Commit Graph

1282 Commits

Author SHA1 Message Date
PastaPastaPasta
cbef7f2116
feat: use a self-signed windows code signing certificate instead of e… (#5814)
## Issue being fixed or feature implemented
Implement a new code-signing certificate for windows.

Previously we used a certificate issued by DigiCert, however that
certificate recently expired. A renewed certificate would cost roughly
$200/year at the cheapest CAs and $370/year with DigiCert. EV
certificates are relatively novel types of certificates that start out
with positive reputation, reducing smart screen popups for users. EV
certificates start at $270/year.

As a result we had (/have) 4 options:
1. Get a new code signing certificate from a trusted CA
- Pro: Certificate gains reputation over time in smart screen and
binaries are signed
- Pro: Shows "Verified Publisher" and "Dash Core Group Inc" on install
- Con: Costs, feels manipulative to pay at least $600 simply for
someone to sign a certificate
2. Get a new EV code signing certificate
- Pro: Certificate starts with good reputation and gains reputation
over time
- Con: Even greater costs for a signature that says that we are from
Dash Core Group
3. Continue signing with the expired certificate
- Con: This is, it has been discovered, a terrible idea and these
binaries are treated worse than unsigned binaries
4. Deliver unsigned windows binaries
- Pro: Binary will gain reputation over time as users download it
- Pro: Easy, is what it says on the tin
- Con: Binaries are completely unsigned, could be tampering or
corruption issues that go undetected
- Con: Will visibly state "Unknown Publisher"
5. Deliver self-signed windows binaries
- Pro: Binary will gain reputation over time as users download it
- Pro: *Possibility* that certificate will gain reputation over time
as users download binaries signed by it. It may also be that only
certificates issued by a CA will gain reputation over time.
- Pro: Binaries are still signed
- Pro: Users have the option to import certificate into keychain to
remove "Unknown Publisher"
- Pro: In limited testing, install is sometimes treated better than
unsigned, otherwise is treated the same
- Con: may appear sketchy, as Root CA is not a trusted Root CA
- Con: will display "Unknown Publisher" to most users
- Con: greater potential uncertainty around future changes to
treatment of self signing systems

Based on the above discussion and testing, the best route currently is
option 5; that is what this PR implements. In the future it may make
sense to move towards a codesigning certificate issued by a trusted CA.

The root certificate authority has the following information

![image](https://github.com/dashpay/dash/assets/6443210/66a90588-9bd9-4fe5-902c-04e8d1e47b6f)
with a sha256 fingerprint of `46 84 FF 27 11 D7 C8 C5 BB FA D1 55 41 B3
F0 43 77 97 AC 67 4C 32 19 AE B4 E7 15 11 1F BB 42 A0`

The code signing certificate is issued by the root CA, has a common name
of "Dash Core Windows Signing" and a sha256 fingerprint of `1A 09 54 6E
D3 81 E9 FC AD 62 44 32 35 40 39 FF 5F A7 30 0E 5E 03 C4 E0 96 5A 62 AA
19 2B 79 EE`. This certificate is only authorized for the purpose of
code signing.

## What was done?

## How Has This Been Tested?
Multiple users installing binaries of type 1,3,4 and 5. 

## Breaking Changes
This new windows signing certificate should be documented in the release
notes.

## Checklist:
_Go over all the following points, and put an `x` in all the boxes that
apply._
- [x] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand
areas
- [ ] I have added or updated relevant unit/integration/functional/e2e
tests
- [ ] I have made corresponding changes to the documentation
- [x] I have assigned this pull request to a milestone _(for
repository code-owners and collaborators only)_


2024-01-11 22:49:10 +07:00
PastaPastaPasta
eab0656075
Merge pull request #5797 from knst/builder-keys
chore: update builder keys for pasta, udjin
2024-01-10 21:54:44 +07:00
UdjinM6
d0d4669479
build: Disable miner for Windows binaries built via Guix (#5801)
## Issue being fixed or feature implemented
We had this in Gitian
https://github.com/dashpay/dash/blob/master/contrib/gitian-descriptors/gitian-win.yml#L38.
We also had it for macos
https://github.com/dashpay/dash/blob/master/contrib/gitian-descriptors/gitian-osx.yml#L42
but it looks like it's no longer an issue there (or at least I did not
see anyone complaining about it).

## What was done?
tweak `CONFIGFLAGS` for `mingw` host

## How Has This Been Tested?
n/a

## Breaking Changes
n/a

## Checklist:
- [x] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have added or updated relevant unit/integration/functional/e2e
tests
- [ ] I have made corresponding changes to the documentation
- [x] I have assigned this pull request to a milestone _(for repository
code-owners and collaborators only)_
2024-01-10 19:49:34 +07:00
UdjinM6
96d4a30510 ci: Bump Guix build timeout and implement caching (#5727)
## Issue being fixed or feature implemented
Hopefully fixes issues like
>The job running on runner ubuntu-core-x64_i-05ed4263b8e049c7a has
exceeded the maximum execution time of 360 minutes

https://github.com/dashpay/dash/actions/runs/6932017275


https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes

## What was done?
Bump timeouts for the job itself and for the corresponding step. Also,
implemented caching for `.cache` and `depends` folders.

## How Has This Been Tested?
#5729


https://github.com/dashpay/dash/actions/runs/6996271543/job/19031968814?pr=5729

## Breaking Changes
n/a

## Checklist:
- [x] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have added or updated relevant unit/integration/functional/e2e
tests
- [ ] I have made corresponding changes to the documentation
- [x] I have assigned this pull request to a milestone _(for repository
code-owners and collaborators only)_
2023-12-04 17:05:52 +02:00
PastaPastaPasta
7c966c9db0 Merge pull request #5718 from knst/mac-improvements
backport: bitcoin#24603, #26694, #24669, #22546, #22199, #25817 (mac build)
2023-12-04 17:04:30 +02:00
UdjinM6
ea1f5241f9
fix: make CONFIGFLAGS optional (#5713)
## Issue being fixed or feature implemented
make it possible to run `./contrib/guix/guix-build` without specifying
`CONFIGFLAGS`

## What was done?

## How Has This Been Tested?
run `./contrib/guix/guix-build` w/ and w/out this patch

## Breaking Changes
n/a

## Checklist:
- [x] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have added or updated relevant unit/integration/functional/e2e
tests
- [ ] I have made corresponding changes to the documentation
- [x] I have assigned this pull request to a milestone _(for repository
code-owners and collaborators only)_
2023-11-16 22:21:16 +03:00
PastaPastaPasta
42b5b15521
build(guix): add debug symbols for osx (#5708)
## Issue being fixed or feature implemented
Add debug symbols for Darwin

## What was done?
Added Darwin debug symbols and combined them as output

## How Has This Been Tested?
guix build

## Breaking Changes
  _Please describe any breaking changes your code introduces_


## Checklist:
_Go over all the following points, and put an `x` in all the boxes that
apply._
- [x] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have added or updated relevant unit/integration/functional/e2e
tests
- [ ] I have made corresponding changes to the documentation
- [x] I have assigned this pull request to a milestone _(for repository
code-owners and collaborators only)_

---------

Co-authored-by: UdjinM6 <UdjinM6@users.noreply.github.com>
2023-11-16 12:39:24 -06:00
UdjinM6
f796a4473d
build: let additional configure params to be passed into guix (#5705)
## Issue being fixed or feature implemented
Make it possible to pass additional configure params into Guix. This
could be used to setup various sets of nightly/debug builds which could
then be deployed automagically to catch potential issues early.

## What was done?


## How Has This Been Tested?
`CONFIGFLAGS="--enable-debug" HOSTS="x86_64-linux-gnu"
./contrib/guix/guix-build`

## Breaking Changes
n/a

## Checklist:
- [x] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have added or updated relevant unit/integration/functional/e2e
tests
- [ ] I have made corresponding changes to the documentation
- [x] I have assigned this pull request to a milestone _(for repository
code-owners and collaborators only)_
2023-11-16 12:19:09 -06:00
UdjinM6
7e55f09a98 chore: update mainnet seeds
```
cd contrib/seeds
dash-cli protx list valid 1 > protx.txt
./makeseeds.py protx.txt > nodes_main.txt
./generate-seeds.py . > ../../src/chainparamsseeds.h
```
2023-11-13 10:13:12 -06:00
Kittywhiskers Van Gogh
5d7367e366 merge bitcoin#22050: remove tor v2 support 2023-09-24 09:50:50 -05:00
Kittywhiskers Van Gogh
aa76506bc9 partial bitcoin#21560: Add Tor v3 hardcoded seeds
excludes:
- 2a257de113fd31539b68c28c47ef94f257b6e427
- 9b29d5df7fc555eaea42029f334f2995c6ccde3d
2023-09-24 09:50:50 -05:00
Pander
5e04b9f1d4
docs: improved Docker documentation (#5543)
## Issue being fixed or feature implemented
Make Dash on Docker Hub easier to find, a search on `dash` there does
not provide the result.

