Commit Graph

19 Commits

Author SHA1 Message Date
Andrew Chow
3e693ddfb5
Merge bitcoin/bitcoin#25788: guix: patch NSIS to remove .reloc sections from installer stubs
7a0b129c41d9fefdbc20d6d04983dd87bb8379e7 guix: patch NSIS to remove .reloc sections from install stubs (fanquake)

Pull request description:

  With the release of binutils/ld 2.36, ld swapped to much improved
  default settings when producing windows binaries with mingw-w64. One of
  these changes was to stop stripping the .reloc section from binaries,
  which is required for working ASLR.

  When we switched to using a newer Guix time-machine in #23778, we begun
  using binutils 2.37 to produce releases. Since then, our windows
  installer (produced with makensis) has not functioned correctly when run on
  a Windows system with the "Force randomization for images (Mandatory ASLR)"
  option enabled. Note that all of our other release binaries, which all
  contain .reloc sections, function fine under the same option, so it
  cannot be just the presence of a .reloc section that is the issue.

  The root cause of the problem is that when we compile NSIS (makensis), a number
  of exe installer stubs are produced at the same time, for use later when makensis
  is actually run. Given the new linker defaults, the stubs will contain .reloc sections,
  when previously they would not. It seems that, in combination with how makensis
  mutates the stub when it actually builds the installer, causes the problem.

  According to upstream, https://sourceforge.net/p/nsis/bugs/1131/#abb6:
  > Looks like the problem is the very existance of the .reloc section.
  > It's not supposed to be there, and makensis doesn't handle it.

  The most recent .reloc related upstream activity is in
  https://sourceforge.net/p/nsis/bugs/1283/, where the conclusion again seemed to
  be that .relo sections are not wanted, but there hasn't been any further follow up.

  For now, restore pre-binutils-2.36 behaviour, by passing `-Wl,--disable-reloc-section`
  to the linker when building the installer stubs, which fixes the produced installer.
  The underlying issue can be further investigated in future.

  .reloc section stripping is something we've accounted for previously,
  see #18702, and related upstream discussion is in this thread:
  https://sourceware.org/bugzilla/show_bug.cgi?id=19011.

  Fixes #25726.

  Guix Build (x86_64):
  ```bash
  7e0723388913ac1ec9f650b943c6b23351ba0cd921c0ec830abf16b16724d503  guix-build-7a0b129c41d9/output/dist-archive/bitcoin-7a0b129c41d9.tar.gz
  c3bb9c68895ffafa2900b0d18c1268e299d012a7dc70593f20f9900cf116eb05  guix-build-7a0b129c41d9/output/x86_64-w64-mingw32/SHA256SUMS.part
  b57aa99c242b0aae64653c64ada38f6d3f0cbd902bbc096d3dc529fdcf87d681  guix-build-7a0b129c41d9/output/x86_64-w64-mingw32/bitcoin-7a0b129c41d9-win64-debug.zip
  341d99afc9961299883be6cd9666e8bc0f3f6296cff758719a32d27419acad36  guix-build-7a0b129c41d9/output/x86_64-w64-mingw32/bitcoin-7a0b129c41d9-win64-setup-unsigned.exe
  1d9ef48d3c9ed93a925962356b41cdaeb9d09fd758de193cd4d5f4d1ec6791eb  guix-build-7a0b129c41d9/output/x86_64-w64-mingw32/bitcoin-7a0b129c41d9-win64-unsigned.tar.gz
  28c81d99a9a4bd6648449393f91db213369e958add579ba9e9a1721540d2c4f7  guix-build-7a0b129c41d9/output/x86_64-w64-mingw32/bitcoin-7a0b129c41d9-win64.zip
  ```

