phantom/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-01-10 20:03:34 -03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
bitcoin/contrib
History
fanquake d50302625e
Merge bitcoin/bitcoin#22182: guix: Overhaul how guix-{attest,verify} works and hierarchy 
e2c40a4ed5 guix-attest: Error out if SHA256SUMS is unexpected (Carl Dong)
4cc35daed5 Rewrite guix-{attest,verify} for new hier (Carl Dong)
28a9c9b839 Make SHA256SUMS fragment right after build (Carl Dong)

Pull request description:

  Based on:  #22075
  Code reviewers: I recommend reading the new `guix-{attest,verify}` files instead of trying to read the diff

  The following changes resolve many usability improvements which were pointed out to me:
  1. Some maintainers like to extract their "uncodesigned tarball" inside the `output/` directory, resulting in the older `guix-attest` mistakenly attesting to the extracted contents
  2. Maintainers whose GPG keys reside on an external smartcard often need to physically interact with the smartcard as a way to approve the signing operation, having one signature per platform means a lot of fidgeting
  3. Maintainers wishing to sign on a separate machine now has the option of transferring only a subtree of `output/`, namely `output/*/SHA256SUMS.part`, in order to perform a signature (you may need to specify an `$OUTDIR_BASE` env var)
  4. An `all.SHA256SUMS` file should be usable as the base `SHA256SUMS` in bitcoin core torrents and on the release server.

  For those who sign on an separate machine than the one you do builds on, the following steps will work:
  1. `env GUIX_SIGS_REPO=/home/achow101/guix.sigs SIGNER=achow101 NO_SIGN=1 ./contrib/guix/guix-attest`
  2. Copy `/home/achow101/guix.sigs/<tag>/achow101` (which does not yet have signatures) to signing machine
  3. Sign the `SHA256SUMS` files:
      ```bash
      for i in "<path-to-achow101>/*.SHA256SUMS"; do
          gpg --detach-sign --local-user "<your-key-here>" --armor --output "$i"{.asc,}
      done
      ```
  5. Upload `<path-to-achow101>` (now with signatures) to `guix.sigs`

  -----

  After this change, output directories will now include a `SHA256SUMS.part` fragment, created immediately after a successful build:
  ```
  output
  └── x86_64-w64-mingw32
      ├── bitcoin-4e069f7589da-win64-debug.zip
      ├── bitcoin-4e069f7589da-win64-setup-unsigned.exe
      ├── bitcoin-4e069f7589da-win64.zip
      ├── bitcoin-4e069f7589da-win-unsigned.tar.gz
      └── SHA256SUMS.part
  ```

  These `SHA256SUMS.part` fragments look something like:
  ```
  3ebd7262b1a0a5bb757fef1f70e7e14033c70f98c059bc4dbfee5d1992b25825  dist-archive/bitcoin-4e069f7589da.tar.gz
  def2e7d3de5ab3e3f955344e75151df4f33713f9101f5295bd13c9375bdf633b  x86_64-w64-mingw32/bitcoin-4e069f7589da-win64-debug.zip
  643049fe3ee4a4e83a1739607e67b11b7c9b1a66208a6f35a9ff634ba795500e  x86_64-w64-mingw32/bitcoin-4e069f7589da-win64-setup-unsigned.exe
  a247a1ccec0ccc2e138c648284bd01f6a761f2d8d6d07d91b5b4a6670ec3f288  x86_64-w64-mingw32/bitcoin-4e069f7589da-win-unsigned.tar.gz
  fab76a836dcc592e39c04fd2396696633fb6eb56e39ecbf6c909bd173ed4280c  x86_64-w64-mingw32/bitcoin-4e069f7589da-win64.zip
  ```

  Meaning that they are valid `SHA256SUMS` files when `sha256sum --check`'d at the `guix-build-*/output` directory level

  When `guix-attest` is invoked, these `SHA256SUMS.part` files are combined and sorted (by `-k2`, `LC_ALL=C`) to create:

  1. `noncodesigned.SHA256SUMS` for a manifest of all non-codesigned outputs, and
  3. `all.SHA256SUMS` for a manifest of all outputs including non-codesigned outputs

  Then both files are signed, resulting in the following `guix.sigs` hierarchy:
  ```
  4e069f7589da/
  └── dongcarl
      ├── all.SHA256SUMS
      ├── all.SHA256SUMS.asc
      ├── noncodesigned.SHA256SUMS
      └── noncodesigned.SHA256SUMS.asc
  ```

ACKs for top commit:
  achow101:
    ACK e2c40a4ed5
  hebasto:
    ACK e2c40a4ed5, tested on Linux Mint 20.1 (x86_64) with and w/o `NO_SIGN=1`. Changes in `contrib/guix/libexec/codesign.sh` and `contrib/guix/guix-verify` are reviewed only.

Tree-SHA512: 618aacefb0eb6595735a9ab6a98ea6598fce65f9ccf33fa1e7ef93bf140c0f6cfc16e34870c6aa3e4777dd3f004b92a82a994141879870141742df948ec59c1f
2021-06-17 13:10:37 +08:00
..
debian doc: Fix external links (IRC, ...) 2021-05-31 17:27:57 +02:00
devtools scripts: test for MACHO control flow instrumentation 2021-05-09 14:26:09 +08:00
gitian-descriptors Use latest signapple commit 2021-06-08 16:46:56 -04:00
gitian-keys gitian-keys: Add signer aliases, some historical keys 2021-01-24 19:01:26 +01:00
guix Merge bitcoin/bitcoin#22182: guix: Overhaul how guix-{attest,verify} works and hierarchy 2021-06-17 13:10:37 +08:00
init Merge #21418: contrib: Make systemd invoke dependencies only when ready 2021-03-22 15:15:14 +01:00
linearize doc: Added default signet config for linearize script 2020-09-25 14:37:22 +02:00
macdeploy build: Xcode 12.1, macOS SDK 10.15.6 2021-05-01 13:39:45 +08:00
message-capture Add documentation to contrib folder 2021-01-23 16:15:05 -05:00
qos test: fix file permissions on various scripts 2021-04-23 17:13:28 -07:00
seeds contrib: remove torv2 seed nodes 2021-06-03 14:04:06 +02:00
shell guix: Add source-able bash prelude and utils 2021-04-05 11:00:21 -04:00
signet contrib/signet: Document miner script in README.md 2021-01-12 18:34:29 +10:00
testgen bugfix: fix bech32_encode calls in gen_key_io_test_vectors.py 2021-03-18 14:28:46 -07:00
verify-commits script: Add trusted key for hebasto 2021-04-06 12:27:32 +03:00
verifybinaries lint: Fix spelling errors in comments 2021-03-01 15:24:28 +00:00
windeploy Merge bitcoin/bitcoin#22017: Update Windows code signing certificate 2021-05-27 21:51:58 +02:00
zmq scripted-diff: Bump copyright headers 2020-12-31 09:45:41 +01:00
bitcoin-cli.bash-completion scripted-diff: Bump copyright of files changed in 2019 2019-12-30 10:42:20 +13:00
bitcoin-tx.bash-completion bash-completion: Adapt for 0.12 and 0.13 2016-07-07 07:52:59 -04:00
bitcoind.bash-completion scripted-diff: Bump copyright of files changed in 2019 2019-12-30 10:42:20 +13:00
filter-lcov.py scripted-diff: Bump copyright headers 2020-12-31 09:45:41 +01:00
gitian-build.py build: Xcode 12.1, macOS SDK 10.15.6 2021-05-01 13:39:45 +08:00
install_db4.sh contrib: embed C++11 patch in install_db4.sh 2021-01-11 10:34:27 +01:00
README.md doc: Fix whitespace errs in .md files, bitcoin.conf, Info.plist.in, and find_bdb48.m4 2019-09-17 03:21:22 -04:00
valgrind.supp contrib: Fixup valgrind suppressions file 2020-08-05 16:43:30 +02:00

README.md

Repository Tools

Developer tools

Specific tools for developers working on this repository. Additional tools, including the github-merge.py script, are available in the maintainer-tools repository.

Verify-Commits

Tool to verify that every merge commit was signed by a developer using the github-merge.py script.

Linearize

Construct a linear, no-fork, best version of the blockchain.

Qos

A Linux bash script that will set up traffic control (tc) to limit the outgoing bandwidth for connections to the Bitcoin network. This means one can have an always-on bitcoind instance running, and another local bitcoind/bitcoin-qt instance which connects to this node and receives blocks from it.

Seeds

Utility to generate the pnSeed[] array that is compiled into the client.

Build Tools and Keys

Packaging

The Debian subfolder contains the copyright file.

All other packaging related files can be found in the bitcoin-core/packaging repository.

Gitian-descriptors

Files used during the gitian build process. For more information about gitian, see the the Bitcoin Core documentation repository.

Gitian-keys

PGP keys used for signing Bitcoin Core Gitian release results.

MacDeploy

Scripts and notes for Mac builds.

Gitian-build

Script for running full Gitian builds.

Test and Verify Tools

TestGen

Utilities to generate test vectors for the data-driven Bitcoin tests.

Verify Binaries

This script attempts to download and verify the signature file SHA256SUMS.asc from bitcoin.org.