mirrors/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2024-11-19 09:53:47 +01:00
Code Issues Projects Releases Wiki Activity

doc: rewrite some of the macdeploy docs

Browse Source 
Somewhat of a followup to #21778.
This commit is contained in:
fanquake 2024-06-13 17:07:34 +01:00
parent d042230f7a
commit 7c298fe0df
No known key found for this signature in database
GPG Key ID: 2EEB9F5CC09526C1
1 changed files with 13 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
contrib/macdeploy/README.md
View File

@ -56,30 +56,22 @@ The `sha256sum` should be `c0c2e7bb92c1fee0c4e9f3a485e4530786732d6c6dd9e9f418c28
## Deterministic macOS App Notes ## Deterministic macOS App Notes
macOS Applications are created in Linux using a recent LLVM. macOS Applications are created on Linux using a recent LLVM.
Apple uses `clang` extensively for development and has upstreamed the necessary All builds must target an Apple SDK. These SDKs are free to download, but not redistributable.
functionality so that a vanilla clang can take advantage. It supports the use of `-F`, See the SDK Extraction notes above for how to obtain it.
`-target`, `-mmacosx-version-min`, and `-isysroot`, which are all necessary when
building for macOS.
To complicate things further, all builds must target an Apple SDK. These SDKs are free to The Guix build process has been designed to avoid including the SDK's files in Guix's outputs.
download, but not redistributable. See the SDK Extraction notes above for how to obtain it. All interim tarballs are fully deterministic and may be freely redistributed.
The Guix process builds 2 sets of files: Linux tools, then Apple binaries which are Using an Apple-blessed key to sign binaries is a requirement to produce (distributable) macOS
created using these tools. The build process has been designed to avoid including the binaries. Because this private key cannot be shared, we'll have to be a bit creative in order
SDK's files in Guix's outputs. All interim tarballs are fully deterministic and may be freely for the build process to remain somewhat deterministic. Here's how it works:
redistributed.
As of OS X 10.9 Mavericks, using an Apple-blessed key to sign binaries is a requirement in
order to satisfy the new Gatekeeper requirements. Because this private key cannot be
shared, we'll have to be a bit creative in order for the build process to remain somewhat
deterministic. Here's how it works:
- Builders use Guix to create an unsigned release. This outputs an unsigned ZIP which - Builders use Guix to create an unsigned release. This outputs an unsigned ZIP which
users may choose to bless and run. It also outputs an unsigned app structure in the form users may choose to bless, self-codesign, and run. It also outputs an unsigned app structure
of a tarball. in the form of a tarball.
- The Apple keyholder uses this unsigned app to create a detached signature, using the - The Apple keyholder uses this unsigned app to create a detached signature, using the
script that is also included there. Detached signatures are available from this [repository](https://github.com/bitcoin-core/bitcoin-detached-sigs). included script. Detached signatures are available from this [repository](https://github.com/bitcoin-core/bitcoin-detached-sigs).
- Builders feed the unsigned app + detached signature back into Guix. It uses the - Builders feed the unsigned app + detached signature back into Guix, which combines the
pre-built tools to recombine the pieces into a deterministic ZIP. pieces into a deterministic ZIP.