## What was done?
Improved Docker documentation in `contrib/containers/README.md`

## How Has This Been Tested?
n/a

## Breaking Changes
n/a

## Checklist:
_Go over all the following points, and put an `x` in all the boxes that
apply._
- [x] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have added or updated relevant unit/integration/functional/e2e
tests
- [x] I have made corresponding changes to the documentation
- [ ] I have assigned this pull request to a milestone _(for repository
code-owners and collaborators only)_
2023-09-19 21:26:43 +03:00
Konstantin Akimov
4aa197dbdb Merge #18673: scripted-diff: Sort test includes
fa4632c41714dfaa699bacc6a947d72668a4deef test: Move boost/stdlib includes last (MarcoFalke)
fa488f131fd4f5bab0d01376c5a5013306f1abcd scripted-diff: Bump copyright headers (MarcoFalke)
fac5c373006a9e4bcbb56843bb85f1aca4d87599 scripted-diff: Sort test includes (MarcoFalke)

Pull request description:

  When writing tests, often includes need to be added or removed. Currently the list of includes is not sorted, so developers that write tests and have `clang-format` installed will either have an unrelated change (sorting) included in their commit or they will have to manually undo the sort.

  This pull preempts both issues by just sorting all includes in one commit.

  Please be aware that this is **NOT** a change to policy to enforce clang-format or any other developer guideline or process. Developers are free to use whatever tool they want, see also #18651.

  Edit: Also includes a commit to bump the copyright headers, so that the touched files don't need to be touched again for that.

ACKs for top commit:
  practicalswift:
    ACK fa4632c41714dfaa699bacc6a947d72668a4deef
  jonatack:
    ACK fa4632c41714dfaa, light review and sanity checks with gcc build and clang fuzz build

Tree-SHA512: 130a8d073a379ba556b1e64104d37c46b671425c0aef0ed725fd60156a95e8dc83fb6f0b5330b2f8152cf5daaf3983b4aca5e75812598f2626c39fd12b88b180
2023-08-29 22:00:59 -05:00
Kittywhiskers Van Gogh
3d97c4b6a2 merge bitcoin#26057: Get rid of perl dependency 2023-08-08 06:05:02 -05:00
Kittywhiskers Van Gogh
a7f90c070c merge bitcoin#23489: Qt 5.15.2 2023-08-08 06:05:02 -05:00
Wladimir J. van der Laan
5f5550933f Merge #20468: build: warn when generating man pages for binaries built from a dirty branch
6690adba08006739da0060eb4937126bdfa1181a Warn when binaries are built from a dirty branch. (Tyler Chambers)

Pull request description:

  - Adjusted `--version` flag behavior in bitcoind and bitcoin-wallet to have the same behavior.
  - Added `--version` flag to bitcoin-tx to match.
  - Added functionality in gen-manpages.sh to error when attempting to generate man pages for binaries built from a dirty branch.

  mitigates problem with  issue #20412

ACKs for top commit:
  laanwj:
    Tested ACK 6690adba08006739da0060eb4937126bdfa1181a

