e181bda061 guix: Apply all codesignatures to Windows binaries (Ava Chow)
aafbd23fd9 guix: Apply codesignatures to all MacOS binaries (Ava Chow)
3656b828dc contrib: Sign all Windows binaries too (Ava Chow)
31d325464d contrib: Sign and notarize all MacOS binaries (Ava Chow)
710d5b5149 guix: Update signapple (Ava Chow)
e8b3c44da6 build: Include all Windows binaries for codesigning (Ava Chow)
dd4ec840ee build: Include all MacOS binaries for codesigning (Ava Chow)
4e5c9ceb9d guix: Rename Windows unsigned binaries to unsigned.zip (Ava Chow)
d9d49cd533 guix: Rename MacOS binaries to unsigned.tar.gz (Ava Chow)
c214e5268f guix: Rename unsigned.tar.gz to codesigning.tar.gz (Ava Chow)
Pull request description:
I have updated signapple to notarize MacOS app bundles without adding any additional dependencies. Further, it can also sign and apply detached signatures to standalone binaries.
As such, we can use signapple to perform the notarization and stapling steps so that MacOS will run the app bundle after it is installed. `detached-sig-create.sh` is updated to have a notarization step and to download the ticket which will be included in the detached signatures. The workflow is largely unchanged for the MacOS codesigners except for the additional requirement of having an App Store Connect API key and Team UUID, instructions for which can be found at https://github.com/achow101/signapple/blob/master/docs/notarization.md. For guix builders, the workflow is unchanged.
Additionally, the standalone binaries packaged in the MacOS `.tar.gz` and Windows `.zip` will now be codesigned. `detached-sig-create.sh` was updated to handle these, so the workflow for both MacOS and Windows codesigners remains unchanged. For guix builders, the workflow is also unchanged.
Because those binaries will now have codesigned and unsigned versions, the build command is modified to output `-unsigned.{tar.gz,zip}` archives containing the binaries. Since this happens to conflict with the tarball used for codesigning, the codesigning tarball was renamed to `-codesigning.tar.gz`. Both MacOS and Windows codesigners will need to adjust their workflows to account for the new name.
Fixes #15774 and #29749
ACKs for top commit:
Sjors:
Tested ACK e181bda061
davidgumberg:
Tested ACK e181bda061.
pinheadmz:
tested ACK e181bda061
Tree-SHA512: ce0e2bf38e1748cdaa0d13be6f61c3289cd09cfb7d071a68b0b13d2802b3936c9112eda6e4c7b29c535c0995d56b14871442589cdcea2e7707e35c1b278b9263
This should be bumped every major release to avoid falling too far
behind, therefore making this feature as useful as it can be.
Document this in release-process.md to avoid forgetting to add a new
hardcoded height during release.
Signapple has been updated to sign individual binaries, and notarize app
bundles and binaries. When codesigning, all individual binaries will be
codesigned, and both the app bundle and individual binaries will be
notarized.
The tarballs used for codesigning are more than merely unsigned, they
also contain scripts and other data for codesigning. Rename them to
codesigning.tar.gz to distinguish from tarballs containing actually just
the unsigned binaries.
- Mention which directories contain the respective unsigned tarballs
- Clarify that bitcoin.conf might not need to be updated
- Specify where to put historical release notes if there is already
something in release-notes.md
- Clarify what exactly is the problem with running guix-codesign more
than once
- Correct number: 6 codesigned attestations are needed before uploading
binaries
- Remove scp command which is outdated
- Remove server path which is outdated
- Specify that translations update should happen before branch-off, not
before each release candidate
- Mention that you should notify lists when RCs are available
- Put "Archive the release notes" as a separate step, since creating the
github release has a dependency on it.
- Put bitcoincore.org website updates as a separate step, since
updating packaging repos may have a dependency on it.
- Update "bitcoin-dev mailing list" to "bitcoin-dev group"
- Document that maintainers should create PRs to collect backports
- Remove section about not uploading `*-debug` files, reader should
upload all build artifacts.
- Torrent is created automatically, so delete instructions.
- Mention that server also generates ots file automatically.
Nobody is pushing direct to guix.sigs, nor should they, as that
bypasses CI.
Use a newer example for the testing issue.
Don't duplicate the bitcoincore.org doc instructions.
a2bef805c1 kernel: update m_assumed_* chain params for 25.x (fanquake)
4128e01dba kernel: update chainTxData for 25.x (fanquake)
00b2b114b4 kernel: update nMinimumChainWork & defaultAssumeValid for 25.x (fanquake)
07fcc0a82c doc: update references to kernel/chainparams.cpp (fanquake)
Pull request description:
Update chainparams pre `25.x` branch off.
Co-Author in the commits as a PR (#27223) had previously been opened too-early to do the same.
Note: Remember that some variance is expected in the `m_assumed_*` sizes.
ACKs for top commit:
achow101:
ACK a2bef805c1
josibake:
ACK a2bef805c1
gruve-p:
ACK a2bef805c1
dergoegge:
ACK a2bef805c1 on the new mainnet params
Tree-SHA512: 0b19c2ef15c6b15863d6a560a1053ee223057c7bfb617ffd3400b1734cee8f75bc6fd7f04d8f8e3f5af6220659a1987951a1b36945d6fe17d06972004fd62610
This has been superseded by adding a builder-keys/ directory in
guix.sigs, where the presence of keys, and validity of signatures
is checked. Preventing issues like missing keys or invalid signatures.
New (or existing) Guix builders can add their key in the next PR
they open adding attestations.
74743ad905 Clarify in release process how to update defaultAssumeValid/nMinimumChainWork (Jon Atack)
415345d547 Release process: use 4096 blocks and getbestblockhash for getchaintxstats (Jon Atack)
fe048f7f7c Specify in release process which chains need to be updated (Jon Atack)
584147682a Reorganize release process chainparams section to reduce repetition (Jon Atack)
e8f844888f Clarify release process overhead note to be more actionable (Jon Atack)
e538eada7c Release process: exclude huge files for mainnet m_assumed_blockchain_size (laanwj)
b4d2d74767 Release process: specify blockchain/chain_state units, reduce repetition (Jon Atack)
318655c395 Add missing references to signet in the release process (Jon Atack)
Pull request description:
Release process updates, fixes and clarifications regarding updating the chainparams:
- add missing references to signet
- specify blockchain/chainstate units, reduce repetition
- exclude huge files for m_assumed_blockchain_size on mainnet
- rewrite overhead note to be more actionable
- reorganize the chainparams section to reduce repetition
- specify which chains need to be updated
- use 4096 blocks and getbestblockhash for getchaintxstats
- clarify how to update defaultAssumeValid and nMinimumChainWork
ACKs for top commit:
laanwj:
ACK 74743ad905
brunoerg:
re-ACK 74743ad905
Tree-SHA512: 7fc092be739f63c5d8404add2dcbcd0c570b680ff0ab36a9b5a774b2e930717beebaa6c867ab6db6795b3c234d9016ab1ae905a78d6ea6610140a59930c43029
fa4943e8df doc: Add template for empty release notes (MarcoFalke)
Pull request description:
* Move release process notes from the release notes to the release process documentation
* Clarify that wallet RPC or Settings related release notes snippets should not be duplicated. I think it should be sufficient to only mention them in the wallet section and leave them out from the general RPC section.
* Create an empty template to ensure the release notes can be cleared with a single `cp` command. Also, this ensures that the "no duplication" note isn't deleted again. (We used to have it in at least the 22.0 and 21.0 release notes: https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-0.21.0.md#updated-settings , but it was lost in the 23.0 notes)
ACKs for top commit:
laanwj:
ACK fa4943e8df
Tree-SHA512: 808e100ee1e371f7746a479ddfb237c6895935cffefc0e49033505492a03288013d5c20386af30f2a7dca8ad0c0628bdb6673dcb5cc4fcf4d0183b0ec65ce941
87f54060ff doc: Swap gen-manpages and update RC steps in release process (laanwj)
42c202893b doc: Fix gen-manpages, rewrite in Python (laanwj)
Pull request description:
Rewrite the manual page generation script in Python.
This:
- solves '-' stripping issue (fixes #22681)
- makes that a copyright footer is generated correctly again
Also change the release process to swap gen-manpages and update RC steps, so that the pages will have the correct rc and/or final version.
ACKs for top commit:
dongcarl:
Code Review ACK 87f54060ff
fanquake:
ACK 87f54060ff - tested generating and opening the man pages locally, but didn't run through the release process. Will propose some changes to address consolidating the help / version output.
Tree-SHA512: 39254721ca84e4f223a321c554f2e08c36428b15019a0f9fa3eff408b4c6f1e1d74941143f4d2927427afa3ad7a7e6f999d6ec660132d817809b640a87ae9f7d
64645fa3e0 Release process: fix broken link to Guix building docs (Jeremy Rand)
Pull request description:
Not 100% sure whether this link was always broken or if the Guix docs renamed the heading at some point. Either way, seems good to fix it.
ACKs for top commit:
fanquake:
ACK 64645fa3e0
Tree-SHA512: 4932059fe583c0d27c70febf8f4dd8cffd3e15567359c5429d2691e221afc6da319bf43ebcd264ae0f98302e1eeb67ffd763d3d7d06ab1633913555ee7461643
The uploaded binaries need to match the same flat directory structure of
the SHA256SUMS file in order for torrent downloaders to be able to
verify the download without moving files. Mention this in the release
process doc.