Skip to content

Instantly share code, notes, and snippets.

@hebasto

hebasto/guix-sigs.md

Last active March 28, 2024 10:11
Show Gist options
  • Save hebasto/7293726cbfcd0b58e1cfd5418316cee3 to your computer and use it in GitHub Desktop.
Save hebasto/7293726cbfcd0b58e1cfd5418316cee3 to your computer and use it in GitHub Desktop.
Download ZIP
The `bitcoin-core/guix.sigs` Repository Workflow
Raw
guix-sigs.md

The bitcoin-core/guix.sigs Repository Workflow

Common environment variables

export SIGNER="hebasto"
export GUIX_SIGS_REPO="/home/hebasto/guix.sigs"
export DETACHED_SIGS_REPO="/home/hebasto/bitcoin-detached-sigs"

Prerequisites

  1. Make sure your public key is available on https://keys.openpgp.org/.

  2. Fork the bitcoin-core/guix.sigs repository on GitHub (if not forked yet):

pushd $GUIX_SIGS_REPO
git remote add hebasto git@github.com:hebasto/guix.sigs.git
git config remote.pushDefault hebasto
popd
  1. The Xcode-15.0-15A240d-extracted-SDK-with-libcxx-headers subdirectory must resides in the depends/SDKsdirectory.

Preparing repository

If building for a tag:

VERSION=27.0rc2
git fetch
git checkout v$VERSION

Building

./contrib/guix/guix-build

Attesting non-codesigned binaries

./contrib/guix/guix-attest
pushd $GUIX_SIGS_REPO
git switch main
git pull
git checkout -b ${VERSION}-non-codesigned
git add $VERSION
git commit -m "Add attestations by $SIGNER for $VERSION non-codesigned"
git push
popd

Submit a PR to the bitcoin-core/guix.sigs repository on GitHub.

Signing binaries

pushd $DETACHED_SIGS_REPO
git fetch
git checkout v$VERSION
popd
./contrib/guix/guix-codesign

Attesting codesigned binaries

./contrib/guix/guix-attest
pushd $GUIX_SIGS_REPO
git switch main
git pull
git checkout -b ${VERSION}-codesigned
git add $VERSION
git commit -m "Add attestations by $SIGNER for $VERSION codesigned"
git push
popd

Submit a PR to the bitcoin-core/guix.sigs repository on GitHub.

Verifying

pushd $GUIX_SIGS_REPO
git switch main
git pull
popd
./contrib/guix/guix-verify
@Emzy
Copy link

Emzy commented Apr 16, 2021

tested, worked.

@jonatack
Copy link

jonatack commented Jul 23, 2021
edited
Loading

Very helpful doc! Thanks!

In Signing Binaries, the git checkout command should be git checkout v$VERSION (the "v" is missing).

@jonatack
Copy link

(Maybe also state that the ./contrib/guix/guix-{build, attest, verify} commands should be run from the root of the bitcoin directory.)

@hebasto
Copy link
Author

hebasto commented Jul 24, 2021

Very helpful doc! Thanks!

Thanks you!

In Signing Binaries, the git checkout command should be git checkout v$VERSION (the "v" is missing).

Is it ok now?

@jonatack
Copy link

In Signing Binaries, the git checkout command should be git checkout v$VERSION (the "v" is missing).

Is it ok now?

Seems good. Thanks!

@0xB10C
Copy link

0xB10C commented Aug 4, 2021

Thank you! Very helpful.

@benthecarman
Copy link

Is this possible without having an apple developer account?

@hebasto
Copy link
Author

hebasto commented Aug 7, 2021

@benthecarman

Is this possible without having an apple developer account?

https://bitcoincore.org/depends-sources/sdks/Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz

@willcl-ark
Copy link

Thanks, very useful (and worked very well!)

@jamesob
Copy link

jamesob commented Mar 8, 2022

Awesome, thanks @hebasto !

@0xB10C
Copy link

0xB10C commented Mar 16, 2022

@benthecarman

Is this possible without having an apple developer account?

https://bitcoincore.org/depends-sources/sdks/Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz

fwiw: this is the latest Xcode needed (12.2-12B45b): https://bitcoincore.org/depends-sources/sdks/Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers.tar.gz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment