
| `mempool:rejected` | ... when a transaction is rejected from entering the mempool |
The tracepoints are further documented in `docs/tracing.md`. Usage is demonstrated in the example script `contrib/tracing/mempool_monitor.py`. Interface tests are provided in `test/functional/interface_usdt_mempool.py`.
The rationale for passing the removal reason as a string instead of numerically is that the benefits of not having to maintain a redundant enum-string mapping seem to outweigh the small cost of string generation. The reject reason is passed as string as well, although in this instance the string does not have to be generated but is readily available.
ACKs for top commit:
0xB10C:
ACK 4b7aec2951fe4595946cdc804b0dec1921d79d05
achow101:
ACK 4b7aec2951fe4595946cdc804b0dec1921d79d05
Tree-SHA512: 6deb3ba2d1a061292fb9b0f885f7a5c4d11b109b838102d8a8f4828cd68f5cd03fa3fc64adc6fdf54a08a1eaccce261b0aa90c2b8c33cd5fd3828c8f74978958
|
|
Tracepoints for added, removed, replaced, and rejected transactions.
The removal reason is passed as string instead of a numeric value, since
the benefits of not having to maintain a redundant enum-string mapping
seem to outweigh the small cost of string generation. The reject reason
is passed as string as well, although here the string does not have to
be generated but is readily available.
So far, tracepoint PRs typically included two demo scripts: a naive
bpftrace script to show raw tracepoint data and a bcc script for a more
refined view. However, as some of the ongoing changes to bpftrace
introduce a certain degree of unreliability (running some of the
existing bpftrace scripts was not possible with standard kernels and
bpftrace packages on latest stable Ubuntu, Debian, and NixOS), this PR
includes only a single bcc script that fuses the functionality of former
bpftrace and bcc scripts.
|
|
Co-authored-by: Andrew Chow <github@achow101.com>
|
|
This returns us to pre-Guix behaviour, where the compilers we were using
to build releases, were configured with this option.
|
|
packages in our manifest
2c9eb4afe1f583aafa552b2711b149f17ef8320f guix: use cmake-minimal over cmake (fanquake)
1475515312856afe3f19a95f2c32bc80c7c54484 guix: use coreutils-minimal over coreutils (fanquake)
444562141504ff7f0bb071d6e7bf7f511517e372 guix: use bash-minimal over bash (fanquake)
Pull request description:
Minimal versions of the same packages, that should still be sufficient for our use:
> (define-public bash-minimal
;; A stripped-down Bash for non-interactive use.
> (define-public coreutils-minimal
;; Coreutils without its optional dependencies.
> ;;; This minimal variant of CMake does not include the documentation. It is
;;; used by the cmake-build-system.
(define-public cmake-minimal
ACKs for top commit:
TheCharlatan:
ACK 2c9eb4afe1f5
Sjors:
tACK 2c9eb4afe1f583aafa552b2711b149f17ef8320f
achow101:
ACK 2c9eb4afe1f583aafa552b2711b149f17ef8320f
hebasto:
ACK 2c9eb4afe1f583aafa552b2711b149f17ef8320f,
Tree-SHA512: f91ca9e088b8346b20c2affc80870c31640de3aedcfcc0fb98a5e82c77ef64537870b88552f26759d31d8d0956b1fd685e6c25d5acbc92f5feaececd1a7dd37e
|
|
|
|
|
|
|
|
|
|
maintainers leaving
14fac808bd6c12bce121011bbf50501960c7326f verify-commits: Mention git v2.38.0 requirement (Andrew Chow)
bb86887527d817ee2a015863ddf3541dac42080f verify-commits: Skip checks for commits older than trusted roots (Andrew Chow)
5497c1483097a9b582ef78089a2ce1101b7d722e verify-commits: Use merge-tree in clean merge check (Andrew Chow)
76923bfa09397568fb8eb72142468a986fc6f790 verify-commits: Remove all allowed commit exceptions (Andrew Chow)
53b07b2b47aa3d4ca80fac74e432783a1e724df3 verify-commits: Move trusted-keys valid sig check into verify-commits itself (Andrew Chow)
Pull request description:
Currently the `verify-commits.py` script does not work well with maintainers giving up their commit access. If a key is removed from `trusted-keys`, any commits it signed previously will fail to verify, however keys cannot be kept in the list as it would allow that person to continue to push new commits. Furthermore, the `trusted-keys` used depends on the working tree which `verify-commits.py` itself may be modifying. When the script is run, the `trusted-keys` may be the one that is intended to be used, but the script may change the tree to a different commit with a different `trusted-keys` and use that instead!