  Guix Build (arm64):
  ```bash
  7e0723388913ac1ec9f650b943c6b23351ba0cd921c0ec830abf16b16724d503  guix-build-7a0b129c41d9/output/dist-archive/bitcoin-7a0b129c41d9.tar.gz
  c3bb9c68895ffafa2900b0d18c1268e299d012a7dc70593f20f9900cf116eb05  guix-build-7a0b129c41d9/output/x86_64-w64-mingw32/SHA256SUMS.part
  b57aa99c242b0aae64653c64ada38f6d3f0cbd902bbc096d3dc529fdcf87d681  guix-build-7a0b129c41d9/output/x86_64-w64-mingw32/bitcoin-7a0b129c41d9-win64-debug.zip
  341d99afc9961299883be6cd9666e8bc0f3f6296cff758719a32d27419acad36  guix-build-7a0b129c41d9/output/x86_64-w64-mingw32/bitcoin-7a0b129c41d9-win64-setup-unsigned.exe
  1d9ef48d3c9ed93a925962356b41cdaeb9d09fd758de193cd4d5f4d1ec6791eb  guix-build-7a0b129c41d9/output/x86_64-w64-mingw32/bitcoin-7a0b129c41d9-win64-unsigned.tar.gz
  28c81d99a9a4bd6648449393f91db213369e958add579ba9e9a1721540d2c4f7  guix-build-7a0b129c41d9/output/x86_64-w64-mingw32/bitcoin-7a0b129c41d9-win64.zip
  ```

ACKs for top commit:
  achow101:
    ACK 7a0b129c41d9fefdbc20d6d04983dd87bb8379e7
  hebasto:
    ACK 7a0b129c41d9fefdbc20d6d04983dd87bb8379e7
  jarolrod:
    ACK 7a0b129c41d9fefdbc20d6d04983dd87bb8379e7

Tree-SHA512: 9e14e98207d20236b833603319fc4bb335c878a7c179ab495b33d143e2a900c6926125536bbb7499ee4f0f676cd5ea45c8c86cd7e544ed9a76bb298f98db6197
2024-02-29 09:34:59 -06:00
fanquake
22e7845cf2
Merge bitcoin/bitcoin#25508: guix: use elfesteem 2eb1e5384ff7a220fd1afacd4a0170acff54fe56
103c0d9f7e084c94ba7d83a44e784ab0b4a6d8e4 guix: use elfesteem 2eb1e5384ff7a220fd1afacd4a0170acff54fe56 (fanquake)

Pull request description:

  Our patch has been merged upstream, see https://github.com/LRGH/elfesteem/pull/3.

  Guix Build (x86_64):
  ```bash
  3deb66d386587e7ce29b92528170081d9e74443ddf50d07b72aacaee31c11641  guix-build-103c0d9f7e08/output/aarch64-linux-gnu/SHA256SUMS.part
  5f53a059ccf07181fa1154dc6ab741a9beda663a48d123d2aa4256ca7d38497a  guix-build-103c0d9f7e08/output/aarch64-linux-gnu/bitcoin-103c0d9f7e08-aarch64-linux-gnu-debug.tar.gz
  20cdb705439ff54822f7c3cad12254b46f8ff93aae58f1716253f39bd734eaf1  guix-build-103c0d9f7e08/output/aarch64-linux-gnu/bitcoin-103c0d9f7e08-aarch64-linux-gnu.tar.gz
  ae51fb2ef8e76326bde4693f778444a5c21df1feba42b161e667c5f069aae967  guix-build-103c0d9f7e08/output/arm-linux-gnueabihf/SHA256SUMS.part
  0ffeaa089582871a578069c0251bf51823624274c23c2fd65f04d2a3e50f3296  guix-build-103c0d9f7e08/output/arm-linux-gnueabihf/bitcoin-103c0d9f7e08-arm-linux-gnueabihf-debug.tar.gz
  71f3da47678d8169414ef0072271604fa550e84ce86979706b3b289a1521a119  guix-build-103c0d9f7e08/output/arm-linux-gnueabihf/bitcoin-103c0d9f7e08-arm-linux-gnueabihf.tar.gz
  f5d13de726f7705e946a2b3a63d182d8c7e70e3adc9a92552676898e9819db27  guix-build-103c0d9f7e08/output/arm64-apple-darwin/SHA256SUMS.part
  e411e8f0cc3ab18981ccb65768a6af1622748c14b6e0513401179bcd0df519a7  guix-build-103c0d9f7e08/output/arm64-apple-darwin/bitcoin-103c0d9f7e08-arm64-apple-darwin-unsigned.dmg
  d7e9aa52f9b0a0249445e926753978d6845bab0c02639d162879b921f237b8ce  guix-build-103c0d9f7e08/output/arm64-apple-darwin/bitcoin-103c0d9f7e08-arm64-apple-darwin-unsigned.tar.gz
  cefde91f0b75a27e945f190194dbe0dab5653a6bcc91b18bec34d952aebd72d7  guix-build-103c0d9f7e08/output/arm64-apple-darwin/bitcoin-103c0d9f7e08-arm64-apple-darwin.tar.gz
  0b399fd5f7a85974ab25933575a0173c814d4ab578d16ab13896bb51e408b92f  guix-build-103c0d9f7e08/output/dist-archive/bitcoin-103c0d9f7e08.tar.gz
  22d6a771d2eab73ab328c8b472160333dd52c6f734761f466c79251a37bd1895  guix-build-103c0d9f7e08/output/powerpc64-linux-gnu/SHA256SUMS.part
  a6e598b022683e0858be8bd4a6d75bc15f2fbc7632c45f8b03c7a8dff367343a  guix-build-103c0d9f7e08/output/powerpc64-linux-gnu/bitcoin-103c0d9f7e08-powerpc64-linux-gnu-debug.tar.gz
  04ea54706ac47f8880ae0fcddabb0f4fe899a0bacf52d0d936dbbc1149e14e10  guix-build-103c0d9f7e08/output/powerpc64-linux-gnu/bitcoin-103c0d9f7e08-powerpc64-linux-gnu.tar.gz
  059a7018ce96e141c258d516b85c3ee95f02b61dc2db4931fa14993b2bd945e3  guix-build-103c0d9f7e08/output/powerpc64le-linux-gnu/SHA256SUMS.part
  aacaa0e4827808ed189152c6f1a4e0d9300b89136a7dc064fd045f700ee06084  guix-build-103c0d9f7e08/output/powerpc64le-linux-gnu/bitcoin-103c0d9f7e08-powerpc64le-linux-gnu-debug.tar.gz