Tree-SHA512: b5ca509f1a57f66808c2bebc4b710ca00c6fec7b5ebd7eef58018e28e716f5f2358e36551b8a4df571bf3204baed565a297aeefb93990e7a99add502b97ee1b8
2023-08-01 12:21:16 -05:00
Kittywhiskers Van Gogh
a854aee640 contrib: bump symbol-check.py to minimum glibc version used for CI (2.31) 2023-08-01 12:07:31 -05:00
Kittywhiskers Van Gogh
a7cb99b184 build: use glibc 2.28 for all Linux builds 2023-08-01 12:07:31 -05:00
Kittywhiskers Van Gogh
5cb5a6edb0 merge bitcoin#22930: remove glibc back compat 2023-08-01 12:07:31 -05:00
Kittywhiskers Van Gogh
a44a1a94f6 merge bitcoin#27668: document when certain guix patches can be dropped 2023-08-01 12:07:31 -05:00
Kittywhiskers Van Gogh
04d77f72e9 merge bitcoin#27029: consolidate to glibc 2.27 for Linux builds 2023-08-01 12:07:31 -05:00
Kittywhiskers Van Gogh
b7ead8c6bd ci: don't rely on dist-bundled Python, use pyenv to use fixed version 2023-08-01 12:07:31 -05:00
Kittywhiskers Van Gogh
df18cc24f0 revert: remove execstack workaround for riscv64 & powerpc64le
This reverts commit 2ecaf214331b506ebfac4f4922241744357d652b
2023-08-01 12:07:31 -05:00
UdjinM6
b208a0cc7a fix: adjust gitian descriptors to fix lief install 2023-08-01 12:07:31 -05:00
UdjinM6
73f28b62a4 chore: Drop unused code in linearize-data.py 2023-07-17 01:00:48 +03:00
PastaPastaPasta
f6131b9db5
build: simple modification to allow docker develop builds on aarch64 (#5475)
## Issue being fixed or feature implemented
Building with develop docker container on aarch64

## What was done?
Only install i386 stuff on non-arm builders

## How Has This Been Tested?
Building on aarch64 / m1 

## Breaking Changes
Should be none

## Checklist:
_Go over all the following points, and put an `x` in all the boxes that
apply._
- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have added or updated relevant unit/integration/functional/e2e
tests
- [ ] I have made corresponding changes to the documentation
- [ ] I have assigned this pull request to a milestone _(for repository
code-owners and collaborators only)_
2023-07-04 12:36:00 -05:00
Kittywhiskers Van Gogh
0a7b8bda4f merge bitcoin#25357: drop -z,noexecstack for PPC64 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
6243a71267 merge bitcoin#25389: use libtool 2.4.7 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
66e1541808 merge bitcoin#21851: support cross-compiling for arm64-apple-darwin 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
be2eb53c57 merge bitcoin#24552: make it possible to override gpg binary 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
8dc99a4967 merge bitcoin#25099: bump time-machine to 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
f3dd5d7271 merge bitcoin#24955: Improve error message about missed macOS SDK 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
1a49f48fd6 merge bitcoin#24597: Include arm64-apple-darwin into codesigned archs 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
6751b13f38 merge bitcoin#22526: use newer config.guess & config.sub in depends 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
b7d688ed21 merge bitcoin#24733: Fix "ERR: Unsigned tarballs do not exist" 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
9600020a1f merge bitcoin#24549: Use $HOST instead of generic osx{64} for macOS artifacts 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
ab8c26a533 merge bitcoin#23585: Drop Darwin version for better maintainability 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
205aa83eaa merge bitcoin#25484: enable toolchain hardening by default 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
fc6252bedc merge bitcoin#25437: remove explicit glibc stack protector disabling 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
9c5d657c54 merge bitcoin#26018: consistently use -ffile-prefix-map 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
a8129266eb merge bitcoin#25639: Drop repetition of option's default value 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
6169e200c3 merge bitcoin#24508: Drop unneeded openssl dependency for signapple 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
14f6e37680 merge bitcoin#24520: only check for the macOS SDK once 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
f6869929d8 build: obey bitcoin#22993 by setting macOS target to Darwin 19 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
63c4e2456b
build: follow up to #5449. implementing suggestions and deduplication (#5464)
## Additional Information

* Based on suggestions by @knst made
[here](https://github.com/dashpay/dash/pull/5449#issuecomment-1609937147)
and
[here](https://github.com/dashpay/dash/pull/5426#discussion_r1241789033)
2023-06-28 13:59:16 -05:00
Kittywhiskers Van Gogh
ddb38f42da contrib: move context to repository root, use additional context for copy 2023-06-27 20:24:08 +05:30
Kittywhiskers Van Gogh
38b8344ea5 contrib: create Guix container with interactive abilities 2023-06-27 20:24:08 +05:30
Kittywhiskers Van Gogh
a283002d97 contrib: remove no longer needed packages after bitcoin#23909 2023-06-18 11:47:54 -05:00
Kittywhiskers Van Gogh
51675eef1d merge bitcoin#25558: Make windows cross architecture reproducible 2023-06-18 11:47:54 -05:00
Kittywhiskers Van Gogh
cc1fcb0f44 merge bitcoin#25490: more cross arch reproducibility (x86_64 -> arm64) 2023-06-18 11:47:54 -05:00