To resolve these issues, I've updated `verify-commits.py` to load the `trusted-keys` file and check the keys itself rather than delegating that to `gpg.sh` (which previously read in `trusted-keys`). This avoids the issue with the tree changing.
I've also updated the script so that it stops modifying the tree. It would do this for the clean merge check where it would checkout each individual commit and attempt to reapply the merges, and then checking out the commit given as a cli arg. `git merge-tree` lets us do basically that but without modifying the tree. It will give us the object id for the resulting tree which we can compare against the object id of the tree in the merge commit in question. This also appears to be quite a bit faster.
Lastly I've removed all of the exception commits in `allow-revsig-commits`, `allow-incorrect-sha512-commits`, and `allow-unclean-merge-commits` since all of these predate the commits in `trusted-git-root` and `trusted-sha512-root`. I've also updated the script to skip verification of commits that predate `trusted-git-root`, and skip sha512 verification for those that predate `trusted-sha512-root`.
ACKs for top commit:
Sjors:
ACK 14fac808bd6c12bce121011bbf50501960c7326f
glozow:
Concept ACK 14fac808bd6c12bce121011bbf50501960c7326f
Tree-SHA512: f9b0c6e1f1aecb169cdd6c833b8871b15e31c2374dc589858df0523659b294220d327481cc36dd0f92e9040d868eee6a8a68502f3163e05fa751f9fc2fa8832a
|
|
trusted-git-root
fab17f08e24f0db687dc25c5e10eb62293070048 Revert "[contrib] verify-commits: Add MarcoFalke fingerprint" (MarcoFalke)
Pull request description:
This reverts commit fa243293343eb964bfee5b91cc52b91f16232ab6.
The commit may be signed by my key, but I haven't checked it. Also, I haven't checked the new `contrib/verify-commits/trusted-git-root`.
ACKs for top commit:
achow101:
ACK fab17f08e24f0db687dc25c5e10eb62293070048
glozow:
ACK fab17f08e2
Tree-SHA512: 485fb302f7e42704412afffd6c09a031f63df18f259b27282b8373d5bf95b0ec72426cec476d88bf23e793a6e1dae4c1df2059645961806e34b50448ebf1862a
|
|
61bb4e783b3acc62b121a228f6b14c2462e23315 lint: enable E722 do not use bare except (Leonardo Lazzaro)
Pull request description:
Improve test code and enable E722 lint check.
If you want to catch all exceptions that signal program errors, use except Exception: (bare except is equivalent to except BaseException:).
Reference: https://peps.python.org/pep-0008/#programming-recommendations
ACKs for top commit:
MarcoFalke:
lgtm ACK 61bb4e783b3acc62b121a228f6b14c2462e23315
Tree-SHA512: c7497769d5745fa02c78a20f4a0e555d8d3996d64af6faf1ce28e22ac1d8be415b98e967294679007b7bda2a9fd04031a9d140b24201e00257ceadeb5c5d7665
|
|
|
|
This reverts commit fa243293343eb964bfee5b91cc52b91f16232ab6.
|
|
|
|
d5d4b75840b4219495ed0fc421a4b71e757224ee guix: combine glibc hardening options into hardened-glibc (fanquake)
c49f2b8eb5d70aea76e2aa06cdfcb2cc9fa1cb53 guix: remove no-longer needed powerpc workaround (fanquake)
74c989398971864afc7098818262ff0b76fbcf71 guix: use glibc 2.27 for all Linux builds (fanquake)
Pull request description:
Build against glibc 2.27 for all Linux builds (previously only used for RISC-V), and at the same time, increase our minimum required glibc to 2.27 (2018). This would drop support for Ubuntu Xenial (16.04) & Debian Stretch (9), from the produced release binaries. Compiling from source on those systems may be possible, assuming you can install a recent enough compiler/toolchain etc.