  4041f8de495b4633df0e28d75ab6cfd0bfe7ec9292384ce4d3331383d06da310  guix-build-103c0d9f7e08/output/powerpc64le-linux-gnu/bitcoin-103c0d9f7e08-powerpc64le-linux-gnu.tar.gz
  1586a47797a803cab03a9ebcd207eb395e1651c443e9192ac2b144b85e014762  guix-build-103c0d9f7e08/output/riscv64-linux-gnu/SHA256SUMS.part
  74f088bca4e7c0d44e6b7161ee4c835b38bc9291c78f37e53d3ede2da98d52c0  guix-build-103c0d9f7e08/output/riscv64-linux-gnu/bitcoin-103c0d9f7e08-riscv64-linux-gnu-debug.tar.gz
  12cfe35b28de03f2355d6fb5ed9393001d3b5a06b12a2792cb863ca4ae61db17  guix-build-103c0d9f7e08/output/riscv64-linux-gnu/bitcoin-103c0d9f7e08-riscv64-linux-gnu.tar.gz
  b021e117d1e92ad105234661468efeab98246db79d51267a766399776999bafe  guix-build-103c0d9f7e08/output/x86_64-apple-darwin/SHA256SUMS.part
  0a6c9d00f9ea2d67ca58c867258bb1b595a3141d5f199ffb047f7235bb2863a6  guix-build-103c0d9f7e08/output/x86_64-apple-darwin/bitcoin-103c0d9f7e08-x86_64-apple-darwin-unsigned.dmg
  a7df5f759e792e4fae46ab7ddca5db8cff8973aa33d7d99c4bfbf7c04c2d3013  guix-build-103c0d9f7e08/output/x86_64-apple-darwin/bitcoin-103c0d9f7e08-x86_64-apple-darwin-unsigned.tar.gz
  801ec4f81af5f184cc0e0fcf650f4e5822d895a4202c35575f46e1c63498b1aa  guix-build-103c0d9f7e08/output/x86_64-apple-darwin/bitcoin-103c0d9f7e08-x86_64-apple-darwin.tar.gz
  813e9c9c6e0ce430d2096963dbffeb141f239d67b334e44b3fd1f1bc9246758d  guix-build-103c0d9f7e08/output/x86_64-linux-gnu/SHA256SUMS.part
  43e7afc360267fea8e1620e0c2ea40c45af07debbd646abf9fe631465c2e2c47  guix-build-103c0d9f7e08/output/x86_64-linux-gnu/bitcoin-103c0d9f7e08-x86_64-linux-gnu-debug.tar.gz
  0c5fc4b3c5bf4a53f1f9710cd738d5c0bbe6a2f0dc45e91f92065ae766b63635  guix-build-103c0d9f7e08/output/x86_64-linux-gnu/bitcoin-103c0d9f7e08-x86_64-linux-gnu.tar.gz
  08c031137c2c472a944f3220cf3812a8ec1dd70da9b0f264361ba16badb65b9f  guix-build-103c0d9f7e08/output/x86_64-w64-mingw32/SHA256SUMS.part
  4bbdc405075001b61e7cc48974e4b987c887a861add6db419fb51eccd914fbb0  guix-build-103c0d9f7e08/output/x86_64-w64-mingw32/bitcoin-103c0d9f7e08-win64-debug.zip
  8de95b683500300a787dd1d0d74580e9d6ab448f00f4c32e58ad830b763f2755  guix-build-103c0d9f7e08/output/x86_64-w64-mingw32/bitcoin-103c0d9f7e08-win64-setup-unsigned.exe
  36202c352d1f3b238daa00126f7ad369e53a510a32bb2585d69f967ef02aff48  guix-build-103c0d9f7e08/output/x86_64-w64-mingw32/bitcoin-103c0d9f7e08-win64-unsigned.tar.gz
  6255922a31502a23ea323095dec2d176bca22977222936fc7857a55ac001f6e9  guix-build-103c0d9f7e08/output/x86_64-w64-mingw32/bitcoin-103c0d9f7e08-win64.zip
  ```

ACKs for top commit:
  hebasto:
    ACK 103c0d9f7e084c94ba7d83a44e784ab0b4a6d8e4, I have reviewed the code and it looks OK.

Tree-SHA512: 421956999d2daedbce2e94a13dffa20b2dafb36ca5ffa094d8dca79eb5e60ec91bfade59cd24da548b45aec00f688d570e61a3567ea8075c25d198ac7fc4efff
2024-02-07 10:14:44 -06:00
Kittywhiskers Van Gogh
a7cb99b184 build: use glibc 2.28 for all Linux builds 2023-08-01 12:07:31 -05:00
Kittywhiskers Van Gogh
a44a1a94f6 merge bitcoin#27668: document when certain guix patches can be dropped 2023-08-01 12:07:31 -05:00
Kittywhiskers Van Gogh
04d77f72e9 merge bitcoin#27029: consolidate to glibc 2.27 for Linux builds 2023-08-01 12:07:31 -05:00
Kittywhiskers Van Gogh
0a7b8bda4f merge bitcoin#25357: drop -z,noexecstack for PPC64 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
9c5d657c54 merge bitcoin#26018: consistently use -ffile-prefix-map 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
51675eef1d merge bitcoin#25558: Make windows cross architecture reproducible 2023-06-18 11:47:54 -05:00
Kittywhiskers Van Gogh
cc1fcb0f44 merge bitcoin#25490: more cross arch reproducibility (x86_64 -> arm64) 2023-06-18 11:47:54 -05:00
Kittywhiskers Van Gogh
fe4b87cabb merge bitcoin#25076: native GCC 10 toolchain for Linux builds 2023-06-18 11:47:54 -05:00
Kittywhiskers Van Gogh
808367dd7c merge bitcoin#24842: fix GCC 10.3.0 + mingw-w64 setjmp/longjmp issues 2023-06-18 11:47:54 -05:00
Kittywhiskers Van Gogh
edf48e4c38 merge bitcoin#24736: fix vmov alignment issues with gcc 10.3.0 & mingw-w64 2023-06-18 11:47:54 -05:00
Kittywhiskers Van Gogh
1158ebb2e6 merge bitcoin#23778: Guix 1.4.0 & GCC 10.3 2023-06-18 11:47:54 -05:00
Kittywhiskers Van Gogh
24a6642b6f partial bitcoin#22381: Test security-check sanity before performing them (with macOS)
excludes:
- d6ef3543ae16847d5a91fa9271acee9bd2164b32
2023-06-07 14:42:02 +05:30
Konstantin Akimov
559190fb27 docs: dashification of guix 2023-04-15 12:13:27 -05:00
fanquake
088342b617 partial Merge bitcoin/bitcoin#22405: build: remove --enable-glibc-back-compat from Guix build
797b3ed9090030f32fade81803b580562d4a90a3 script: remove gitian reference from symbol-check.py (fanquake)
15fc9a0299091bfeb3370f993ad95ff638f6ba8c guix: add additional documentation to patches (fanquake)
4516e5ec9223486fe2eba7f4320d786d074a58fd lint: exclude Guix patches from spell-checking (fanquake)
de6ca41a52d2646598daae5f4620bbe766757e21 guix: no-longer pass --enable-glibc-back-compat to Guix (fanquake)
84dd81fb5bf7308b8070b53520266854fb6efad3 build: remove glibc backcompat requirement for Linux symbol checks (fanquake)

Pull request description:

  Now that our Guix toolchains are based on glibc 2.24 and 2.27 (RISCV), we don't need to use the `--enable-glibc-back-compat` option to produce binaries that don't use any symbols from glibc 2.17 and 2.27 or later.

  This also adds additional documentation to some Guix patches (pointed out in #22365) and removes Guix patches from the spelling linter, because that isn't our spelling.

  Symbol usage: https://gist.github.com/fanquake/d15604fc580718444c5aa4b3c3c75fdc.

  Guix Builds:
  ```bash
  bash-5.1# find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
  ed54e6a6cf4fab328557c0c72eb08c73f2a58c6c70959544cf4b1882e75ea69e  guix-build-797b3ed90900/output/aarch64-linux-gnu/SHA256SUMS.part
  83bd9dadc59f89f848d143fa4fc3964f16fe0b4bdf35e5093b577ff2c4bd1f43  guix-build-797b3ed90900/output/aarch64-linux-gnu/bitcoin-797b3ed90900-aarch64-linux-gnu-debug.tar.gz
  94cb8c35281f12dec6ea5b390b66cad5e27ac8c45a30c42c8d38c438695d54c0  guix-build-797b3ed90900/output/aarch64-linux-gnu/bitcoin-797b3ed90900-aarch64-linux-gnu.tar.gz
  7318b63d65c0aa52d2446de8e1f40658d2e47ab8fb0268820c3b7585d140fb23  guix-build-797b3ed90900/output/arm-linux-gnueabihf/SHA256SUMS.part
  95e1ffb372964b73f539653ca703b70cf0c018801a9c4c0ffc46a0b63539253c  guix-build-797b3ed90900/output/arm-linux-gnueabihf/bitcoin-797b3ed90900-arm-linux-gnueabihf-debug.tar.gz
  039d3842e6499626cf955ae0a7590dd6b3d0935cdc217c98aaf9d156b0ebd3b4  guix-build-797b3ed90900/output/arm-linux-gnueabihf/bitcoin-797b3ed90900-arm-linux-gnueabihf.tar.gz
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  guix-build-797b3ed90900/output/dist-archive/SKIPATTEST.TAG
  2c4e7b6e7aff63ba811e5bf59362d16866c3a358f8844fba8739a61192870622  guix-build-797b3ed90900/output/dist-archive/bitcoin-797b3ed90900.tar.gz
  955029b949c368eabd517dd33040d2f01e2ac6a55e7b4f9107907a7c6e0c6060  guix-build-797b3ed90900/output/powerpc64-linux-gnu/SHA256SUMS.part
  fd6d6b137f8efedf58a879d11205b1d4649e1f97d7f91e193239ef206fcc285d  guix-build-797b3ed90900/output/powerpc64-linux-gnu/bitcoin-797b3ed90900-powerpc64-linux-gnu-debug.tar.gz
  51736ac8e77737999f1b5bd4c381b0016f19a8d5e40e786fe941ff04e84c11c9  guix-build-797b3ed90900/output/powerpc64-linux-gnu/bitcoin-797b3ed90900-powerpc64-linux-gnu.tar.gz
  8c244c16bfa46c1efdb120e1d91fdd14d3f14eefee8d7e1fbb0a9b4664a5c315  guix-build-797b3ed90900/output/powerpc64le-linux-gnu/SHA256SUMS.part
  704ee593251a1b1c65a5bebeef93b23f266af4e8cbf8ae556150c3b2e8f06a6c  guix-build-797b3ed90900/output/powerpc64le-linux-gnu/bitcoin-797b3ed90900-powerpc64le-linux-gnu-debug.tar.gz
  0ec06ae7d344de20d61e3965d8b383747ef20b0e9d93a3165733ea23bdf2ead8  guix-build-797b3ed90900/output/powerpc64le-linux-gnu/bitcoin-797b3ed90900-powerpc64le-linux-gnu.tar.gz
  2dd6c6ecc67b0ea40ca9c43f92efca81ccd054b8db8c197ad84ad9674d510a25  guix-build-797b3ed90900/output/riscv64-linux-gnu/SHA256SUMS.part
  5ebb27a855a677f7a188d83995be6b2a3ea8606be152abb7fc7832713fb0677a  guix-build-797b3ed90900/output/riscv64-linux-gnu/bitcoin-797b3ed90900-riscv64-linux-gnu-debug.tar.gz
  bdaf1783f5e1861597afa37c1880364e118d9a7a7af8017302d82202791019f6  guix-build-797b3ed90900/output/riscv64-linux-gnu/bitcoin-797b3ed90900-riscv64-linux-gnu.tar.gz
  726c9092b60ac2e7d7e14b2c24467fcf276a6f89170a871ddab9dce6ac230699  guix-build-797b3ed90900/output/x86_64-apple-darwin18/SHA256SUMS.part
  2af4d709b44952654f3c08c86593bf2ccc9a44ed422783a1b95b8a199a894db2  guix-build-797b3ed90900/output/x86_64-apple-darwin18/bitcoin-797b3ed90900-osx-unsigned.dmg
  fd49ba445aa6cf3d8c47019a05e9e5740cb0f53349344dd80671297127f49f1a  guix-build-797b3ed90900/output/x86_64-apple-darwin18/bitcoin-797b3ed90900-osx-unsigned.tar.gz
  3f51cbf8cf18420d4be70e656aa993675cf5e828a255c2030047ae2e059ed5b7  guix-build-797b3ed90900/output/x86_64-apple-darwin18/bitcoin-797b3ed90900-osx64.tar.gz
  afd1edee1447bb88d81e972abfae4c4e065b5b1827769f033cff9472084c7c1b  guix-build-797b3ed90900/output/x86_64-linux-gnu/SHA256SUMS.part
  ec468ef886d25e685f4f7a18b4f7d497dedf757495e0d5beb72c23cc32ab69b5  guix-build-797b3ed90900/output/x86_64-linux-gnu/bitcoin-797b3ed90900-x86_64-linux-gnu-debug.tar.gz
  1934d7294f0c9e083d38a3f68d4a61cd679defa79ce0a89f77386978692b9b18  guix-build-797b3ed90900/output/x86_64-linux-gnu/bitcoin-797b3ed90900-x86_64-linux-gnu.tar.gz
  94c11c328a628052eb6f50e9816aa768f87ea7acfbbbafdab60f6928da766811  guix-build-797b3ed90900/output/x86_64-w64-mingw32/SHA256SUMS.part
  fd371922ba93d81bd4a2b711d617af6756f9f0494db6d83aa0e5f491a24168ef  guix-build-797b3ed90900/output/x86_64-w64-mingw32/bitcoin-797b3ed90900-win-unsigned.tar.gz
  4e4ad976bc029bbbf9596ad8493accaaba8b0d5c598dd342f8da330609bbdf21  guix-build-797b3ed90900/output/x86_64-w64-mingw32/bitcoin-797b3ed90900-win64-debug.zip
  3a89a16b9101e9a17d98efb9234b5bdd264c0bba2c6326511017730e1a08311f  guix-build-797b3ed90900/output/x86_64-w64-mingw32/bitcoin-797b3ed90900-win64-setup-unsigned.exe
  e285ab737e3c843fd3f1c26c2f053e421a3c39b33995747ce48281884d3f28d1  guix-build-797b3ed90900/output/x86_64-w64-mingw32/bitcoin-797b3ed90900-win64.zip
  ```

