guix: use osslsigncode 2.5 #27179
e25dabb to 3558f46
It appears that osslsigncode has been updated to do more verification of the signature after applying it. It now requires having a CA bundle which is not currently present in our environment. The package
diff --git a/contrib/guix/libexec/codesign.sh b/contrib/guix/libexec/codesign.sh
index f6322d761c..6ffa0f07b2 100755
--- a/contrib/guix/libexec/codesign.sh
+++ b/contrib/guix/libexec/codesign.sh
@@ -77,6 +77,7 @@ mkdir -p "$DISTSRC"
osslsigncode attach-signature \
-in "$infile" \
-out "${OUTDIR}/${infile_base/-unsigned}" \
+ -CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" \
-sigin codesignatures/win/"$infile_base".pem
done
;;
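Review bot: the `-CAfile` argument added to the `attach-signature` call builds its path from `$GUIX_ENVIRONMENT` without checking that the variable is set or that the bundle exists. If the variable is empty or unset (and nounset is not in effect, which this hunk does not show), the argument becomes `/etc/ssl/certs/ca-certificates.crt`, so the post-attach verification either picks up whatever bundle happens to be at that path or fails with an error that does not name the real cause. Suggest `${GUIX_ENVIRONMENT:?}` in the path, or a readability test on the bundle before the loop, so the failure is immediate and explicit. A one-line comment that the bundle is needed because osslsigncode now verifies the signature after attaching it would also help future readers.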
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index 3519ec4b2b..85e3213ff9 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -601,7 +601,8 @@ inspecting signatures in Mach-O binaries.")
(list zip
(make-mingw-pthreads-cross-toolchain "x86_64-w64-mingw32")
(make-nsis-for-gcc-10 nsis-x86_64)
- osslsigncode))
+ osslsigncode
+ nss-certs))
((string-contains target "-linux-")
(list (make-bitcoin-cross-toolchain target)))
((string-contains target "darwin") |
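Review bot: `nss-certs` is added to the mingw package list with no comment, and nothing in manifest.scm ties it to the `-CAfile` argument in codesign.sh that consumes it. A later manifest cleanup could drop it as apparently unused and break signature attachment. Suggest a short comment next to `nss-certs` saying it supplies the CA bundle for osslsigncode, and a sentence in the PR description noting that the roots trusted during that verification are now whatever this package ships.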
Co-authored-by: Andrew Chow <github@achow101.com>
3558f46 to 285edfa
@achow101 thanks for taking a look. Rebased, and pulled your changes in here, for further testing.
c1471783bd078d094d886dc010ba6798c6d6abbd3b5329d7ce0ff3df05a3bcd9 guix-build-285edfadcacd/output/dist-archive/bitcoin-285edfadcacd.tar.gz
151e208ad965f1c89dda0ea01cff659930cdce060e1fc32e7db474fe5814a4a1 guix-build-285edfadcacd/output/x86_64-w64-mingw32/SHA256SUMS.part
d83fb0326d5c195d32a3243d494c34b6d0810c0aa36e174ff0d1eb1664f40413 guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-debug.zip
6f557b84042874ffbb6755cd279b3e45fa16b89eece12f8c3ab2546d4222c129 guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-setup-unsigned.exe
bb7e6579f81289046922b183676fa8e38502a19f61e3ad80969143ebdc602896 guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64-unsigned.tar.gz
c87d623f93ff8995cc84e19af5a8195aa4b97c6c8c59bf37bc4f7c347ed69601 guix-build-285edfadcacd/output/x86_64-w64-mingw32/bitcoin-285edfadcacd-win64.zip
ACK 285edfa
285edfa guix: use osslsigncode 2.5 (fanquake)

Pull request description:

Switches to using a newer version of [osslsigncode](https://github.com/mtrojnar/osslsigncode) in our Guix environment.

achow101 can you test this with some sort of Windows code-signing dry-run (no-rush).

ACKs for top commit:
achow101: ACK 285edfa

Tree-SHA512: 2ab8f65e506bd97e74e76f24e791ae20694e567a751cc57d3a27f31f0733e3530d058ef19825a35dc21d1342e3fffc52d8d643258198c669cc68b6db41bda629
Summary:
Co-authored-by: Andrew Chow <github@achow101.com>

This is a backport of [[bitcoin/bitcoin#27179 | core#27179]]

Depends on D15325

Test Plan: `contrib/guix/guix-build`

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D15326
Switches to using a newer version of osslsigncode in our Guix environment.
achow101 can you test this with some sort of Windows code-signing dry-run (no-rush).