ACKs for top commit:
hebasto:
ACK d5d4b75840b4219495ed0fc421a4b71e757224ee, I have reviewed the code and it looks OK, I agree it can be merged.
Tree-SHA512: 910f0ef45b4558f2a45d35a5c1c39aaac97e8aff086dc4fc1eddbb80c0b6e4bd23667d64e21d0fd42e4db37b6f26f447ca5d1150bb861128af7e71fb42835cf8
|
|
|
|
|
|
These commits predate the current trusted root.
|
|
Instead of having gpg.sh check against the trusted keys for a valid
signature, do it inside of verify-commits itself.
This also allows us to use the same trusted-keys throughout the
verify-commits.py check rather than it possibly being modified during
the clean merge check.
|
|
This key is no-longer in use:
https://lists.linuxfoundation.org/pipermail/bitcoin-core-dev/2023-February/000115.html
|
|
aafa5e945cef7a4f65ddadcf548932dd4e27ada1 Remove laanwj from trusted-keys (laanwj)
Pull request description:
allow-revsig-commits list generated using:
git log --format="%H %ce" --merges 577bd51a4b8de066466a445192c1c653872657e2..master | grep laanwj | cut -c -40 >> allow-revsig-commits
ACKs for top commit:
Sjors:
tACK aafa5e945cef7a4f65ddadcf548932dd4e27ada1 😢
achow101:
ACK aafa5e945cef7a4f65ddadcf548932dd4e27ada1
fanquake:
ACK aafa5e945cef7a4f65ddadcf548932dd4e27ada1
Tree-SHA512: 5e38ac8101f948030f9577480bfba14674351a7d697d7f6985966d98a0200fa110cee13fb331a1ff0c05874d92d9d03402c540f063155e7eea093accb5f4590e
|
|
|
|
|
|
Also point to the latest commit on the glibc 2.27 releases branch.
https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/release/2.27/master
|
|
To prepare for the removal of laanwj's key from trusted key, the trusted
git root needs to be newer than the most recent merge commit signed by
his key.
|
|
allow-revsig-commits list generated using:
git log --format="%H %ce" --merges 577bd51a4b8de066466a445192c1c653872657e2..master | grep laanwj | cut -c -40 >> allow-revsig-commits
Tree-SHA512: e665d1f3f6ae45ad435cb2802d49988f5133d695b145aa2dc65af95c052e562e0afaf585c351a41529985b4229965cf555f7197a44c90ba7daaea7a28975648d
|
|
(`makeseeds`)
1c07500dbb6b93510425c8bbdb320f2533efdb3d contrib: make DNS seeds file an argument in CLI (brunoerg)
Pull request description:
Instead of using `makeseeds.py` this way:
```sh
python3 makeseeds.py -a asmap-filled.dat < seeds_main.txt > nodes_main.txt
```
We could use the DNS seeds file as an argument since it is a required one. It improves the way the script handles it when that file is missing as well as makes this script more friendly.
E.g:
```sh
python3 makeseeds.py -a asmap-filled.dat -s seeds_main.txt > nodes_main.txt
```
ACKs for top commit:
vincenzopalazzo:
ACK https://github.com/bitcoin/bitcoin/pull/26701/commits/1c07500dbb6b93510425c8bbdb320f2533efdb3d
Tree-SHA512: bddf728d5d376659155f5bbeb1fa0d42aa273ec4a0cf5687f4d3f3be85625f541d392f30008e3c9d2c65967cb882deb36af34330994727771be73c9adeb521e0
|