ACKs for top commit:
  sipa:
    utACK 797b3ed9090030f32fade81803b580562d4a90a3
  hebasto:
    ACK 797b3ed9090030f32fade81803b580562d4a90a3

Tree-SHA512: 3a569702d8832c155c5ce8d2f6d823f7f12603885576078bc5192bc9038a48261ecb541800f79d1e9bc86d71fa640265c5b8b89df9d8bb680b3bb05d9d78a666
2023-03-26 16:50:26 -05:00
fanquake
7084e52141 Merge bitcoin/bitcoin#22365: guix: Avoid relying on newer symbols by rebasing our cross toolchains on older glibcs
647f7e5f1da1089d451f3c431efc635b8e87b064 guix: Also sort SHA256SUMS.part (Carl Dong)
dc4137a60c99979b89f75d2bddba96d043f387b8 guix: Build depends/qt with our platform definition (Carl Dong)
16b0a936e15b81710755303e11ef51f608b61475 guix: Rebase toolchain on glibc 2.24 (2.27 for riscv64) (Carl Dong)

Pull request description:

  After this PR, we'll have the following:
  - riscv64 -> build with a toolchain targeting glibc 2.27
  - everything else -> builds with a toolchain targeting glibc 2.24, but will not have symbols > 2.17 (checked by `symbol-check.py`)

ACKs for top commit:
  achow101:
    reACK 647f7e5f1da1089d451f3c431efc635b8e87b064
  hebasto:
    ACK 647f7e5f1da1089d451f3c431efc635b8e87b064
  MarcoFalke:
    review ACK 647f7e5f1da1089d451f3c431efc635b8e87b064
  fanquake:
    ACK 647f7e5f1da1089d451f3c431efc635b8e87b064 - documentation can be fixed shortly.

Tree-SHA512: ddff57a5d7c053687b0a273720d4ad7d28c6fc8816226d4304869284d017af5e3630d4b57565d91e74f2e1b7583c9c83ee8b2e5e70e41d619ab618e602c97a94
2023-03-26 16:50:26 -05:00
W. J. van der Laan
033e30de8b Merge bitcoin/bitcoin#21239: guix: Add codesignature attachment support for osx+win
ee883201cf134952284632e9e9ae72bf1c8c792f guix: repro: Sort find output in libtool for gcc-8 (Carl Dong)
ee0a67c32a8861eab650bf8894af06807578eba0 codesigning: Use SHA256 as digest for osslsigncode (Windows) (Carl Dong)
38eb91eb0616ed6dbe34c23e11588d130fef07f8 guix: Add codesigning functionality (Carl Dong)
bac2690e6f683fcedb883fe1d32f3c33c628a141 guix: Package codesigning tools (Carl Dong)
0a2176d47767972e4cd5ed302c1dbeedece1708b guix: Reindent existing manifest.scm (Carl Dong)
c090a3e9238ba2df07875b4708e908d8dca4ed9b Makefile.am: use APP_DIST_DIR instead of hard-coding dist (Carl Dong)

Pull request description:

  This is the last PR before we reach feature-parity with the Gitian process!

