@hebasto
Last active March 28, 2024 10:11
The `bitcoin-core/guix.sigs` Repository Workflow


Common environment variables

export SIGNER="hebasto"
export GUIX_SIGS_REPO="/home/hebasto/guix.sigs"
export DETACHED_SIGS_REPO="/home/hebasto/bitcoin-detached-sigs"

Prerequisites

  1. Make sure your public key is available on https://keys.openpgp.org/.

  2. Fork the bitcoin-core/guix.sigs repository on GitHub (if not forked yet):

pushd $GUIX_SIGS_REPO
git remote add hebasto git@github.com:hebasto/guix.sigs.git
git config remote.pushDefault hebasto
popd

  3. The Xcode-15.0-15A240d-extracted-SDK-with-libcxx-headers subdirectory must reside in the depends/SDKs directory.

Preparing repository

If building for a tag:

VERSION=27.0rc2
git fetch
git checkout v$VERSION

Building

./contrib/guix/guix-build

Attesting non-codesigned binaries

./contrib/guix/guix-attest
pushd $GUIX_SIGS_REPO
git switch main
git pull
git checkout -b ${VERSION}-non-codesigned
git add $VERSION
git commit -m "Add attestations by $SIGNER for $VERSION non-codesigned"
git push
popd

Submit a PR to the bitcoin-core/guix.sigs repository on GitHub.

Signing binaries

pushd $DETACHED_SIGS_REPO
git fetch
git checkout v$VERSION
popd
./contrib/guix/guix-codesign

Attesting codesigned binaries

./contrib/guix/guix-attest
pushd $GUIX_SIGS_REPO
git switch main
git pull
git checkout -b ${VERSION}-codesigned
git add $VERSION
git commit -m "Add attestations by $SIGNER for $VERSION codesigned"
git push
popd

Submit a PR to the bitcoin-core/guix.sigs repository on GitHub.

Verifying

pushd $GUIX_SIGS_REPO
git switch main
git pull
popd
./contrib/guix/guix-verify
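
The point of collecting attestations is that independent builders report identical hashes for the same artifacts. The following is an added example, not code from this gist or from contrib/guix, that cross-checks the signers' files in a guix.sigs checkout; the directory layout and the noncodesigned/all file names are assumptions about what guix-attest writes, and the function only checks that a detached signature file is present, it does not verify it.

```shell
#!/bin/sh
# Added example; not part of the gist or of contrib/guix.
# Assumed layout: <repo>/<version>/<signer>/<kind>.SHA256SUMS plus a
# detached <kind>.SHA256SUMS.asc, with <kind> = noncodesigned or all.

# compare_attestations REPO VERSION KIND
# 0: every signer reports the same hash for each artifact and each file
#    has a non-empty .asc beside it; 1: mismatch or missing signature;
# 2: no attestations found. GPG signatures are NOT verified here.
compare_attestations() {
    repo=$1 version=$2 kind=$3 status=0
    set -- "$repo/$version"/*/"$kind.SHA256SUMS"
    if [ ! -e "$1" ]; then
        echo "no $kind attestations for $version" >&2
        return 2
    fi
    for sums in "$@"; do
        if [ ! -s "$sums.asc" ]; then
            echo "UNSIGNED $sums" >&2
            status=1
        fi
    done
    # SHA256SUMS lines are "<hash>  <artifact>"; remember the first hash
    # seen per artifact and report any signer that disagrees with it.
    awk '
        NF < 2 { next }
        { n = split(FILENAME, p, "/"); signer = p[n - 1] }
        ($2 in hash) && hash[$2] != $1 {
            printf "MISMATCH %s: %s=%s %s=%s\n", $2, who[$2], hash[$2], signer, $1
            bad = 1
            next
        }
        { hash[$2] = $1; who[$2] = signer }
        END { exit bad + 0 }
    ' "$@" || status=1
    return "$status"
}

# Usage, from the shell where the gist's variables are exported:
#   compare_attestations "$GUIX_SIGS_REPO" "$VERSION" noncodesigned
```

A non-zero result on a freshly pulled main branch is a reason to stop and compare build environments before adding your own attestation.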
@Emzy

Emzy commented Apr 16, 2021

tested, worked.

@jonatack

jonatack commented Jul 23, 2021

Very helpful doc! Thanks!

In Signing Binaries, the git checkout command should be git checkout v$VERSION (the "v" is missing).

@jonatack

(Maybe also state that the ./contrib/guix/guix-{build, attest, verify} commands should be run from the root of the bitcoin directory.)

@hebasto
Author

hebasto commented Jul 24, 2021

Very helpful doc! Thanks!

Thank you!

In Signing Binaries, the git checkout command should be git checkout v$VERSION (the "v" is missing).

Is it ok now?

@jonatack

In Signing Binaries, the git checkout command should be git checkout v$VERSION (the "v" is missing).

Is it ok now?

Seems good. Thanks!

@0xB10C

0xB10C commented Aug 4, 2021

Thank you! Very helpful.

@benthecarman

Is this possible without having an apple developer account?

@hebasto
Author

hebasto commented Aug 7, 2021

@willcl-ark

Thanks, very useful (and worked very well!)

@jamesob

jamesob commented Mar 8, 2022

Awesome, thanks @hebasto !

@0xB10C

0xB10C commented Mar 16, 2022
