Merge bitcoin/bitcoin#31407: guix: Notarize MacOS app bundle and codesign all MacOS and Windows binaries

e181bda061 guix: Apply all codesignatures to Windows binaries (Ava Chow)
aafbd23fd9 guix: Apply codesignatures to all MacOS binaries (Ava Chow)
3656b828dc contrib: Sign all Windows binaries too (Ava Chow)
31d325464d contrib: Sign and notarize all MacOS binaries (Ava Chow)
710d5b5149 guix: Update signapple (Ava Chow)
e8b3c44da6 build: Include all Windows binaries for codesigning (Ava Chow)
dd4ec840ee build: Include all MacOS binaries for codesigning (Ava Chow)
4e5c9ceb9d guix: Rename Windows unsigned binaries to unsigned.zip (Ava Chow)
d9d49cd533 guix: Rename MacOS binaries to unsigned.tar.gz (Ava Chow)
c214e5268f guix: Rename unsigned.tar.gz to codesigning.tar.gz (Ava Chow)

Pull request description:

  I have updated signapple to notarize MacOS app bundles without adding any additional dependencies. Further, it can also sign and apply detached signatures to standalone binaries.

  As such, we can use signapple to perform the notarization and stapling steps so that MacOS will run the app bundle after it is installed. `detached-sig-create.sh` is updated to have a notarization step and to download the ticket which will be included in the detached signatures. The workflow is largely unchanged for the MacOS codesigners except for the additional requirement of having an App Store Connect API key and Team UUID, instructions for which can be found at https://github.com/achow101/signapple/blob/master/docs/notarization.md. For guix builders, the workflow is unchanged.

  Additionally, the standalone binaries packaged in the MacOS `.tar.gz` and Windows `.zip` will now be codesigned. `detached-sig-create.sh` was updated to handle these, so the workflow for both MacOS and Windows codesigners remains unchanged. For guix builders, the workflow is also unchanged.

  Because those binaries will now have codesigned and unsigned versions, the build command is modified to output `-unsigned.{tar.gz,zip}` archives containing the binaries. Since this happens to conflict with the tarball used for codesigning, the codesigning tarball was renamed to `-codesigning.tar.gz`. Both MacOS and Windows codesigners will need to adjust their workflows to account for the new name.

  Fixes #15774 and #29749

ACKs for top commit:
  Sjors:
    Tested ACK e181bda061
  davidgumberg:
    Tested ACK e181bda061.
  pinheadmz:
    tested ACK e181bda061

Tree-SHA512: ce0e2bf38e1748cdaa0d13be6f61c3289cd09cfb7d071a68b0b13d2802b3936c9112eda6e4c7b29c535c0995d56b14871442589cdcea2e7707e35c1b278b9263
merge-script 2025-03-05 17:34:26 +00:00
commit bd0ee07310
No known key found for this signature in database
GPG key ID: 2EEB9F5CC09526C1
7 changed files with 161 additions and 77 deletions


@ -137,7 +137,7 @@ fi
################ ################
# Unsigned tarballs SHOULD exist # Codesigning tarballs SHOULD exist
################ ################
# Usage: outdir_for_host HOST SUFFIX # Usage: outdir_for_host HOST SUFFIX
@ -149,13 +149,13 @@ outdir_for_host() {
} }
unsigned_tarball_for_host() { codesigning_tarball_for_host() {
case "$1" in case "$1" in
*mingw*) *mingw*)
echo "$(outdir_for_host "$1")/${DISTNAME}-win64-unsigned.tar.gz" echo "$(outdir_for_host "$1")/${DISTNAME}-win64-codesigning.tar.gz"
;; ;;
*darwin*) *darwin*)
echo "$(outdir_for_host "$1")/${DISTNAME}-${1}-unsigned.tar.gz" echo "$(outdir_for_host "$1")/${DISTNAME}-${1}-codesigning.tar.gz"
;; ;;
*) *)
exit 1 exit 1
@ -164,22 +164,22 @@ unsigned_tarball_for_host() {
} }
# Accumulate a list of build directories that already exist... # Accumulate a list of build directories that already exist...
hosts_unsigned_tarball_missing="" hosts_codesigning_tarball_missing=""
for host in $HOSTS; do for host in $HOSTS; do
if [ ! -e "$(unsigned_tarball_for_host "$host")" ]; then if [ ! -e "$(codesigning_tarball_for_host "$host")" ]; then
hosts_unsigned_tarball_missing+=" ${host}" hosts_codesigning_tarball_missing+=" ${host}"
fi fi
done done
if [ -n "$hosts_unsigned_tarball_missing" ]; then if [ -n "$hosts_codesigning_tarball_missing" ]; then
# ...so that we can print them out nicely in an error message # ...so that we can print them out nicely in an error message
cat << EOF cat << EOF
ERR: Unsigned tarballs do not exist ERR: Codesigning tarballs do not exist
... ...
EOF EOF
for host in $hosts_unsigned_tarball_missing; do for host in $hosts_codesigning_tarball_missing; do
echo " ${host} '$(unsigned_tarball_for_host "$host")'" echo " ${host} '$(codesigning_tarball_for_host "$host")'"
done done
exit 1 exit 1
fi fi
@ -371,7 +371,7 @@ EOF
OUTDIR="$(OUTDIR_BASE=/outdir-base && outdir_for_host "$HOST" codesigned)" \ OUTDIR="$(OUTDIR_BASE=/outdir-base && outdir_for_host "$HOST" codesigned)" \
DIST_ARCHIVE_BASE=/outdir-base/dist-archive \ DIST_ARCHIVE_BASE=/outdir-base/dist-archive \
DETACHED_SIGS_REPO=/detached-sigs \ DETACHED_SIGS_REPO=/detached-sigs \
UNSIGNED_TARBALL="$(OUTDIR_BASE=/outdir-base && unsigned_tarball_for_host "$HOST")" \ CODESIGNING_TARBALL="$(OUTDIR_BASE=/outdir-base && codesigning_tarball_for_host "$HOST")" \
bash -c "cd /bitcoin && bash contrib/guix/libexec/codesign.sh" bash -c "cd /bitcoin && bash contrib/guix/libexec/codesign.sh"
) )


@ -281,24 +281,6 @@ mkdir -p "$DISTSRC"
;; ;;
esac esac
case "$HOST" in
*darwin*)
cmake --build build --target deploy ${V:+--verbose}
mv build/dist/Bitcoin-Core.zip "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.zip"
mkdir -p "unsigned-app-${HOST}"
cp --target-directory="unsigned-app-${HOST}" \
contrib/macdeploy/detached-sig-create.sh
mv --target-directory="unsigned-app-${HOST}" build/dist
(
cd "unsigned-app-${HOST}"
find . -print0 \
| sort --zero-terminated \
| tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
| gzip -9n > "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.tar.gz" \
|| ( rm -f "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.tar.gz" && exit 1 )
)
;;
esac
( (
cd installed cd installed
@ -327,7 +309,7 @@ mkdir -p "$DISTSRC"
cp -r "${DISTSRC}/share/rpcauth" "${DISTNAME}/share/" cp -r "${DISTSRC}/share/rpcauth" "${DISTNAME}/share/"
# Finally, deterministically produce {non-,}debug binary tarballs ready # Deterministically produce {non-,}debug binary tarballs ready
# for release # for release
case "$HOST" in case "$HOST" in
*mingw*) *mingw*)
@ -335,8 +317,8 @@ mkdir -p "$DISTSRC"
| xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
find "${DISTNAME}" -not -name "*.dbg" \ find "${DISTNAME}" -not -name "*.dbg" \
| sort \ | sort \
| zip -X@ "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}.zip" \ | zip -X@ "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}-unsigned.zip" \
|| ( rm -f "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}.zip" && exit 1 ) || ( rm -f "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}-unsigned.zip" && exit 1 )
find "${DISTNAME}" -name "*.dbg" -print0 \ find "${DISTNAME}" -name "*.dbg" -print0 \
| xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
find "${DISTNAME}" -name "*.dbg" \ find "${DISTNAME}" -name "*.dbg" \
@ -360,12 +342,13 @@ mkdir -p "$DISTSRC"
find "${DISTNAME}" -print0 \ find "${DISTNAME}" -print0 \
| sort --zero-terminated \ | sort --zero-terminated \
| tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \ | tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
| gzip -9n > "${OUTDIR}/${DISTNAME}-${HOST}.tar.gz" \ | gzip -9n > "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.tar.gz" \
|| ( rm -f "${OUTDIR}/${DISTNAME}-${HOST}.tar.gz" && exit 1 ) || ( rm -f "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.tar.gz" && exit 1 )
;; ;;
esac esac
) # $DISTSRC/installed ) # $DISTSRC/installed
# Finally make tarballs for codesigning
case "$HOST" in case "$HOST" in
*mingw*) *mingw*)
cp -rf --target-directory=. contrib/windeploy cp -rf --target-directory=. contrib/windeploy
@ -373,11 +356,31 @@ mkdir -p "$DISTSRC"
cd ./windeploy cd ./windeploy
mkdir -p unsigned mkdir -p unsigned
cp --target-directory=unsigned/ "${OUTDIR}/${DISTNAME}-win64-setup-unsigned.exe" cp --target-directory=unsigned/ "${OUTDIR}/${DISTNAME}-win64-setup-unsigned.exe"
cp -r --target-directory=unsigned/ "${INSTALLPATH}"
find unsigned/ -name "*.dbg" -print0 \
| xargs -0r rm
find . -print0 \ find . -print0 \
| sort --zero-terminated \ | sort --zero-terminated \
| tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \ | tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
| gzip -9n > "${OUTDIR}/${DISTNAME}-win64-unsigned.tar.gz" \ | gzip -9n > "${OUTDIR}/${DISTNAME}-win64-codesigning.tar.gz" \
|| ( rm -f "${OUTDIR}/${DISTNAME}-win64-unsigned.tar.gz" && exit 1 ) || ( rm -f "${OUTDIR}/${DISTNAME}-win64-codesigning.tar.gz" && exit 1 )
)
;;
*darwin*)
cmake --build build --target deploy ${V:+--verbose}
mv build/dist/Bitcoin-Core.zip "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.zip"
mkdir -p "unsigned-app-${HOST}"
cp --target-directory="unsigned-app-${HOST}" \
contrib/macdeploy/detached-sig-create.sh
mv --target-directory="unsigned-app-${HOST}" build/dist
cp -r --target-directory="unsigned-app-${HOST}" "${INSTALLPATH}"
(
cd "unsigned-app-${HOST}"
find . -print0 \
| sort --zero-terminated \
| tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
| gzip -9n > "${OUTDIR}/${DISTNAME}-${HOST}-codesigning.tar.gz" \
|| ( rm -f "${OUTDIR}/${DISTNAME}-${HOST}-codesigning.tar.gz" && exit 1 )
) )
;; ;;
esac esac
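Review bot: `cp -r --target-directory=unsigned/ "${INSTALLPATH}"` (and the darwin copy into `unsigned-app-${HOST}`) relies on the basename of `INSTALLPATH` being `${DISTNAME}`, which is the path `codesign.sh` later reads back as `unsigned/${DISTNAME}`; an explicit destination such as `cp -r "${INSTALLPATH}" "unsigned/${DISTNAME}"` makes that contract visible and fails loudly if the install prefix ever changes.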


@ -4,6 +4,9 @@
# file COPYING or http://www.opensource.org/licenses/mit-license.php. # file COPYING or http://www.opensource.org/licenses/mit-license.php.
export LC_ALL=C export LC_ALL=C
set -e -o pipefail set -e -o pipefail
# Environment variables for determinism
export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name"
export TZ=UTC export TZ=UTC
# Although Guix _does_ set umask when building its own packages (in our case, # Although Guix _does_ set umask when building its own packages (in our case,
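Review bot: `TAR_OPTIONS` expands `${SOURCE_DATE_EPOCH}` at definition time, before the required-variable check below, and the visible part of that check does not list it; an unset value would silently produce `--mtime='@'`. Writing `--mtime='@${SOURCE_DATE_EPOCH:?not set}'` in the export guards it regardless of what the check contains. Minor: `--sort=name` only affects tar's own directory recursion, so it is a no-op for the `--no-recursion --files-from=-` invocations in this script, whose order comes from the `sort --zero-terminated` pipe.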
@ -27,7 +30,7 @@ fi
# Check that required environment variables are set # Check that required environment variables are set
cat << EOF cat << EOF
Required environment variables as seen inside the container: Required environment variables as seen inside the container:
UNSIGNED_TARBALL: ${UNSIGNED_TARBALL:?not set} CODESIGNING_TARBALL: ${CODESIGNING_TARBALL:?not set}
DETACHED_SIGS_REPO: ${DETACHED_SIGS_REPO:?not set} DETACHED_SIGS_REPO: ${DETACHED_SIGS_REPO:?not set}
DIST_ARCHIVE_BASE: ${DIST_ARCHIVE_BASE:?not set} DIST_ARCHIVE_BASE: ${DIST_ARCHIVE_BASE:?not set}
DISTNAME: ${DISTNAME:?not set} DISTNAME: ${DISTNAME:?not set}
@ -63,27 +66,54 @@ mkdir -p "$DISTSRC"
( (
cd "$DISTSRC" cd "$DISTSRC"
tar -xf "$UNSIGNED_TARBALL" tar -xf "$CODESIGNING_TARBALL"
mkdir -p codesignatures mkdir -p codesignatures
tar -C codesignatures -xf "$CODESIGNATURE_GIT_ARCHIVE" tar -C codesignatures -xf "$CODESIGNATURE_GIT_ARCHIVE"
case "$HOST" in case "$HOST" in
*mingw*) *mingw*)
find "$PWD" -name "*-unsigned.exe" | while read -r infile; do # Apply detached codesignatures
infile_base="$(basename "$infile")" WORKDIR=".tmp"
mkdir -p ${WORKDIR}
# Codesigned *-unsigned.exe and output to OUTDIR cp -r --target-directory="${WORKDIR}" "unsigned/${DISTNAME}"
find "${WORKDIR}/${DISTNAME}" -name "*.exe" -type f -exec rm {} \;
find unsigned/ -name "*.exe" -type f | while read -r bin
do
bin_base="$(realpath --relative-to=unsigned/ "${bin}")"
mkdir -p "${WORKDIR}/$(dirname "${bin_base}")"
osslsigncode attach-signature \ osslsigncode attach-signature \
-in "$infile" \ -in "${bin}" \
-out "${OUTDIR}/${infile_base/-unsigned}" \ -out "${WORKDIR}/${bin_base/-unsigned}" \
-CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" \ -CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" \
-sigin codesignatures/win/"$infile_base".pem -sigin codesignatures/win/"${bin_base}".pem
done done
# Move installer to outdir
cd "${WORKDIR}"
find . -name "*setup.exe" -print0 \
| xargs -0r mv --target-directory="${OUTDIR}"
# Make .zip from binaries
find "${DISTNAME}" -print0 \
| xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
find "${DISTNAME}" \
| sort \
| zip -X@ "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}.zip" \
|| ( rm -f "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}.zip" && exit 1 )
;; ;;
*darwin*) *darwin*)
# Apply detached codesignatures to dist/ (in-place) case "$HOST" in
signapple apply dist/Bitcoin-Qt.app codesignatures/osx/dist arm64*) ARCH="arm64" ;;
x86_64*) ARCH="x86_64" ;;
esac
# Apply detached codesignatures (in-place)
signapple apply dist/Bitcoin-Qt.app codesignatures/osx/"${HOST}"/dist/Bitcoin-Qt.app
find "${DISTNAME}" -wholename "*/bin/*" -type f | while read -r bin
do
signapple apply "${bin}" "codesignatures/osx/${HOST}/${bin}.${ARCH}sign"
done
# Make a .zip from dist/ # Make a .zip from dist/
cd dist/ cd dist/
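Review bot: the `case "$HOST" in arm64*) ... x86_64*) ... esac` that derives `ARCH` has no default branch, so an unexpected `HOST` leaves `ARCH` empty and the loop then looks for `codesignatures/osx/${HOST}/${bin}.sign` with a misleading error; add `*) exit 1 ;;` as the outer `case` does. Minor: `-wholename` is the deprecated spelling of `-path` in GNU find, and the `-exec rm {} \;` cleanup of `.exe` files can be `-delete`.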
@ -91,6 +121,14 @@ mkdir -p "$DISTSRC"
| xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
find . | sort \ find . | sort \
| zip -X@ "${OUTDIR}/${DISTNAME}-${HOST}.zip" | zip -X@ "${OUTDIR}/${DISTNAME}-${HOST}.zip"
cd ..
# Make a .tar.gz from bins
find "${DISTNAME}" -print0 \
| sort --zero-terminated \
| tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
| gzip -9n > "${OUTDIR}/${DISTNAME}-${HOST}.tar.gz" \
|| ( rm -f "${OUTDIR}/${DISTNAME}-${HOST}.tar.gz" && exit 1 )
;; ;;
*) *)
exit 1 exit 1
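Review bot: the new `.tar.gz` block guards against partial output with `|| ( rm -f ... && exit 1 )`, but the `zip -X@` pipeline just above it (the `.zip` built from `dist/`) has no equivalent cleanup, so a failed zip can leave a truncated `${DISTNAME}-${HOST}.zip` in `OUTDIR`; mirror the guard there for consistency.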
@ -105,7 +143,7 @@ mv --no-target-directory "$OUTDIR" "$ACTUAL_OUTDIR" \
( (
cd /outdir-base cd /outdir-base
{ {
echo "$UNSIGNED_TARBALL" echo "$CODESIGNING_TARBALL"
echo "$CODESIGNATURE_GIT_ARCHIVE" echo "$CODESIGNATURE_GIT_ARCHIVE"
find "$ACTUAL_OUTDIR" -type f find "$ACTUAL_OUTDIR" -type f
} | xargs realpath --relative-base="$PWD" \ } | xargs realpath --relative-base="$PWD" \


@ -15,13 +15,14 @@
(gnu packages mingw) (gnu packages mingw)
(gnu packages pkg-config) (gnu packages pkg-config)
((gnu packages python) #:select (python-minimal)) ((gnu packages python) #:select (python-minimal))
((gnu packages python-build) #:select (python-tomli)) ((gnu packages python-build) #:select (python-tomli python-poetry-core))
((gnu packages python-crypto) #:select (python-asn1crypto)) ((gnu packages python-crypto) #:select (python-asn1crypto))
((gnu packages tls) #:select (openssl)) ((gnu packages tls) #:select (openssl))
((gnu packages version-control) #:select (git-minimal)) ((gnu packages version-control) #:select (git-minimal))
(guix build-system cmake) (guix build-system cmake)
(guix build-system gnu) (guix build-system gnu)
(guix build-system python) (guix build-system python)
(guix build-system pyproject)
(guix build-system trivial) (guix build-system trivial)
(guix download) (guix download)
(guix gexp) (guix gexp)
@ -381,10 +382,10 @@ specific moment in time, whitelisting and revocation checks.")
(license license:expat)))) (license license:expat))))
(define-public python-signapple (define-public python-signapple
(let ((commit "62155712e7417aba07565c9780a80e452823ae6a")) (let ((commit "85bfcecc33d2773bc09bc318cec0614af2c8e287"))
(package (package
(name "python-signapple") (name "python-signapple")
(version (git-version "0.1" "1" commit)) (version (git-version "0.2.0" "1" commit))
(source (source
(origin (origin
(method git-fetch) (method git-fetch)
@ -394,13 +395,14 @@ specific moment in time, whitelisting and revocation checks.")
(file-name (git-file-name name commit)) (file-name (git-file-name name commit))
(sha256 (sha256
(base32 (base32
"1nm6rm4h4m7kbq729si4cm8rzild62mk4ni8xr5zja7l33fhv3gb")))) "17yqjll8nw83q6dhgqhkl7w502z5vy9sln8m6mlx0f1c10isg8yg"))))
(build-system python-build-system) (build-system pyproject-build-system)
(propagated-inputs (propagated-inputs
(list python-asn1crypto (list python-asn1crypto
python-oscrypto python-oscrypto
python-certvalidator python-certvalidator
python-elfesteem)) python-elfesteem))
(native-inputs (list python-poetry-core))
;; There are no tests, but attempting to run python setup.py test leads to ;; There are no tests, but attempting to run python setup.py test leads to
;; problems, just disable the test ;; problems, just disable the test
(arguments '(#:tests? #f)) (arguments '(#:tests? #f))
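Review bot: the comment `attempting to run python setup.py test leads to problems` is stale now that the package uses `pyproject-build-system`; reword it to say upstream ships no test suite. Since this bumps the pinned commit of the tool that produces the release signatures, reviewers should reproduce the `base32` hash `17yqjll8nw83q6dhgqhkl7w502z5vy9sln8m6mlx0f1c10isg8yg` themselves from a fresh checkout of `85bfcecc33d2773bc09bc318cec0614af2c8e287` rather than take it from the diff.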


@ -6,26 +6,57 @@
export LC_ALL=C export LC_ALL=C
set -e set -e
ROOTDIR=dist
BUNDLE="${ROOTDIR}/Bitcoin-Qt.app"
BINARY="${BUNDLE}/Contents/MacOS/Bitcoin-Qt"
SIGNAPPLE=signapple SIGNAPPLE=signapple
TEMPDIR=sign.temp TEMPDIR=sign.temp
ARCH=$(${SIGNAPPLE} info ${BINARY} | head -n 1 | cut -d " " -f 1)
OUT="signature-osx-${ARCH}.tar.gz"
OUTROOT=osx/dist
if [ -z "$1" ]; then BUNDLE_ROOT=dist
echo "usage: $0 <signapple args>" BUNDLE_NAME="Bitcoin-Qt.app"
echo "example: $0 <path to key>" UNSIGNED_BUNDLE="${BUNDLE_ROOT}/${BUNDLE_NAME}"
UNSIGNED_BINARY="${UNSIGNED_BUNDLE}/Contents/MacOS/Bitcoin-Qt"
ARCH=$(${SIGNAPPLE} info ${UNSIGNED_BINARY} | head -n 1 | cut -d " " -f 1)
OUTDIR="osx/${ARCH}-apple-darwin"
OUTROOT="${TEMPDIR}/${OUTDIR}"
OUT="signature-osx-${ARCH}.tar.gz"
if [ "$#" -ne 3 ]; then
echo "usage: $0 <path to key> <path to app store connect key> <apple developer team uuid>"
exit 1 exit 1
fi fi
rm -rf ${TEMPDIR} rm -rf ${TEMPDIR}
mkdir -p ${TEMPDIR} mkdir -p ${TEMPDIR}
${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}" --hardened-runtime stty -echo
printf "Enter the passphrase for %s: " "$1"
read cs_key_pass
printf "\n"
printf "Enter the passphrase for %s: " "$2"
read api_key_pass
printf "\n"
stty echo
tar -C "${TEMPDIR}" -czf "${OUT}" . # Sign and notarize app bundle
${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${cs_key_pass}" "$1" "${UNSIGNED_BUNDLE}"
${SIGNAPPLE} apply "${UNSIGNED_BUNDLE}" "${OUTROOT}/${BUNDLE_ROOT}/${BUNDLE_NAME}"
${SIGNAPPLE} notarize --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${api_key_pass}" "$2" "$3" "${UNSIGNED_BUNDLE}"
# Sign each binary
find . -maxdepth 3 -wholename "*/bin/*" -type f -exec realpath --relative-to=. {} \; | while read -r bin
do
bin_dir=$(dirname "${bin}")
bin_name=$(basename "${bin}")
${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${bin_dir}" --passphrase "${cs_key_pass}" "$1" "${bin}"
${SIGNAPPLE} apply "${bin}" "${OUTROOT}/${bin_dir}/${bin_name}.${ARCH}sign"
done
# Notarize the binaries
# Binaries cannot have stapled notarizations so this does not actually generate any output
binaries_dir=$(dirname "$(find . -maxdepth 2 -wholename '*/bin' -type d -exec realpath --relative-to=. {} \;)")
${SIGNAPPLE} notarize --passphrase "${api_key_pass}" "$2" "$3" "${binaries_dir}"
tar -C "${TEMPDIR}" -czf "${OUT}" "${OUTDIR}"
rm -rf "${TEMPDIR}" rm -rf "${TEMPDIR}"
echo "Created ${OUT}" echo "Created ${OUT}"
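Review bot: `stty -echo` is not paired with a trap, so a Ctrl-C or a failing `read` between `stty -echo` and `stty echo` leaves the signer's terminal with echo disabled; add `trap 'stty echo' EXIT` before the first `stty -echo` (and use `read -r`). The passphrases are then passed as `--passphrase "${cs_key_pass}"` on the signapple command line, where other users of the same machine can read them via `ps` or `/proc/<pid>/cmdline`; if signapple can take them from an environment variable or a file, prefer that. Also, `ARCH=$(${SIGNAPPLE} info ...)` runs before the argument-count check, so a bare `./detached-sig-create.sh` fails inside `signapple info` instead of printing the usage line; move the check above it.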


@ -8,9 +8,9 @@ if [ -z "$OSSLSIGNCODE" ]; then
OSSLSIGNCODE=osslsigncode OSSLSIGNCODE=osslsigncode
fi fi
if [ -z "$1" ]; then if [ "$#" -ne 1 ]; then
echo "usage: $0 <osslcodesign args>" echo "usage: $0 <path to key>"
echo "example: $0 -key codesign.key" echo "example: $0 codesign.key"
exit 1 exit 1
fi fi
@ -22,12 +22,22 @@ OUTSUBDIR="${OUTDIR}/win"
TIMESERVER=http://timestamp.comodoca.com TIMESERVER=http://timestamp.comodoca.com
CERTFILE="win-codesign.cert" CERTFILE="win-codesign.cert"
stty -echo
printf "Enter the passphrase for %s: " "$1"
read cs_key_pass
printf "\n"
stty echo
mkdir -p "${OUTSUBDIR}" mkdir -p "${OUTSUBDIR}"
# shellcheck disable=SC2046 find ${SRCDIR} -wholename "*.exe" -type f -exec realpath --relative-to=. {} \; | while read -r bin
basename -a $(ls -1 "${SRCDIR}"/*-unsigned.exe) | while read UNSIGNED; do do
echo Signing "${UNSIGNED}" echo Signing "${bin}"
"${OSSLSIGNCODE}" sign -certs "${CERTFILE}" -t "${TIMESERVER}" -h sha256 -in "${SRCDIR}/${UNSIGNED}" -out "${WORKDIR}/${UNSIGNED}" "$@" bin_base="$(realpath --relative-to=${SRCDIR} "${bin}")"
"${OSSLSIGNCODE}" extract-signature -pem -in "${WORKDIR}/${UNSIGNED}" -out "${OUTSUBDIR}/${UNSIGNED}.pem" && rm "${WORKDIR}/${UNSIGNED}" mkdir -p "$(dirname ${WORKDIR}/"${bin_base}")"
"${OSSLSIGNCODE}" sign -certs "${CERTFILE}" -t "${TIMESERVER}" -h sha256 -in "${bin}" -out "${WORKDIR}/${bin_base}" -key "$1" -pass "${cs_key_pass}"
mkdir -p "$(dirname ${OUTSUBDIR}/"${bin_base}")"
"${OSSLSIGNCODE}" extract-signature -pem -in "${WORKDIR}/${bin_base}" -out "${OUTSUBDIR}/${bin_base}.pem" && rm "${WORKDIR}/${bin_base}"
done done
rm -f "${OUT}" rm -f "${OUT}"
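Review bot: the two `mkdir -p "$(dirname ${WORKDIR}/"${bin_base}")"` lines quote only the inner expansion and leave `${WORKDIR}` (and `${SRCDIR}` in the `find` and `realpath` calls) subject to word splitting; write them as `mkdir -p "$(dirname "${WORKDIR}/${bin_base}")"`. As in the macOS script on this page, `-pass "${cs_key_pass}"` exposes the key passphrase on the command line to other local users; osslsigncode's `-readpass <file>` or `-askpass` avoids that.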


@ -166,8 +166,8 @@ Then open a Pull Request to the [guix.sigs repository](https://github.com/bitcoi
In the `guix-build-${VERSION}/output/x86_64-apple-darwin` and `guix-build-${VERSION}/output/arm64-apple-darwin` directories: In the `guix-build-${VERSION}/output/x86_64-apple-darwin` and `guix-build-${VERSION}/output/arm64-apple-darwin` directories:
tar xf bitcoin-osx-unsigned.tar.gz tar xf bitcoin-${VERSION}-${ARCH}-apple-darwin-codesigning.tar.gz
./detached-sig-create.sh /path/to/codesign.p12 ./detached-sig-create.sh /path/to/codesign.p12 /path/to/AuthKey_foo.p8 uuid
Enter the keychain password and authorize the signature Enter the keychain password and authorize the signature
signature-osx.tar.gz will be created signature-osx.tar.gz will be created
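Review bot: the unchanged context lines still say `Enter the keychain password and authorize the signature` and `signature-osx.tar.gz will be created`, but the updated script prompts for two passphrases (the codesign key and the App Store Connect key) and writes `signature-osx-${ARCH}.tar.gz`; update both lines so the signer instructions match the new invocation.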
@ -175,8 +175,8 @@ In the `guix-build-${VERSION}/output/x86_64-apple-darwin` and `guix-build-${VERS
In the `guix-build-${VERSION}/output/x86_64-w64-mingw32` directory: In the `guix-build-${VERSION}/output/x86_64-w64-mingw32` directory:
tar xf bitcoin-win-unsigned.tar.gz tar xf bitcoin-${VERSION}-win64-codesigning.tar.gz
./detached-sig-create.sh -key /path/to/codesign.key ./detached-sig-create.sh /path/to/codesign.key
Enter the passphrase for the key when prompted Enter the passphrase for the key when prompted
signature-win.tar.gz will be created signature-win.tar.gz will be created