  Note: I tried using the `Makefile` inside the distsrc to make the dmg instead of manually listing out the commands, but `make` seems to want to re-make a lot of other files which broke the dmg.

  The workflow looks something like this:
  1. `env [ FOO=bar... ] ./contrib/guix/guix-build` (add additional env vars as necessary)
  2. Codesigners only:
      1.  Copy `guix-build-<short-id>/output/x86_64-apple-darwin18/bitcoin-<short-id>-osx-unsigned.tar.gz` and `guix-build-<short-id>/output/x86_64-w64-mingw32/bitcoin-<short-id>-win-unsigned.tar.gz` to signing computer
      2. Codesign with `./detached-sig-create.sh` inside the tarball
      3. Upload contents of `signature-{osx,win}.tar.gz` to https://github.com/bitcoin-core/bitcoin-detached-sigs (as a new tag)
  3. Checkout new tag for `bitcoin-core/bitcoin-detached-sigs` with the detached signatures
  4. `env [ FOO=bar... ] DETACHED_SIGS_REPO=<path/to/bitcoin-detached-sigs> ./contrib/guix/guix-codesign` (modify env vars as necessary)
  5. Make sure `guix.sigs` is cloned and updated
  6. `env GUIX_SIGS_REPO=<path/to/guix.sigs> SIGNER=0x96AB007F1A7ED999=dongcarl ./contrib/guix/guix-attest` (modify env vars as necessary)
  7. Commit your new signatures and SHA256SUMS in `guix.sigs`
  8. Optionally, after there are multiple signatures in `guix.sigs`: `env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify`

ACKs for top commit:
  laanwj:
    Tested ACK ee883201cf134952284632e9e9ae72bf1c8c792f
  achow101:
    ACK ee883201cf134952284632e9e9ae72bf1c8c792f

Tree-SHA512: e812a07a5f19f900600c70cb9c717769ef544a6c0c12760b5558b76b6b37df863257f3dbf38b0757e6e06e334470267e94c9f2bdbc27409d6837b1a0bfc6acbc
2023-03-26 16:50:26 -05:00
fanquake
1c79710e65 Merge #20937: guix: Make nsis reproducible by respecting SOURCE-DATE-EPOCH
1fca9811e1331ac5dae8188f6178cc37da4929a7 lint: Skip whitespace lint for guix patches (Carl Dong)
a91c46c57d88fc399432afab7bb0fb14c3e490a7 guix: Make nsis reproducible by respecting SOURCE-DATE-EPOCH (Carl Dong)

Pull request description:

  ```
  When building nsis, if VERSION is not specified, it defaults to
  cvs_version which is non-deterministic as it includes the current date.

  This patches nsis to default to SOURCE_DATE_EPOCH if it exists so that
  nsis is reproducible.

  Upstream change: https://github.com/kichik/nsis/pull/13
  ```

  Sidenote: also a good demonstration of how Guix allows us to flexibly patch our tools!

  Note to reviewers: if you want to compare hashes, please build after Jan 16th 2021 without my substitute server enabled!

ACKs for top commit:
  fanquake:
    ACK 1fca9811e1331ac5dae8188f6178cc37da4929a7

Tree-SHA512: b800e0ce5f73827ad353739effb9167ec3a6bdb362c725ae20dd3f025ce78660f85c70ce1d75cd0896facf1e8fe38a9e058459ed13dec71ab3a2fe41e20eaa5d
2023-03-26 16:50:26 -05:00